Penetration Testing: Re: username and Password sent as clear text strings

Re: username and Password sent as clear text strings

From: <jfvanmeter_at_comcast.net>
Date: Fri, 16 May 2008 22:19:54 +0000

Thank you,

Take Care and Have Fun --John

 -------------- Original message ----------------------
From: "Arian J. Evans" <arian.evans_at_anachronic.com>
> Let me summarize the previous responses and be very clear:
>
> This is how web applications work. All of them.
>
> There is no effective way to "hash or encrypted" the password
> via client-side scripting. There are ways to do it, but in a web
> application all the code to do this is passed to the client from
> the server, making it pointless.
>
> It is similar to the problem in cryptography of passing the key
> with the message, but worse. It's passing the key, algorithm,
> comments, and message all together. In this type of environment
> it's not possible to do this securely.
>
> Hence the use of SSL for transport-layer security.
>
> Now...that said, some folks use SWFs and Adobe Air and such
> for trying to encrypt data in transit, especially if they are using
> AMF or some binary protocol, but again since everything has to
> be passed to the client it is completely trivial to reverse engineer.
>
> So, again, to conclude:
>
> This is how all web applications on the planet work today by design.
>
> You can reply to this if you would like to ask more questions,
> but unfortunately the SF pen-test list is one of the only ones
> that blocks posts from gmail forwarders so I do not think
> that you will see my post on the actual list.
>
> --
> --
> Arian J. Evans, software security stuff.
>
> I spend most of my money on motorcycles, mistresses, and martinis. The
> rest of it I squander.
>
>
> On Wed, May 14, 2008 at 3:39 AM, <jfvanmeter_at_comcast.net> wrote:
> > Hello everyone, and I know this might not be the most correct place to post
> > this question, but I was hoping to get some feedback on what you think the
> > potential risk would be and how this could be exploited.
> >
> > I completed a security review of a web server, that creates an SSL connection
> > between the client and the server. Using WebScarab, I could see that the
> > username and password are sent as clear text strings. The log in to the server
> > requires an administrative account.
> >
> > Do you think there is a large amount of risk, in sending the username and
> > password as a clear text string, since the pipe is encrypted? I was thinking
> > that a man-in-the-middle or some type of session hijacking attack could allow
> > the account to be compromised.
> >
> > I'm working on completing the report for my client and was hoping to get some
> > feedback from everyone so I could pose this to them correctly.
> >
> > Thank you in advance --John

Received on May 16 2008
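
The sketch below is an added example, not code from either poster. It models the point made in the quoted reply with two hypothetical server designs (class names, account and password are constructed): whatever string the login form posts is the credential, so a client-side hash protects nothing that TLS does not already protect. It goes slightly beyond the thread by also showing that, in the client-hash design, the value stored on the server is itself a working login.

```python
import hashlib
import hmac
import os

# Constructed sample account; nothing here comes from the original thread.
USER, PASSWORD = "admin", "S3cret-example"


def client_side_hash(password: str) -> str:
    """Stand-in for a hashing routine the server ships to the browser."""
    return hashlib.sha256(password.encode()).hexdigest()


class ClientHashServer:
    """Hypothetical design 1: the browser hashes, the server compares hashes."""

    def __init__(self) -> None:
        self.stored = {USER: client_side_hash(PASSWORD)}

    def login(self, user: str, field: str) -> bool:
        return hmac.compare_digest(self.stored.get(user, ""), field)


class TlsPlainServer:
    """Design 2: password travels inside TLS, server keeps a salted KDF output."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored = {USER: self._kdf(PASSWORD)}

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, user: str, field: str) -> bool:
        return hmac.compare_digest(self.stored.get(user, b""), self._kdf(field))


def replay_results() -> dict:
    """Submit the exact form field each design posts, as read from the request body."""
    hashed, plain = ClientHashServer(), TlsPlainServer()
    return {
        # In both designs the posted field alone is enough to authenticate.
        "client_hash_replay": hashed.login(USER, client_side_hash(PASSWORD)),
        "tls_plain_replay": plain.login(USER, PASSWORD),
        # Design 1 only: the value stored server-side is itself a valid login.
        "stored_hash_accepted": hashed.login(USER, hashed.stored[USER]),
        "stored_kdf_accepted": plain.login(USER, plain.stored[USER].hex()),
    }
```

For a report, the practical check is therefore on the transport (the login form is served and posted only over TLS), not on how the field is encoded inside it.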
