Penetration Testing mailing list archives

RE: username and Password sent as clear text strings


From: Marvin Simkin <Marvin.Simkin () asu edu>
Date: Mon, 19 May 2008 11:40:12 -0700

A much much simpler solution is to implement a salted hash scheme on the client side which means "Javascript". So as 
soon as you enter your username and password and hit OK the details go to the hash function in Javascript -- get 
"encrypted" and go out. Now when it "goes out" it hits Webscarab -- but since it's already "encrypted" Webscarab 
though it intercepts stuff just sees the "encrypted/hashed" traffic. This hence greatly reduces the risk; even if 
someone managed to somehow convince a user to send traffic out through some untrusted proxy.

https was developed to resist eavesdropping, and to help you know if you are talking to your intended party or a 
middleman. So if anyone is able to listen in and see the clear text password, they've broken https. Not saying that's 
impossible... just keep in mind under this scenario https has been compromised somehow already. Likewise if you have a 
middleman able to alter traffic as it goes by.

Now, you're going to send from the server to the client a javascript code to encrypt the password. If your attacker can 
only listen, he can read the javascript code. If he is a middleman, he can actually DELETE your javascript code on its 
way to the client and tell the client to use plain text after all.

So how are you going to give your client an encryption key without the attacker seeing it? Oh, no, you're just going to 
use a hash algorithm, send the hash, and compare it with a computed hash on the server end. But the attacker can snag 
the hashed password and use it henceforth as the key to your server. He doesn't need to reverse the hash to get the 
original password, because the server is not expecting the password, just the hash.

Key management, identifying trusted parties, developing good encryption routines... these are all hard problems that 
have been well studied, and the result is... https.

If you have an idea for something that is more solid than https, perhaps we should be talking about enhancing https.

Marvin Simkin
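The replay problem Marvin describes, as an added illustration that is not part of the thread: a server that only ever expects the client-side hash accepts a captured hash indefinitely, so the hash is the credential. The second half goes beyond the post and shows the usual defensive fix for replay alone (a per-login nonce and HMAC); the salt, user name and password are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store: the server keeps the same salted hash
# that the browser-side script would compute and transmit.
SALT = "demo-salt"
USERS = {"alice": hashlib.sha256((SALT + "correct horse").encode()).hexdigest()}

def client_hash(password: str) -> str:
    """What the client-side hash function sends instead of the password."""
    return hashlib.sha256((SALT + password).encode()).hexdigest()

def server_accepts_static(user: str, sent: str) -> bool:
    """Static scheme from the thread: compare transmitted hash to stored hash."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, sent)

def demo_static_replay() -> bool:
    """A value seen once on the wire logs in again later: the hash is the key."""
    captured = client_hash("correct horse")
    return server_accepts_static("alice", captured)

# Added generalization: challenge-response. The server issues a fresh nonce and
# expects HMAC(stored_hash, nonce), so a captured response is bound to one nonce.
# This only stops replay of the wire value; the stored hash is still
# password-equivalent if the database leaks, and nothing here helps against a
# middleman who strips the script, which is why TLS remains the actual answer.
def issue_nonce() -> str:
    return secrets.token_hex(16)

def client_response(password: str, nonce: str) -> str:
    key = client_hash(password).encode()
    return hmac.new(key, nonce.encode(), "sha256").hexdigest()

def server_accepts_challenge(user: str, nonce: str, response: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, response)

def demo_challenge_replay() -> bool:
    """A response captured under one nonce is rejected under the next one."""
    nonce1 = issue_nonce()
    captured = client_response("correct horse", nonce1)
    assert server_accepts_challenge("alice", nonce1, captured)  # genuine login
    nonce2 = issue_nonce()
    return server_accepts_challenge("alice", nonce2, captured)  # replay attempt
```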
