Home page logo

pen-test logo Penetration Testing mailing list archives

RE: pen testing https portal?
From: "Nick Besant" <Nick.Besant () ioko com>
Date: Fri, 8 Sep 2006 11:08:06 +0100

-----Original Message-----
mismail () postmaster co uk
has any ever tested a https portal?

basically i have a client who has constructed a https portal 
to all works logon on from anywhere and access apps and files.

how it works is the username and pw are the users AD logon 
details, the pin is emailed to the user, so for example when 
the user logs on he has a button saying generate pin!

now say for example he has a pin of 1234 when hits generate 
pin a picture comes up like this



so the user find his 1st number in his pin, and types the 
number below it, same with 234 and enters that into the pin field:

username: bloggs

pw: password

pin: 0192

the pin is one time unique! has anyone ever come across a 
setup like this?

sorry for the long post!

hope you can help!

Maybe, few questions first though;

1. You mention a picture comes up - do you mean this is a CAPTCHA[1]
style challenge ?  If so, it's possible you can automate fetching the
numbers with one of the CAPTCHA analysis tools.
2. Is the PIN challenge displayed before or after a successful logon;
i.e. do you have to provide a valid username and password, then go to
the PIN screen, then get access or do you get the PIN screen together
with the logon boxes ?  If it comes up first you could have a go at
doing some pattern analysis.
3. Do you have a valid login + PIN already for the testing ?
4. Have you tried session-based attacks yet ? (although they could be
changing session ID on successful login).

[1] http://en.wikipedia.org/wiki/Captchas


Nick Besant

Communications on or through ioko's computer systems may be monitored or recorded to secure effective system operation 
and for other lawful purposes.

Unless otherwise agreed expressly in writing, this communication is to be treated as confidential and the information 
in it may not be used or disclosed except for the purpose for which it has been sent. If you have reason to believe 
that you are not the intended recipient of this communication, please contact the sender immediately. No employee is 
authorised to conclude any binding agreement on behalf of ioko with another party by e-mail without prior express 
written confirmation.

ioko365 Ltd.  VAT reg 656 2443 31. Reg no 3048367. All rights reserved.

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]