RE: Client/Server application that does not authenticate users

From: Dinis Cruz (dinis_at_ddplus.net)
Date: 08/14/04

  • Next message: Dinis Cruz: "RE: Client/Server application that does not authenticate users"
    To: "'Brian Erdelyi'" <brian_erdelyi@yahoo.com>, <pen-test@securityfocus.com>
    Date: Sat, 14 Aug 2004 00:29:08 +0100
    
    

    I knew of an web app that got the username for the user variable "Username"

    Guess what would happen in you typed in the client workstation "Set
    Username=Admin" :)

    For guidelines check out the OWASP documents: Top 10
    (http://www.owasp.org/documentation/topten.html), Testing guide
    (http://www.owasp.org/documentation/testing.html), the ISO 17799 Project
    (http://www.owasp.org/standards/iso17799.html) and the app sec FAQ
    (http://www.owasp.org/documentation/faq.html)

    Hope this helps

    Best regards

    Dinis Cruz
    .Net Security Consultant
    DDPlus

    > -----Original Message-----
    > From: Brian Erdelyi [mailto:brian_erdelyi@yahoo.com]
    > Sent: 13 August 2004 11:58
    > To: Dinis Cruz; pen-test@securityfocus.com
    > Subject: RE: Client/Server application that does not authenticate users
    >
    > I am working with the vendor on this. Unfortunately,
    > I was assured by the cendor that the application does
    > authenticate users and uses accesscontrol lists to
    > assign permissions. They claimed I was was using an
    > uncommon interpretation of the term "authentication".
    > The next level of support disagreed with my use of the
    > term "vulnerability".
    >
    > The server does ask for a username (the client
    > automatically forwards the Windows username of the
    > currently logged on computer) but no password is
    > requested or sent at any point. This is by design of
    > the application (which from my perspective is
    > seriously flawed for an application that allows users
    > to sell and trade millions of dollars worth of bonds).
    >
    > I will give the vendor some time to analyse the
    > description I have provided to them and respond.
    >
    > I'd like to provide some very specific suggestions and
    > guidance on how other applications are designed and
    > coded to authenticate users.
    >
    > Is there an RFC on secure programming?
    >
    >
    >
    > --- Dinis Cruz <dinis@ddplus.net> wrote:
    >
    > > Quite common.
    > >
    > > The other major mistake that most do is to rely on
    > > the Client's GUI to
    > > enforce the 'security boundaries' of the client
    > > application (for example:
    > > they rely on the fact that the user's GUI doesn't
    > > have the functionality to
    > > change passwords (including the administrators), so
    > > if such a request is
    > > made it must be from a valid source....)
    > >
    > > But, the big question is: "what happens next?"
    > >
    > > Are they going to tell their customers that their
    > > data could had been (or
    > > was) compromised?
    > >
    > > Dinis Cruz
    > > .Net Security Consultant
    > > DDPlus
    >
    >
    >
    >
    > __________________________________
    > Do you Yahoo!?
    > Yahoo! Mail is new and improved - Check it out!
    > http://promotions.yahoo.com/new_mail


  • Next message: Dinis Cruz: "RE: Client/Server application that does not authenticate users"

    Relevant Pages

    • Re: HELP! Really strange problem w/AD and LDAP/LDIFDE
      ... FYI, I've just sent off an email with my "analysis" of what may be going on in this one, particular environment. ... Some behavior which I/we haven't been able to identify with the way that AD handles simple LDAP binds, among the 3 different username formats. ... Re-configure things into a more "orthodox" configuration. ... In particular, I've suggested/recommended that they eliminate the "2nd AD", and let me point my web app at the "1st" AD/Domain controller, since this is how the other sites are configured. ...
      (microsoft.public.windows.server.active_directory)
    • RE: SQL Database Connection Size
      ... Check your timeouts (web app, if involved, connection and command). ... > However, if the data is large> 15MB, it is prompt for username and> password. ... > Error Message ... > You do not have permission to view this directory or page using the> credentials that you supplied. ...
      (microsoft.public.dotnet.framework.adonet)
    • Re: Use IsInRole method with Domain and Username, but without password
      ... > to add users to a small database that manages privileges within a Web app. ... > The table contains the domain name and username. ... > valid in an Active Directory role. ... I am looking for a way to verify a user is in an Active ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • Integrated authentication constant password promts
      ... I setup this web app to use integrated authentication. ... When i load it, it asks for username / password. ...
      (microsoft.public.inetserver.iis.security)
    • BT Email Rant
      ... Tried yahoo webmail - invalid username or password. ... Couldn't find any mention of yahoo settings, ... It wanted to download a desktop help assistant ...
      (uk.rec.motorcycles)