WebApp Sec: Re: Login credentials and session id security

From: David Wall <dwall_at_yozons.com>
Date: Fri, 08 Jun 2007 11:24:34 -0700

Keep in mind that hidden input fields are visible to the user (view page
source), so if it's their credentials, then no problem, but they can be
viewed and re-used if that's a design issue.

Also, GET requests submit their params on the query line, so they are
often logged in web server logs, thus turning what may be SSL encrypted
over the wire to cleartext in the web server log (or your own logs if
you also record the URL used). They are also stored in the browser's cache.

HTTPS POST is your best bet for transferring data. If the user is
tricked, then the credentials will be stolen (this is what phishing
attacks are all about), but if the user goes to your web site over HTTPS
and is paying attention, he should notice whether he's connected to your
secure web server or not. If so, then a proxy on his end shouldn't
matter.

Some have used two-phase logins to help users detect phishing sites, but
users who are tricked by such attacks probably won't be savvy enough to
really appreciate the two-phase login. With two-phase login, the user
first identifies himself without giving up the password, and the system
responds with some data (picture, DOB or some user-chosen quotation are
common) that it knows about the user, figuring that a phishing site
won't know this and thus cannot provide that response before the user
enters the password.

Good luck. Please realize that almost every e-commerce site "suffers"
from this, so it's not just your problem, but then remind yourself that
banks, stock brokers, Amazon.com, Google Adwords, PayPal, etc. all have
this issue, too, and they are very successful despite it all. Be sure
to balance real risk with any solution that makes it harder to use.
Banks don't make their customers go through metal detectors because the
trade-off in added security outweighs the atmosphere banks are trying to
portray.

David
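The log-leak point made above, as an added worked example (editor's code, not part of David's post or of any project): a request that submits credentials or a session id in a GET query string lands verbatim in the web server's access log, while a POST body does not. The script scans constructed Apache-style log lines for sensitive parameter names, shows how to redact the offending values if such URLs must be logged at all, and applies the post's rule (credentials only by POST over HTTPS) as a server-side check. The log format, parameter names and log lines are assumptions for the demonstration.

```python
"""Added example: find credentials and session ids leaked into access logs via
GET query strings, redact them, and refuse credential submission by GET."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Parameter names treated as sensitive (assumption; extend for your application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass",
                    "sessionid", "jsessionid", "phpsessid", "token"}

# Constructed Apache combined-log-format lines (not real traffic). Note that the
# first and third requests were served over HTTPS, yet the secrets are cleartext here.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2007:11:24:34 -0700] "GET /login?user=alice&password=s3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jun/2007:11:25:01 -0700] "POST /login HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0"
10.0.0.9 - - [08/Jun/2007:11:26:10 -0700] "GET /account?sessionid=abc123def HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Jun/2007:11:27:42 -0700] "GET /catalog?q=shoes HTTP/1.1" 200 8840 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, then the request line "METHOD target protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def leaked_params(target):
    """Names of sensitive parameters present in a request target's query string."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return sorted(k for k in qs if k.lower() in SENSITIVE_PARAMS)


def scan_log(text):
    """Return (ip, method, path, leaked_names) for every logged request whose
    query string carries a sensitive parameter. POST bodies never appear in
    the access log, so only the request target is inspected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        leaked = leaked_params(m["target"])
        if leaked:
            findings.append((m["ip"], m["method"], urlsplit(m["target"]).path, leaked))
    return findings


def redact_target(target):
    """Keep the parameter name but drop its value, so a log line still shows
    that a credential was sent by GET without preserving the credential."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    redacted = {k: ("REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                for k, v in qs.items()}
    return urlunsplit(parts._replace(query=urlencode(redacted, doseq=True)))


def accept_credentials(method, scheme):
    """Server-side policy from the post: credentials travel only in an HTTPS POST.
    Returns (accepted, reason)."""
    if scheme.lower() != "https":
        return (False, "refused: credentials would cross the wire in cleartext")
    if method.upper() != "POST":
        return (False, "refused: query-string credentials end up in logs and browser cache")
    return (True, "ok")


if __name__ == "__main__":
    for ip, method, path, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path}: sensitive params in query string {names}")
    print(redact_target("/login?user=alice&password=s3cret"))
    print(accept_credentials("GET", "https"))
```

Run the scanner over an exported access log to confirm the problem exists before redesigning the login form; if a third-party page links to your site with a session id in the URL, the same check on the Referer column will find that too.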

Received on Jun 10 2007