WebApp Sec: RE: Securing password between webserver & appserver.

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

RE: Securing password between webserver & appserver.

From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Tue, 8 Sep 2009 07:16:29 +0100

You are right.  Without changing your 
architecture or requirements you would 
have to have the client encrypt the 
message before sending it through an 
untrusted web server.


Just stating the obvious here though; if the web server is genuinely
untrusted, then logically none of this can be secured anyway.

An attacker at the web server is a classic MITM. All they need to do is
remove the client side auth code as it passes on the way out to the
client, and then they will always receive a clear-text password back
from the client. POW!

If you don't trust the server, then a web delivery mechanism probably
isn't the right architecture at all.

Martin...

By Date By Thread

Current thread:

Re: Securing password between webserver & appserver., (continued)
- RE: Securing password between webserver & appserver. Ken Schaefer (Sep 07)
- Re: Securing password between webserver & appserver. Till Elsner (Sep 08)
  - Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
    - RE: Securing password between webserver & appserver. Calderon, Juan Carlos (GE, Corporate, consultant) (Sep 09)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 07)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 08)