Penetration Testing mailing list archives
RE: username and Password sent as clear text strings
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Sun, 18 May 2008 15:35:44 -0400
It would not be necessary for "everyone who accesses this application" to access it through the IPsec VPN. The VPN could terminate on a PIX or ASA, for example, and give external users access through the VPN while local users could access the web server directly.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of arvind doraiswamy
Sent: Sunday, May 18, 2008 2:00 AM
To: pen-test () securityfocus com
Subject: Re: username and Password sent as clear text strings

Hey John,

I think this is a very common problem, and after reading through everything on this thread there are just two things that come to mind:

1) What you said -- usage of IPsec end to end. Wouldn't that mean that everyone who accesses this application (read: internal users) also has to use IPsec? You might want to look at whether the internal switches/backbone are good enough to take that load, or at least mention the same to the client.

2) A much, much simpler solution is to implement a salted hash scheme on the client side, which means "Javascript". So as soon as you enter your username and password and hit OK, the details go to the hash function in Javascript -- get "encrypted" and go out. Now when it "goes out" it hits Webscarab -- but since it's already "encrypted", Webscarab, though it intercepts stuff, just sees the "encrypted/hashed" traffic. This hence greatly reduces the risk, even if someone managed to somehow convince a user to send traffic out through some untrusted proxy. The risk is there, especially in shared environments like cyber cafes where you could well be sending data through who knows where if you're not careful, but really it's low risk IMHO. Should be reported -- but low risk.

Cheers
Arvind
