Penetration Testing mailing list archives

Re: username and Password sent as clear text strings

From: Todd Haverkos <fsbo () haverkos com>
Date: Wed, 14 May 2008 22:12:21 -0500

jfvanmeter () comcast net writes:

Hello everyone, and I know this might not be the most correct place to post this questions, but I was hoping to get 
some feedback on what you think the potential risk would be and how this this could be exploited.

I completed a security review of a web server, that creates a SSL connection between the cleint and the server. Using 
WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server 
requires a administrative account.

Do you think there is a large amount of risk, in sending the username and password as a clear text string, since the 
pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack  could allow the 
account to be compromised.

 I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose 
this to them correcly.

Thank you in advance --John


Hi John, 

Webscarab, like all intercepting web proxy programs I've used on
https:// sites generally work by performing an intentional "man in the
middle" between your web browser and the server in order to be able to
show you what's being submitted to the server.  Unless your browser is
broken or badly configured, you should have gotten a certificate
mismatch warning when first conencting to the site, and examination of
the certificate that was presented to the browser will have Webscarab
written all over.

With that in mind are you _sure_ things are being passed in clear
text, or are you just saying "hey I can read these form submission
values just fine in webscarab!"  If the latter, I don't think there's
necessarily a concern, because by the nature of the tool you're using
and you're okay'ing the certificate warning, you're letting the tool
sees these values.

Best Regards, 
--
Todd Haverkos 
http://www.linkedin.com/in/toddhaverkos




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

Current thread:

username and Password sent as clear text strings jfvanmeter (May 14)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 15)
- Re: username and Password sent as clear text strings Todd Haverkos (May 15)
  - Collection of problems in production systems while pen-testing - "Butterfly effect" Adriano Leite (DHL CZ) (May 28)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 15)
- RE: username and Password sent as clear text strings Jones, David H (May 15)
  - Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 15)
    - Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Jon Kibler (May 16)
    - RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Newton, Preston (May 16)
    - Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
    - Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
    - Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Rick Zhong (May 17)
    - RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 26)

(Thread continues...)