Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: pen testing https portal?
From: "Richard Braganza" <iwtb0202 () googlemail com>
Date: Mon, 11 Sep 2006 19:34:59 +0100

Check out PINSafe by Swivel Secure (2 factor - unique PIN sent by email or sms)
I found it during some app testing
It looked very good apart from the way it was implemented:Badly, it
allowed DoS any logged in user, by logging them off if incorrect
numbers entered. The product was not to blame IMHO - only how it was
integrated to the web site
Best Regards
RARB

On 9 Sep 2006 19:35:47 -0000, mismail () postmaster co uk
<mismail () postmaster co uk> wrote:
no basically 1234 is PIN they refer to, so when they click on the generate
pin button they find the number under 1234 and enter that as there pin, the
number they enter will always change, so if some if walking past and see's
your logon details, they cant logon, cos its a new number you'd have type in
again!

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault