Penetration Testing: RE: username and Password sent as clear text strings

RE: username and Password sent as clear text strings

From: <dseth_at_comcast.net>
Date: Fri, 16 May 2008 02:02:52 +0000

Use a company called Microdasys if you want to mitigate that problem.

 -------------- Original message ----------------------
From: "Shenk, Jerry A" <jshenk_at_decommunications.com>
> That's certainly not ideal but it seems pretty common. The whole idea
> of SSL is to encrypt the traffic en-route so that makes it all ok,
> right;) The whole burden rests on doing SSL right and never having the
> user click ok on one of those boxes about the SSL hostname not matching.
> So, obviously it's a big deal if the ssl certificate is valid so they
> aren't training users to ignore those warnings. One other thing to check
> is that SSL is actually required. What happens if you go to the login
> page and manually switch it back to http - does it let you go? It seems
> like a lot of people kind of take that as an acceptable risk. It depends
> what is being encrypted...requiring an administrative account be used in
> that manner seems to add quite a bit to the risk. It needs to be
> a business decision....I'd try to build a reasonable scenario that would
> allow an attacker to gain access and then let the customer weigh the
> value of the data and the likelihood that someone will be that
> interested against the difficulty of the attack.
>
> BTW, this sounds like a great point to throw in a little discussion
> about how well they monitor their logs and how quickly they'd catch an
> attack or even an attempted attack.
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
> On Behalf Of jfvanmeter_at_comcast.net
> Sent: Wednesday, May 14, 2008 6:40 AM
> To: pen-test_at_securityfocus.com
> Subject: username and Password sent as clear text strings
>
> Hello everyone, and I know this might not be the most correct place to
> post this question, but I was hoping to get some feedback on what you
> think the potential risk would be and how this could be exploited.
>
> I completed a security review of a web server, that creates an SSL
> connection between the client and the server. Using WebScarab, I could
> see that the username and password are sent as clear text strings. The
> log in to the server requires an administrative account.
>
> Do you think there is a large amount of risk, in sending the username
> and password as a clear text string, since the pipe is encrypted? I was
> thinking that a man-in-the-middle or some type of session hijacking
> attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to
> get some feedback from everyone so I could pose this to them correctly.
>
> Thank you in advance --John
>

Received on May 15 2008
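
Added example, not part of the original thread: one way to automate the check Jerry Shenk describes (does the login page still load when switched back to http?). It goes beyond that single check by also looking for an HSTS header and the Secure cookie flag; the host name, cookie name and all response data are constructed.

```python
# Added example: not code from the thread. All sample responses are constructed.
from email.parser import Parser

REDIRECTS = {301, 302, 303, 307, 308}

def parse_head(raw):
    """Split a raw HTTP response head into (status code, header mapping)."""
    status_line, _, header_block = raw.strip().partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(header_block)

def assess_login_transport(http_raw, https_raw):
    """Findings for a login page requested once over http:// and once over https://."""
    findings = []
    # 1. Plain HTTP must not serve the login page; a redirect must point at https.
    status, headers = parse_head(http_raw)
    if status in REDIRECTS:
        if not headers.get("Location", "").lower().startswith("https://"):
            findings.append("http redirect does not go to https")
    elif status < 400:
        findings.append("login page is served over plain http")
    # 2. The HTTPS response should pin the browser to https (HSTS).
    _, headers = parse_head(https_raw)
    if "Strict-Transport-Security" not in headers:
        findings.append("no HSTS header on https response")
    # 3. Cookies without Secure are also sent over http, exposing the session.
    for cookie in headers.get_all("Set-Cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            name = cookie.split("=", 1)[0].strip()
            findings.append(f"cookie {name} lacks Secure flag")
    return findings

# Constructed samples: a site where SSL is optional, and one where it is enforced.
WEAK_HTTP = "HTTP/1.1 200 OK\nContent-Type: text/html\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\nSet-Cookie: SESSIONID=abc123; Path=/; HttpOnly\n"
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\n"
             "Location: https://admin.example.test/login\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\n"
              "Strict-Transport-Security: max-age=31536000\n"
              "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\n")

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, assess_login_transport(*pair) or "no findings")
```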