WebApp Sec mailing list archives

RE: Growing Bad Practice with Login Forms


From: "Stan Guzik" <SGuzik () ImmediaTech com>
Date: Tue, 27 Jul 2004 10:20:41 -0400

Once you enter the site, they set their cookie without SSL.  This is not
a good practice because it leaves the cookie (maybe session management)
open to a sniffing attack.

-----Original Message-----
From: Mark Curphey [mailto:mark () curphey com] 
Sent: Tuesday, July 27, 2004 9:56 AM
To: webappsec () securityfocus com
Subject: Growing Bad Practice with Login Forms

I am seeing more and more sites implementing a bad practice with login
forms.

To pick on a high profile site that should know better take ISACA as an
example.

http://www.isaca.org/

In the top left-hand corner you will see their secure login button and a
graphical padlock embedded into the HTML. Of course, if you look at the
form tags, this does indeed submit the form over SSL, and in the process
the SSL handshake checks the certificate and my browser should verify
that I am indeed sending my password to isaca.org.

But at that point it's too late. The check for server authentication is
done after I have sent my username and password. This IMHO is a bad
practice that has started to creep into other sites, including online
banking.

I have added the issue to the OWASP Pen Test CheckList.
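The two issues raised in this thread (a password form delivered over plain HTTP, even when its action posts to HTTPS, and a session cookie set without the Secure attribute) are easy to check for mechanically. The script below is an added example, not code from either poster or from the OWASP checklist. It parses a fetched page offline; the URL www.example.org, the HTML and the Set-Cookie header are constructed placeholders, and the check is written against them rather than against any real site.

```python
"""Flag login-form weaknesses of the kind discussed in the thread:
  1. a form containing a password field served over http (the page that
     carries the form is unauthenticated, so its action can be rewritten
     in transit before the browser ever does the TLS handshake);
  2. a password form whose action itself is not https;
  3. Set-Cookie headers that lack the Secure attribute.
Everything here runs offline on constructed input."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Record every <form> and whether it contains an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_page(page_url, html, set_cookie_headers):
    """Return a list of finding strings for the page fetched from page_url."""
    findings = []
    page_scheme = urlparse(page_url).scheme.lower()

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue                      # only login-style forms matter here
        # urljoin resolves relative actions; an empty action posts to the page itself
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlparse(action_url).scheme.lower()
        if page_scheme != "https":
            findings.append(
                f"password form served over {page_scheme}: the page is not "
                f"authenticated, so its action ({action_url}) can be rewritten in transit"
            )
        if action_scheme != "https":
            findings.append(f"password form posts to {action_url} without TLS")

    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attributes = [p.strip().lower() for p in header.split(";")[1:]]
        if "secure" not in attributes:
            findings.append(f"cookie {name!r} set without the Secure attribute")
    return findings


# Constructed sample input (placeholder host, not a real site): an http page
# whose login form posts to https, plus a session cookie without Secure.
SAMPLE_PAGE_URL = "http://www.example.org/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://www.example.org/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Secure Login">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""
SAMPLE_COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    for finding in check_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_COOKIES):
        print("FINDING:", finding)
```

On the sample input this reports two findings: the password form is served over http, and SESSIONID is set without Secure. The https action on its own is not flagged, which is exactly the point of the thread: the form's destination being encrypted does not help if the form itself arrived unauthenticated. Serving the same page over https with a Secure cookie produces no findings.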

