Re: username and Password sent as clear text strings



Good Morning Everyone and thank you all for you input.

I don't believe a certificate was every presented to the browser, I'll double check that when I get on the client site this morning.

I guess part of the problem I'm having with this, is the web app is owned by a very large company, and I just thought they would take the extra measure of hashing or encrypting the password.

Take Care and Have Fun --John

-------------- Original message ----------------------
From: Todd Haverkos <fsbo@xxxxxxxxxxxx>
jfvanmeter@xxxxxxxxxxx writes:

Hello everyone, and I know this might not be the most correct place to post
this questions, but I was hoping to get some feedback on what you think the
potential risk would be and how this this could be exploited.

I completed a security review of a web server, that creates a SSL connection
between the cleint and the server. Using WebScarab, I could see that the
username and password are sent as clear text strings. The log in to the server
requires a administrative account.

Do you think there is a large amount of risk, in sending the username and
password as a clear text string, since the pipe is encrypted? I was thinking
that a man-in-the-middle or sometype of session hijacking attack could allow
the account to be compromised.

I'm working on completing the report for my client and was hoping to get some
feedback from everyone so I could pose this to them correcly.

Thank you in advance --John

Hi John,

Webscarab, like all intercepting web proxy programs I've used on
https:// sites generally work by performing an intentional "man in the
middle" between your web browser and the server in order to be able to
show you what's being submitted to the server. Unless your browser is
broken or badly configured, you should have gotten a certificate
mismatch warning when first conencting to the site, and examination of
the certificate that was presented to the browser will have Webscarab
written all over.

With that in mind are you _sure_ things are being passed in clear
text, or are you just saying "hey I can read these form submission
values just fine in webscarab!" If the latter, I don't think there's
necessarily a concern, because by the nature of the tool you're using
and you're okay'ing the certificate warning, you're letting the tool
sees these values.

Best Regards,
--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------



Relevant Pages

  • Re: SSL and Server Certificates
    ... determine whether the server itself is even listening on port 443. ... so 'view certificate' & examine its properties. ... with the certificate may prevent a browser from connecting altogether. ... Insure host headers & SSL are not in use, unless the site using SSL is ...
    (microsoft.public.inetserver.iis.security)
  • Re: username and Password sent as clear text strings
    ... Webscarab, like all intercepting web proxy programs I've used on ... Unless your browser is ... mismatch warning when first conencting to the site, ... the certificate that was presented to the browser will have Webscarab ...
    (Pen-Test)
  • Re: SBS 2003 and self signed SSL certificate
    ... The error in the browser is: ... box you get a small dialog box that says: The security certificate presented ... or intercept any data you send to the server. ... then when I click on the RWW I get a security warning about going ...
    (microsoft.public.windows.server.sbs)
  • Re: Secure automation?
    ... To provide secured web services, a server SSL certificate is ... The downside with this is that the web server will ask ... To be able to verify a server certificate, a web browser needs to ...
    (comp.security.unix)
  • Re: Secure automation?
    ... To provide secured web services, a server SSL certificate is ... The downside with this is that the web server will ask ... To be able to verify a server certificate, a web browser needs to ...
    (comp.security.unix)