Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: [WEB SECURITY] SSL does not = a secure website

Re: [WEB SECURITY] SSL does not = a secure website

From: Bill Pennington <bill_at_whitehatsec.com>
Date: Tue, 28 Mar 2006 16:24:12 -0800

I recently ran into the "click on a virtual keyboard" implementation.
This one was all JavaScript based and worked by sending the
coordinates back to the server. It was not any more secure than a
form-based password since the password was basically sent in a URL
string just in the form of coordinates. Replay of the coordinates
worked just fine. I think this product was aimed at stopping the
"Enter your username and password" type fishing attacks.

Now it is true SSL would stop some type of network sniffer from
seeing this traffic however I think it would be trivial for a trojan
to hook into the IE object and just pull click events out from there.
I mean once you can install software on your target there is not much
that can't be done so this are simply a bump in the road from what I
have been able to determine.

On Mar 28, 2006, at 3:16 PM, James Strassburg wrote:

> There are additional countermeasures that a web application can
> implement. For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th
> character of
> your password). I should state that while I've read about these I
> don't
> know of a web application that makes use of them.
>
> James Strassburg
>
> ________________________________
>
> From: Ryan Barnett [mailto:rcbarnett_at_gmail.com]
> Sent: Tuesday, March 28, 2006 8:10 AM
> To: Sebastien Deleersnyder
> Cc: Web Security; webappsec_at_securityfocus.com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
>
>
> On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder_at_ascure.com>
> wrote:
>
> Their is nothing that a website can do to prevent keyloggers on the
> user's machine.
>
> Well, now that I think about it, that is not entirely true...
> Websites
> could front-end their web apps with applications such as Sygate (
> http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
> <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
> which can check the user's computer for some forms of malware
> (including
> keyloggers) and then place the user into a Java virtual machine to
> help
> protect user credentials.
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 

---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 28 2006
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos