Penetration Testing mailing list archives

Re: username and Password sent as clear text strings


From: "Matthew Zimmerman" <mzimmerman () gmail com>
Date: Wed, 21 May 2008 14:40:52 -0400

David, Marvin Simkin said it well; I didn't.

On Tue, May 20, 2008 at 4:43 AM, David Howe
<DaveHowe.Pentest () googlemail com> wrote:
> Matthew Zimmerman wrote:
>
>> In my opinion, if you want to mitigate this, don't use passwords.  Use
>> true challenge-response.  Everything else proposed here is either
>> obfuscation or doesn't really work in a web application environment.
>> A VPN around a webserver only works if every user that needs access to
>> that webserver can also access the VPN.

> That is unfortunately only security through obscurity, and barely worth doing
> - it raises the bar quite a bit (in that the MiTM attacker must also modify
> the transmitted page to request a plaintext password instead, a much more
> demanding task than just recording traffic) but requires that you send
> javascript, java or flash code to actually do the challenge-response
> protocol (and manage the inevitable clients who will have that turned off
> then complain that your site "requires" things they consider a security
> issue).

Maybe I didn't state it correctly; challenge/response was the wrong
term to use.  PKI, SecurID, etc.  Something that involves something
you are or something you have in addition to something you know (e.g.,
a password).  You are correct that obfuscating the password by some
client side script/addon will not work.  That was not my intention.

> Ultimately though, if your attacker can successfully read and modify the
> browser channel (either using browser plugins or indirectly by intercepting
> and modifying the page stream via a MiTM attack) or intercept the data entry
> channel (keyboard/mouse) you have already lost.

Right.  You break the SSL tunnel, you also have the user's cookie,
which means you don't care about a "password" anymore.  The cookie is
your password.

