If I remember correctly, WebScarab fakes a certificate, and you are able
to see credentials in clear text. I would try using a regular passive
packet sniffer and see if the credentials are still being passed in
clear text.

David Jones
Principal Financial Group
I/S Information Security
711 High Street
Des Moines, IA 50392-0257

Email: jones.david.h (at) principal (dot) com [email concealed]
Phone: 515.362.2224

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of jfvanmeter (at) comcast (dot) net [email concealed]
Sent: Wednesday, May 14, 2008 5:40 AM
To: pen-test (at) securityfocus (dot) com [email concealed]
Subject: username and Password sent as clear text strings

Hello everyone, and I know this might not be the most correct place to
post this questions, but I was hoping to get some feedback on what you
think the potential risk would be and how this this could be exploited.

I completed a security review of a web server, that creates a SSL
connection between the cleint and the server. Using WebScarab, I could
see that the username and password are sent as clear text strings. The
log in to the server requires a administrative account.

Do you think there is a large amount of risk, in sending the username
and password as a clear text string, since the pipe is encrypted? I was
thinking that a man-in-the-middle or sometype of session hijacking
attack could allow the account to be compromised.

I'm working on completing the report for my client and was hoping to
get some feedback from everyone so I could pose this to them correcly.

Thank you in advance --John

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect (at) principal (dot) com [email concealed] and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

While this communication may be used to promote or market a transaction
or an idea that is discussed in the publication, it is intended to provide
general information about the subject matter covered and is provided with
the understanding that The Principal is not rendering legal, accounting,
or tax advice. It is not a marketed opinion and may not be used to avoid
penalties under the Internal Revenue Code. You should consult with
appropriate counsel or other advisors on all matters pertaining to legal,
tax, or accounting obligations and requirements.

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

[ reply ]