Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
Penetration Testing
username and Password sent as clear text strings May 14 2008 10:39AM
jfvanmeter comcast net (6 replies)
Re: username and Password sent as clear text strings May 20 2008 12:06AM
Matthew Zimmerman (mzimmerman gmail com) (1 replies)
Re: username and Password sent as clear text strings May 20 2008 08:43AM
David Howe (DaveHowe Pentest googlemail com) (1 replies)
Re: username and Password sent as clear text strings May 21 2008 06:40PM
Matthew Zimmerman (mzimmerman gmail com) (1 replies)
Re: username and Password sent as clear text strings May 23 2008 09:39AM
David Howe (DaveHowe Pentest googlemail com)
Re: username and Password sent as clear text strings May 15 2008 02:35PM
Orlin Gueorguiev (orlin baturov com)
RE: username and Password sent as clear text strings May 15 2008 02:29PM
Jones, David H (Jones David H principal com) (1 replies)
Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 02:46AM
Brahnda A. Eleazar (brahnda e hermisconsulting com) (4 replies)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 17 2008 07:49AM
Rick Zhong (sagiko gmail com) (1 replies)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 26 2008 02:08AM
Brahnda A. Eleazar (brahnda e hermisconsulting com) (1 replies)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 27 2008 07:39AM
Adriano Leite (DHL CZ) (Adriano Dias Leite dhl com) (1 replies)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 29 2008 02:33AM
Brahnda A. Eleazar (brahnda e hermisconsulting com)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 05:08PM
pand0ra (pand0ra usa gmail com) (1 replies)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 09:46PM
pand0ra (pand0ra usa gmail com)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 12:39PM
Newton, Preston (cpnewton eprod com)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 07:08AM
Jon Kibler (Jon Kibler aset com)
RE: username and Password sent as clear text strings May 15 2008 12:33PM
Shenk, Jerry A (jshenk decommunications com)
Re: username and Password sent as clear text strings May 15 2008 03:12AM
Todd Haverkos (fsbo haverkos com) (1 replies)
jfvanmeter (at) comcast (dot) net [email concealed] writes:

> Hello everyone, and I know this might not be the most correct place to post this questions, but I was hoping to get some feedback on what you think the potential risk would be and how this this could be exploited.
>
> I completed a security review of a web server, that creates a SSL connection between the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires a administrative account.
>
> Do you think there is a large amount of risk, in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correcly.
>
> Thank you in advance --John

Hi John,

Webscarab, like all intercepting web proxy programs I've used on
https:// sites generally work by performing an intentional "man in the
middle" between your web browser and the server in order to be able to
show you what's being submitted to the server. Unless your browser is
broken or badly configured, you should have gotten a certificate
mismatch warning when first conencting to the site, and examination of
the certificate that was presented to the browser will have Webscarab
written all over.

With that in mind are you _sure_ things are being passed in clear
text, or are you just saying "hey I can read these form submission
values just fine in webscarab!" If the latter, I don't think there's
necessarily a concern, because by the nature of the tool you're using
and you're okay'ing the certificate warning, you're letting the tool
sees these values.

Best Regards,
--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

[ reply ]
Collection of problems in production systems while pen-testing - "Butterfly effect" May 27 2008 08:10AM
Adriano Leite (DHL CZ) (Adriano Dias Leite dhl com)
RE: username and Password sent as clear text strings May 15 2008 02:34AM
Shenk, Jerry A (jshenk decommunications com)







 

Privacy Statement
Copyright 2007, SecurityFocus