Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: Re: username and Password sent as clear text strings

Re: username and Password sent as clear text strings

From: Matthew Zimmerman <mzimmerman_at_gmail.com>
Date: Mon, 19 May 2008 20:06:13 -0400

In my opinion, if you want to mitigate this, don't use passwords. Use
true challenge-response. Everything else proposed here is either
obfuscation or doesn't really work in a web application environment.
A VPN around a webserver only works if every user that needs access to
that webserver can also access the vpn.

This situation should NOT be described as a 'password in cleartext'.
If you call SSL encryption (when using a decent symmetric algorithm),
then this is not a cleartext issue... You've committed a
man-in-the-middle attack by being the client AND the
man-in-the-middle... That doesn't really get you anything. If you
control the client, you control the connection. In this case, you
told your client to trust a self-signed certificate with the name of
"WebScarab" when you went to "OtherSite.

Follow NIST SP 800-63 for more guidance --
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1

Matt Zimmerman

On Wed, May 14, 2008 at 6:39 AM, <jfvanmeter_at_comcast.net> wrote:
> Hello everyone, and I know this might not be the most correct place to post this questions, but I was hoping to get some feedback on what you think the potential risk would be and how this this could be exploited.
>
> I completed a security review of a web server, that creates a SSL connection between the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires a administrative account.
>
> Do you think there is a large amount of risk, in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correcly.
>
> Thank you in advance --John
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Received on May 19 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]