Penetration Testing
Re: username and Password sent as clear text strings May 15 2008 08:11AM
jfvanmeter comcast net
Good Morning Everyone and thank you all for your input.

I don't believe a certificate was ever presented to the browser, I'll double check that when I get on the client site this morning.

I guess part of the problem I'm having with this, is the web app is owned by a very large company, and I just thought they would take the extra measure of hashing or encrypting the password.

Take Care and Have Fun --John

-------------- Original message ----------------------
From: Todd Haverkos <fsbo (at) haverkos (dot) com [email concealed]>
> jfvanmeter (at) comcast (dot) net [email concealed] writes:
>
> > Hello everyone, and I know this might not be the most correct place to post
> > this question, but I was hoping to get some feedback on what you think the
> > potential risk would be and how this could be exploited.
> >
> > I completed a security review of a web server, that creates a SSL connection
> > between the client and the server. Using WebScarab, I could see that the
> > username and password are sent as clear text strings. The log in to the server
> > requires an administrative account.
> >
> > Do you think there is a large amount of risk, in sending the username and
> > password as a clear text string, since the pipe is encrypted? I was thinking
> > that a man-in-the-middle or some type of session hijacking attack could allow
> > the account to be compromised.
> >
> > I'm working on completing the report for my client and was hoping to get some
> > feedback from everyone so I could pose this to them correctly.
> >
> > Thank you in advance --John
>
> Hi John,
>
> Webscarab, like all intercepting web proxy programs I've used on
> https:// sites, generally works by performing an intentional "man in the
> middle" between your web browser and the server in order to be able to
> show you what's being submitted to the server. Unless your browser is
> broken or badly configured, you should have gotten a certificate
> mismatch warning when first connecting to the site, and examination of
> the certificate that was presented to the browser will have Webscarab
> written all over it.
>
> With that in mind, are you _sure_ things are being passed in clear
> text, or are you just saying "hey I can read these form submission
> values just fine in webscarab!" If the latter, I don't think there's
> necessarily a concern, because by the nature of the tool you're using
> and you're okay'ing the certificate warning, you're letting the tool
> see these values.
>
> Best Regards,
> --
> Todd Haverkos
> http://www.linkedin.com/in/toddhaverkos
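Todd's point is that the certificate the browser is shown gives the proxy away: an intercepting proxy terminates TLS itself and re-signs the site certificate with its own CA. The check below is an added example, not code from the thread or from WebScarab; the host name, issuer names and certificate dicts are constructed placeholders shaped like what Python's `ssl` module returns from `getpeercert()`, and `fetch_peer_cert` is an assumed helper for pulling the live certificate when you are back on site.

```python
import socket
import ssl
import time

# Constructed sample certificates shaped like ssl.SSLSocket.getpeercert() output.
# The issuer names and host are placeholders, not values taken from the thread.
EXPECTED_ISSUER_CN = "Example Trusted CA (constructed)"
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", EXPECTED_ISSUER_CN),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}
# What the browser sees when an intercepting proxy re-signs the site certificate.
PROXY_CERT = dict(GOOD_CERT, issuer=((("commonName", "Intercepting Proxy CA (constructed)"),),))


def _rdn_value(name_tuples, attr):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested RDN tuples."""
    for rdn in name_tuples:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def assess_cert(cert, host, expected_issuer_cn, now=None):
    """Return (ok, reasons). An issuer other than the one the site is known to use,
    or a certificate that does not name the host, is the tell-tale of a proxy in the path."""
    reasons = []
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        reasons.append(f"issuer is {issuer_cn!r}, expected {expected_issuer_cn!r}")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names.append(_rdn_value(cert.get("subject", ()), "commonName"))
    if host not in names:
        reasons.append(f"host {host!r} not among certificate names {names}")
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form getpeercert() uses.
    if (now if now is not None else time.time()) > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("certificate has expired")
    return (not reasons, reasons)


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate presented by the server, or by whatever sits in front of it.
    Default verification stays on, so a proxy-signed certificate fails here just as the
    browser warns, unless the proxy's CA has been installed as trusted on this machine."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `assess_cert(fetch_peer_cert("host"), "host", known_issuer_cn)` from the client's own network to confirm whether the certificate John's browser saw was the site's or the proxy's.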


Copyright 2007, SecurityFocus