Penetration Testing mailing list archives
username and Password sent as clear text strings
From: jfvanmeter () comcast net
Date: Wed, 14 May 2008 10:39:51 +0000
Hello everyone, and I know this might not be the most correct place to post this questions, but I was hoping to get some feedback on what you think the potential risk would be and how this this could be exploited. I completed a security review of a web server, that creates a SSL connection between the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires a administrative account. Do you think there is a large amount of risk, in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack could allow the account to be compromised. I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correcly. Thank you in advance --John ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- username and Password sent as clear text strings jfvanmeter (May 14)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 15)
- Re: username and Password sent as clear text strings Todd Haverkos (May 15)
- Collection of problems in production systems while pen-testing - "Butterfly effect" Adriano Leite (DHL CZ) (May 28)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 15)
- RE: username and Password sent as clear text strings Jones, David H (May 15)
- Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 15)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Jon Kibler (May 16)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Newton, Preston (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
- Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 15)