WebApp Sec
mailing list archives
Re: Must we authenticate login forms (using SSL?)?
From: Antoine Martin <antoine () nagafix co uk>
Date: Fri, 30 Sep 2005 14:44:32 +0100
> e.g. My bank logon script performs an MD5 hash of the username and
> password before sending it to the bank. The MITM tricks me into visiting
> their own site, and just "proxies" the comms to the real site. However,
> they strip out the MD5 hashing script, and replace it with an "identity"
> function (i.e. the output is the same as the input). When the MITM
> receives the form submission, it is trivial for them to extract the
> username and password from the form, replace it with the MD5 hash
> expected, and pass it on to the real bank.

Absolutely, that's why in my post I had said:
"The session can still be hijacked but at least the original
password is safer (as stealing it requires more work than
just listening in)."
There is still some value in the approach suggested above, in the
context where the attacker can listen on the line but not proxy the real
server (and therefore not modify the page - not easily anyway).
Regards
Antoine