Re: username and Password sent as clear text strings

[jfvanmeter () comcast net]

Thanks you, 

Take Care and Have Fun --John


 -------------- Original message ----------------------
From: "Arian J. Evans" <arian.evans () anachronic com>
> Let me summarize the previous responses and be very clear:
>
> This is how web applications work. All of them.
>
> There is no effectively way to "hash or encrypted" the password
> via client-side scripting. There are ways to do it, but in a web
> application all the code to do this is passed to the client from
> the server, making it pointless.
>
> It is similar to the problem in cryptography of passing the key
> with the message, but worse. It's passing the key, algorithm,
> comments, and message all together. In this type of environment
> it's not possible to do this securely.
>
> Hence the use of SSL for transport-layer security.
>
> Now...that said, some folks use SWFs and Adobe Air and such
> for trying to encrypt data in transit, especially if they are using
> AMF or some binary protocol, but again since everything has to
> be passed to the client it is completely trivial to reverse engineer.
>
> So, again, to conclude:
>
> This is how all web applications on the planet work today by design.
>
> You can reply to this if you would like to ask more questions,
> but unfortunately the SF pen-test list is one of the only ones
> that blocks posts from gmail forwarders so I do not think
> that you will see my post on the actual list.
>
> -- 
> -- 
> Arian J. Evans, software security stuff.
>
> I spend most of my money on motorcycles, mistresses, and martinis. The
> rest of it I squander.
>
>
> On Wed, May 14, 2008 at 3:39 AM,  <jfvanmeter () comcast net> wrote:
> > Hello everyone, and I know this might not be the most correct place to post 
> this questions, but I was hoping to get some feedback on what you think the 
> potential risk would be and how this this could be exploited.
> > I completed a security review of a web server, that creates a SSL connection 
> between the cleint and the server. Using WebScarab, I could see that the 
> username and password are sent as clear text strings. The log in to the server 
> requires a administrative account.
> > Do you think there is a large amount of risk, in sending the username and 
> password as a clear text string, since the pipe is encrypted? I was thinking 
> that a man-in-the-middle or sometype of session hijacking attack  could allow 
> the account to be compromised.
> >  I'm working on completing the report for my client and was hoping to get some 
> feedback from everyone so I could pose this to them correcly.
> > Thank you in advance --John


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------