Penetration Testing: Re: username and Password sent as clear text strings

Re: username and Password sent as clear text strings

From: <jfvanmeter_at_comcast.net>
Date: Mon, 19 May 2008 07:24:41 +0000

Thank you Arvind. The web app is owned by a very large company, not my client, and one of the things my client could not comprehend is why the company did not hash the password in the first place.

Yes, both the client and servers would need the IPSEC rule. My client is a Windows shop, so they could leverage group policy to push out the IPSEC settings to the environment.

Take Care and Have Fun --John

 -------------- Original message ----------------------
From: "arvind doraiswamy" <arvind.doraiswamy_at_gmail.com>
> Hey John,
> I think this is a very common problem and after reading through
> everything on this thread there's just 2 things that come to mind:
>
> 1) What you said -- Usage of IPSec end to end. Wouldn't that mean that
> everyone who accesses this application (read internal users) also have
> to use IPsec? You might want to look at whether the internal
> switches/backbone is good enough to take that load or at least mention
> the same to the client.
>
> 2) A much much simpler solution is to implement a salted hash scheme on
> the client side which means "Javascript". So as soon as you enter your
> username and password and hit OK the details go to the hash function in
> Javascript -- get "encrypted" and go out. Now when it "goes out" it
> hits Webscarab -- but since it's already "encrypted" Webscarab though
> it intercepts stuff just sees the "encrypted/hashed" traffic. This
> hence greatly reduces the risk; even if someone managed to somehow
> convince a user to send traffic out through some untrusted proxy.
>
> The risk is there.. especially in shared environments like cyber cafes
> where you could well be sending data through who knows where if you're
> not careful but really it's low risk IMHO. Should be reported -- but low
> risk.
>
> Cheers
> Arvind
>

Received on May 19 2008
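
One reading of the client-side salted hash scheme described in the quoted message, as an added example that is not part of the original thread: the server issues a one-time salt, the browser sends sha256(salt + sha256(password)), and the server accepts each salt for a single attempt only. The names `LoginServer`, `issueSalt`, `verify` and `clientResponse`, the choice of SHA-256 and the sample credentials are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. All names are hypothetical.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Server side: keeps a hash of each password and hands out one-time salts.
class LoginServer {
  constructor() {
    this.users = new Map();   // username -> sha256(password)
    this.pending = new Map(); // username -> outstanding one-time salt
  }
  register(user, password) {
    this.users.set(user, sha256(password));
  }
  issueSalt(user) {
    const salt = crypto.randomBytes(16).toString("hex");
    this.pending.set(user, salt);
    return salt;
  }
  verify(user, response) {
    const salt = this.pending.get(user);
    this.pending.delete(user); // a salt is good for one attempt, pass or fail
    const stored = this.users.get(user);
    if (!salt || !stored) return false;
    const expected = Buffer.from(sha256(salt + stored), "hex");
    const got = Buffer.from(String(response), "hex");
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Client side: what the login page's script computes before submitting.
function clientResponse(password, salt) {
  return sha256(salt + sha256(password));
}

function demo() {
  const server = new LoginServer();
  server.register("alice", "constructed-sample-password"); // constructed data
  const salt = server.issueSalt("alice");
  const onWire = clientResponse("constructed-sample-password", salt);
  const firstLogin = server.verify("alice", onWire);
  server.issueSalt("alice"); // next login attempt gets a fresh salt
  const replayed = server.verify("alice", onWire); // same bytes resubmitted
  return { firstLogin, replayed, leaksPassword: onWire.includes("constructed") };
}

console.log(demo()); // what an intercepting proxy sees is onWire, never the password
```

In this sketch the stored `sha256(password)` is itself password-equivalent if the server's database leaks, and the script only helps when the page that delivers it arrives unmodified, so it complements rather than replaces transport encryption such as the IPsec option discussed in the thread.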
