WebApp Sec mailing list archives

RE: Growing Bad Practice with Login Forms


From: "Dan C Crawford" <dcc_secure () tabanet com>
Date: Tue, 27 Jul 2004 08:08:49 -0700

I just ran a packet capture of logging into a service that uses a nearly
identical form to the one found on ISACA. It definitely set up the secure SSL
connection prior to transmitting my logon data.

Dan 

Ps> Don't even ask for the packet data.

-----Original Message-----
From: Ian [mailto:webappsec2 () fishnet co uk] 
Sent: Tuesday, July 27, 2004 7:13 AM
To: Mark Curphey; webappsec () securityfocus com
Subject: Re: Growing Bad Practice with Login Forms


On 27 Jul 2004 at 9:55, Mark Curphey wrote:

I am seeing more and more sites implementing a bad practice with login 
forms.

To pick on a high profile site that should know better take ISACA as 
an example.

http://www.isaca.org/

In the top left hand corner you will see their secure login button and 
a graphical padlock embedded into the HTML. Of course if you look at 
the form tags, this does indeed submit the form over SSL and in the 
process the SSL handshake checks the certificate and my browser should 
verify that I am indeed sending my password to isaca.org.

But at that point it's too late. The check for server authentication is 
done after I have sent my username and password. This IMHO is a bad 
practice that has started to creep into other sites including online 
banking.

I have added the issue to the OWASP Pen Test CheckList.

Hi,

It was my understanding that the SSL session is initiated before any request
is sent. Therefore the username / password would be protected since any
failure in the handshake would occur (and be flagged by your browser) before
the data is sent.


Please correct me if I'm wrong because I may need to do some updates... ;)

Regards

Ian
-- 



---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.726 / Virus Database: 481 - Release Date: 7/22/2004
 



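Added example (my own code, not something posted by anyone in this thread and
not ISACA's form): the kind of check Dan describes, run over the client-to-server
half of a captured TLS session. It parses the TLS record layer and reports
whether the stream opens with a ClientHello and whether a ChangeCipherSpec
precedes the first application_data record, i.e. whether the handshake in which
the browser verifies the server certificate completed before the HTTP request
carrying the credentials left the client. The two sample streams, the host name
www.example.test and the password string are constructed for the example; the
server's Certificate message travels in the other direction and is not parsed here.

```python
"""Added example: does a captured login go out inside TLS?

Parses the record layer of the client->server bytes of a TLS session (the
reassembled TCP payload from a packet capture) and answers the question the
thread argues about: does the handshake come before any application data?
The sample streams below are constructed, not real traffic.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}


def parse_records(data):
    """Split a raw byte stream into (record_name, payload) pairs.

    Once a change_cipher_spec has been seen, later handshake records are
    encrypted, so their type byte is opaque and they are labelled as such.
    """
    records, offset, encrypted = [], 0, False
    while offset < len(data):
        header = data[offset:offset + 5]
        if len(header) < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", header)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("byte %d is not a TLS record header" % offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        name = CONTENT_TYPES[ctype]
        if ctype == 22:
            if encrypted:
                name += ":encrypted"
            else:
                name += ":" + HANDSHAKE_TYPES.get(body[0], "type_%d" % body[0])
        elif ctype == 20:
            encrypted = True
        records.append((name, body))
        offset += 5 + length
    return records


def check_login_capture(data, secret):
    """Return (ok, reason) for a client->server byte stream.

    ok is True only when the stream starts with a ClientHello, switches to
    encryption before the first application_data record, and the secret
    (the password typed into the form) never appears in the clear.
    """
    if secret in data:
        return False, "credential visible in plaintext on the wire"
    try:
        names = [name for name, _ in parse_records(data)]
    except ValueError as err:
        return False, "not a TLS stream: %s" % err
    if not names or names[0] != "handshake:client_hello":
        return False, "stream does not open with a ClientHello"
    if "application_data" not in names:
        return True, "handshake only, no request sent yet"
    first_data = names.index("application_data")
    if "change_cipher_spec" not in names[:first_data]:
        return False, "application data sent before keys were established"
    return True, "handshake (incl. certificate check) completed before the request"


def tls_record(ctype, body, version=(3, 1)):
    """Wrap body in a TLS record header (content type, version, length)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def handshake_msg(htype, body):
    """Wrap body in a handshake header (type, 24-bit length)."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


# Constructed client->server stream shaped like a TLS 1.0 login (not a capture).
SECRET = b"password=hunter2"
GOOD_STREAM = (
    tls_record(22, handshake_msg(1, b"\x03\x01" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"))
    + tls_record(22, handshake_msg(16, b"\x01\x00" + bytes(256)))
    + tls_record(20, b"\x01")
    + tls_record(22, bytes(range(0x90, 0x90 + 36)))   # encrypted Finished
    + tls_record(23, bytes(range(0x40, 0x40 + 64)))   # encrypted POST /login
)
# The failure mode Mark worried about: the form posted over plain HTTP.
BAD_STREAM = (b"POST /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
              b"username=dan&" + SECRET)

if __name__ == "__main__":
    for label, stream in (("tls", GOOD_STREAM), ("plain", BAD_STREAM)):
        print(label, check_login_capture(stream, SECRET))
```

Feed it the reassembled client-side TCP payload of the connection the login
form posts to; if the verdict is anything other than the handshake completing
first, the form really is sending credentials before the browser has
authenticated the server.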