Penetration Testing: Re: username and Password sent as clear text strings

Re: username and Password sent as clear text strings

From: <jfvanmeter_at_comcast.net>
Date: Thu, 15 May 2008 08:11:17 +0000

Good Morning Everyone and thank you all for your input.

I don't believe a certificate was ever presented to the browser, I'll double check that when I get on the client site this morning.

I guess part of the problem I'm having with this, is the web app is owned by a very large company, and I just thought they would take the extra measure of hashing or encrypting the password.

Take Care and Have Fun --John

 -------------- Original message ----------------------
From: Todd Haverkos <fsbo_at_haverkos.com>
> jfvanmeter_at_comcast.net writes:
>
> > Hello everyone, and I know this might not be the most correct place to post
> > this question, but I was hoping to get some feedback on what you think the
> > potential risk would be and how this could be exploited.
> >
> > I completed a security review of a web server, that creates an SSL connection
> > between the client and the server. Using WebScarab, I could see that the
> > username and password are sent as clear text strings. The log in to the server
> > requires an administrative account.
> >
> > Do you think there is a large amount of risk, in sending the username and
> > password as a clear text string, since the pipe is encrypted? I was thinking
> > that a man-in-the-middle or some type of session hijacking attack could allow
> > the account to be compromised.
> >
> > I'm working on completing the report for my client and was hoping to get some
> > feedback from everyone so I could pose this to them correctly.
> >
> > Thank you in advance --John
>
> Hi John,
>
> Webscarab, like all intercepting web proxy programs I've used on
> https:// sites, generally works by performing an intentional "man in the
> middle" between your web browser and the server in order to be able to
> show you what's being submitted to the server. Unless your browser is
> broken or badly configured, you should have gotten a certificate
> mismatch warning when first connecting to the site, and examination of
> the certificate that was presented to the browser will have Webscarab
> written all over.
>
> With that in mind are you _sure_ things are being passed in clear
> text, or are you just saying "hey I can read these form submission
> values just fine in webscarab!" If the latter, I don't think there's
> necessarily a concern, because by the nature of the tool you're using
> and you're okay'ing the certificate warning, you're letting the tool
> see these values.
>
> Best Regards,
> --
> Todd Haverkos
> http://www.linkedin.com/in/toddhaverkos
>
>
>

Received on May 15 2008
