Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
Penetration Testing
username and Password sent as clear text strings May 14 2008 10:39AM
jfvanmeter comcast net (6 replies)
Re: username and Password sent as clear text strings May 20 2008 12:06AM
Matthew Zimmerman (mzimmerman gmail com) (1 replies)
Re: username and Password sent as clear text strings May 20 2008 08:43AM
David Howe (DaveHowe Pentest googlemail com) (1 replies)
Re: username and Password sent as clear text strings May 21 2008 06:40PM
Matthew Zimmerman (mzimmerman gmail com) (1 replies)
David, Marvin Simkin said it well; I didn't.

On Tue, May 20, 2008 at 4:43 AM, David Howe
<DaveHowe.Pentest (at) googlemail (dot) com [email concealed]> wrote:
> Matthew Zimmerman wrote:
>>
>> In my opinion, if you want to mitigate this, don't use passwords. Use
>> true challenge-response. Everything else proposed here is either
>> obfuscation or doesn't really work in a web application environment.
>> A VPN around a webserver only works if every user that needs access to
>> that webserver can also access the vpn.
>
> that is unfortunately only security though obscurity, and barely worth doing
> - it raises the bar quite a bit (in that the MiTM attacker must also modify
> the transmitted page to request a plaintext password instead. a much more
> demanding task than just recording traffic) but requires that you send
> javascript, java or flash code to actually do the challenge-response
> protocol (and manage the inevitable clients who will have that turned off
> then complain that your site "requires" things they consider a security
> issue).
Maybe I didn't state it correctly, challenge/response was the wrong
term to use. PKI, SecurID, etc. Something that involves something
you are or something you have in addition to something you know (e.g.,
a password). You are correct that obfuscating the password by some
client side script/addon will not work. That was not my intention.
>
> Ultimately though, if your attacker can successfully read and modify the
> browser channel (either using browser plugins or indirectly by intercepting
> and modifying the page stream via a MiTM attack) or intercept the data entry
> channel (keyboard/mouse) you have already lost.
Right. You break the SSL tunnel, you also have the user's cookie,
which means you don't care about a "password" anymore. The cookie is
your password.
>

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

[ reply ]
Re: username and Password sent as clear text strings May 23 2008 09:39AM
David Howe (DaveHowe Pentest googlemail com)
Re: username and Password sent as clear text strings May 15 2008 02:35PM
Orlin Gueorguiev (orlin baturov com)
RE: username and Password sent as clear text strings May 15 2008 02:29PM
Jones, David H (Jones David H principal com) (1 replies)
Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 02:46AM
Brahnda A. Eleazar (brahnda e hermisconsulting com) (4 replies)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 17 2008 07:49AM
Rick Zhong (sagiko gmail com) (1 replies)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 26 2008 02:08AM
Brahnda A. Eleazar (brahnda e hermisconsulting com) (1 replies)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 27 2008 07:39AM
Adriano Leite (DHL CZ) (Adriano Dias Leite dhl com) (1 replies)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 29 2008 02:33AM
Brahnda A. Eleazar (brahnda e hermisconsulting com)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 05:08PM
pand0ra (pand0ra usa gmail com) (1 replies)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 09:46PM
pand0ra (pand0ra usa gmail com)
RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 12:39PM
Newton, Preston (cpnewton eprod com)
Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? May 16 2008 07:08AM
Jon Kibler (Jon Kibler aset com)
RE: username and Password sent as clear text strings May 15 2008 12:33PM
Shenk, Jerry A (jshenk decommunications com)
Re: username and Password sent as clear text strings May 15 2008 03:12AM
Todd Haverkos (fsbo haverkos com) (1 replies)
Collection of problems in production systems while pen-testing - "Butterfly effect" May 27 2008 08:10AM
Adriano Leite (DHL CZ) (Adriano Dias Leite dhl com)
RE: username and Password sent as clear text strings May 15 2008 02:34AM
Shenk, Jerry A (jshenk decommunications com)







 

Privacy Statement
Copyright 2008, SecurityFocus