Penetration Testing
username and Password sent as clear text strings May 14 2008 10:39AM
jfvanmeter comcast net (6 replies)
Re: username and Password sent as clear text strings May 20 2008 12:06AM
Matthew Zimmerman (mzimmerman gmail com) (1 replies)
In my opinion, if you want to mitigate this, don't use passwords. Use
true challenge-response. Everything else proposed here is either
obfuscation or doesn't really work in a web application environment.
A VPN around a webserver only works if every user that needs access to
that webserver can also access the vpn.

This situation should NOT be described as a 'password in cleartext'.
If you call SSL encryption (when using a decent symmetric algorithm),
then this is not a cleartext issue... You've committed a
man-in-the-middle attack by being the client AND the
man-in-the-middle... That doesn't really get you anything. If you
control the client, you control the connection. In this case, you
told your client to trust a self-signed certificate with the name of
"WebScarab" when you went to "OtherSite".

Follow NIST SP 800-63 for more guidance --
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1

Matt Zimmerman

On Wed, May 14, 2008 at 6:39 AM, <jfvanmeter (at) comcast (dot) net> wrote:
> Hello everyone, and I know this might not be the most correct place to post this question, but I was hoping to get some feedback on what you think the potential risk would be and how this could be exploited.
>
> I completed a security review of a web server that creates an SSL connection between the client and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires an administrative account.
>
> Do you think there is a large amount of risk in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or some type of session hijacking attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correctly.
>
> Thank you in advance --John

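One simple form of the challenge-response login recommended in the message above, written out as an added example (it is not part of the original post and is not taken from NIST SP 800-63). It assumes an HMAC-SHA256 response over a single-use server nonce with a PBKDF2-derived shared key; `Server`, `client_response` and the sample account are hypothetical names.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Both sides derive the same key; the password itself is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self):
        self.users = {}    # username -> (salt, derived key)
        self.pending = {}  # username -> outstanding single-use nonce

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username):
        # Message 1 (server -> client): the user's salt and a fresh random nonce.
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username, response):
        # Message 2 (client -> server): HMAC over nonce + username.
        # The nonce is consumed here, so a captured response cannot be replayed.
        nonce = self.pending.pop(username, None)
        if nonce is None or username not in self.users:
            return False
        _, key = self.users[username]
        expected = hmac.new(key, nonce + username.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(username, password, salt, nonce):
    key = derive_key(password, salt)
    return hmac.new(key, nonce + username.encode(), hashlib.sha256).digest()

def demo():
    server = Server()
    server.enroll("admin", "constructed-sample-passphrase")  # constructed sample account
    salt, nonce = server.challenge("admin")
    resp = client_response("admin", "constructed-sample-passphrase", salt, nonce)
    first = server.verify("admin", resp)   # fresh response is accepted
    replay = server.verify("admin", resp)  # same bytes resent, as a proxy could capture them
    salt, nonce = server.challenge("admin")
    wrong = server.verify("admin", client_response("admin", "guess", salt, nonce))
    return first, replay, wrong

if __name__ == "__main__":
    print(demo())
```

An intercepting proxy in this exchange sees only the salt, the nonce and the HMAC, none of which can be replayed after the nonce is consumed. The derived key stored on the server is password-equivalent in this scheme, and a captured nonce/response pair still permits offline guessing against weak passwords, so the exchange belongs inside TLS and not in place of it.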
Copyright 2008, SecurityFocus