Penetration Testing mailing list archives

RE: Pentesting Single Sign-On Solutions
From: admin () systemstates net
Date: Sun, 29 Jun 2008 05:18:55 -0700

-------- Original Message --------
Subject: Pentesting Single Sign-On Solutions
From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, June 27, 2008 9:02 am
To: pen-test <pen-test () securityfocus com>

Figured I'd check in with all of you out there in Pentest land.

Have any of you ever pentested a single sign-on solution? I have an
opportunity to test one soon. I'm looking for ideas, and feedback from
anyone that's done this or something similar.

The problem is that 'single sign-on' has been hijacked to mean all sorts
of things - from many systems which all have synchronized passwords
(arguably wrong usage), to many systems which all authenticate against a
single database, such as LDAP (also, arguably wrong), to systems which
trust a central authority when it passes them your username, through to
"real" single sign-on like kerberos.

Personally, I think that only the kerberos-type solutions are real
single sign-on, but I have heard all of the above being described as
such. So, first question is, true single sign-on, or marketing speak?

Kerberos is pretty robust in many ways, but obviously weak passwords can
still be a problem. Also, if you can compromise a machine, you may be
able to steal tokens - though these will only be valid for a limited


www.systemstates.net - penetration test / IDS / incident response
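The reply above notes that stolen Kerberos tickets are only useful for their validity window, so ticket lifetime policy is one of the first things to check on a Kerberos-based SSO deployment. The following is an added example (not code from the thread or from systemstates.net): it parses a constructed, MIT `klist`-style listing and flags tickets whose lifetime or renewable window exceeds an assumed policy (10 hours and 7 days here; both thresholds are assumptions, not values from the page).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of MIT Kerberos `klist` output (not real data).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/27/2008 09:02:00  06/27/2008 19:02:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 07/04/2008 09:02:00
06/27/2008 09:05:12  06/29/2008 09:05:12  host/web01.example.com@EXAMPLE.COM
    renew until 07/27/2008 09:05:12
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"          # timestamp as used in the sample
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")   # "start  expires  service"
RENEW_RE = re.compile(rf"^\s+renew until ({TS})$")       # indented continuation line
FMT = "%m/%d/%Y %H:%M:%S"

def parse_klist(text):
    """Return a list of dicts: service, start, expires, renew_until (None if absent)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "start": datetime.strptime(m.group(1), FMT),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # attach the renew line to the ticket just parsed
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets

def audit_lifetimes(tickets, max_life=timedelta(hours=10), max_renew=timedelta(days=7)):
    """Flag tickets whose validity or renewable window exceeds the assumed policy."""
    findings = []
    for t in tickets:
        life = t["expires"] - t["start"]
        if life > max_life:
            findings.append((t["service"], "lifetime", life))
        if t["renew_until"] is not None:
            renew = t["renew_until"] - t["start"]
            if renew > max_renew:
                findings.append((t["service"], "renewable", renew))
    return findings
```

On the sample, the krbtgt ticket sits exactly at the policy limits and passes, while the host ticket is flagged twice (two-day lifetime, thirty-day renewable window).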
