|
Penetration Testing
username and Password sent as clear text strings May 14 2008 10:39AM jfvanmeter comcast net (6 replies) Re: username and Password sent as clear text strings May 20 2008 12:06AM Matthew Zimmerman (mzimmerman gmail com) (1 replies) Re: username and Password sent as clear text strings May 20 2008 08:43AM David Howe (DaveHowe Pentest googlemail com) (1 replies) Re: username and Password sent as clear text strings May 21 2008 06:40PM Matthew Zimmerman (mzimmerman gmail com) (1 replies) Re: username and Password sent as clear text strings May 23 2008 09:39AM David Howe (DaveHowe Pentest googlemail com) RE: username and Password sent as clear text strings May 15 2008 02:29PM Jones, David H (Jones David H principal com) (1 replies) Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 02:46AM Brahnda A. Eleazar (brahnda e hermisconsulting com) (4 replies) Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 17 2008 07:49AM Rick Zhong (sagiko gmail com) (1 replies) RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 26 2008 02:08AM Brahnda A. Eleazar (brahnda e hermisconsulting com) (1 replies) RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 27 2008 07:39AM Adriano Leite (DHL CZ) (Adriano Dias Leite dhl com) (1 replies) RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 29 2008 02:33AM Brahnda A. Eleazar (brahnda e hermisconsulting com) Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 05:08PM pand0ra (pand0ra usa gmail com) (1 replies) Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 09:46PM pand0ra (pand0ra usa gmail com) RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 12:39PM Newton, Preston (cpnewton eprod com) Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 07:08AM Jon Kibler (Jon Kibler aset com) RE: username and Password sent as clear text strings May 15 2008 12:33PM Shenk, Jerry A (jshenk decommunications com) Re: username and Password sent as clear text strings May 15 2008 03:12AM Todd Haverkos (fsbo haverkos com) (1 replies) Collection of problems in production systems while pen-testing - "Butterfly effect" May 27 2008 08:10AM Adriano Leite (DHL CZ) (Adriano Dias Leite dhl com) RE: username and Password sent as clear text strings May 15 2008 02:34AM Shenk, Jerry A (jshenk decommunications com) |
|
|
Privacy Statement |
Well... you are not really sending the password in clear text.
Normally sending the password, be it encrypted or not, is thought to be an
vulnerability by itself, because if someone manages to break your encryption
(for example man in the middle as you suggested, or breaking the key, or
getting it from somewhere), he will get your root password. Thus it is
thought to use some other way of checking if the password is correct:
hashing, challange-responce, encrypting.
Cheers,
Orlin
Ðа Wednesday 14 May 2008 12:39:51 jfvanmeter (at) comcast (dot) net [email concealed] напиÑа:
> Hello everyone, and I know this might not be the most correct place to post
> this questions, but I was hoping to get some feedback on what you think the
> potential risk would be and how this this could be exploited.
>
> I completed a security review of a web server, that creates a SSL
> connection between the cleint and the server. Using WebScarab, I could see
> that the username and password are sent as clear text strings. The log in
> to the server requires a administrative account.
>
> Do you think there is a large amount of risk, in sending the username and
> password as a clear text string, since the pipe is encrypted? I was
> thinking that a man-in-the-middle or sometype of session hijacking attack
> could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to get
> some feedback from everyone so I could pose this to them correcly.
>
> Thank you in advance --John
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
[ reply ]