WebApp Sec mailing list archives
RE: Passing Credentials in the clear- Possible fixes
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Mon, 28 Feb 2005 08:11:34 +1100
If your firm is like most, they will have activity audit requirements for infrastructue and user activity. Simply put, you can't get much reliability in audit trails by logging and securing things at an infrastructure level, then assume that the application is safely audited, user-level auditing also needs to occur in the applications layer. Credentials passed in the clear are invitations for misuse of credentials, invalidating the value of any application audits. Anything from a simple user/password/sessionID hash up to an electronic signature solution (not necessarily PKI based) will do, usin SSL to encapsulate the traffic away from sniffing eyes. Lyal -----Original Message----- From: Jeff [mailto:pen_tester () adelphia net] Sent: Saturday, 26 February 2005 1:38 PM To: webappsec () securityfocus com Subject: Passing Credentials in the clear- Possible fixes I'm conducting an application assessment for a portal app that is going to be rolled out shortly. All users allowed access to the home page without authenticating. To get to the customizable portlets they must authenticate. I discovered today that the user credentials are being passed in the clear. When I present this finding I'm expecting some push back from the application team about how "it's not their problem. It's up to the infrastructure group to come up with a solution (i.e. https enabled servers, network encryption devices, etc.)" My question is this - Are there any possible solutions I could present to the application team as to how they can fix the problem via a coding change instead of letting them lay the responsibility for securing their information off on another group? The portal is Java based if that makes a difference. Any info appreciated. -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 266.5.0 - Release Date: 2/25/2005
Current thread:
- Passing Credentials in the clear- Possible fixes Jeff (Feb 28)
- RE: Passing Credentials in the clear- Possible fixes Lyal Collins (Feb 28)