Re: username and Password sent as clear text strings
- From: Orlin Gueorguiev <orlin@xxxxxxxxxxx>
- Date: Thu, 15 May 2008 16:35:11 +0200
Hi John,
Well... you are not really sending the password in clear text.
Normally sending the password, be it encrypted or not, is thought to be an
vulnerability by itself, because if someone manages to break your encryption
(for example man in the middle as you suggested, or breaking the key, or
getting it from somewhere), he will get your root password. Thus it is
thought to use some other way of checking if the password is correct:
hashing, challange-responce, encrypting.
Cheers,
Orlin
На Wednesday 14 May 2008 12:39:51 jfvanmeter@xxxxxxxxxxx написа:
Hello everyone, and I know this might not be the most correct place to post
this questions, but I was hoping to get some feedback on what you think the
potential risk would be and how this this could be exploited.
I completed a security review of a web server, that creates a SSL
connection between the cleint and the server. Using WebScarab, I could see
that the username and password are sent as clear text strings. The log in
to the server requires a administrative account.
Do you think there is a large amount of risk, in sending the username and
password as a clear text string, since the pipe is encrypted? I was
thinking that a man-in-the-middle or sometype of session hijacking attack
could allow the account to be compromised.
I'm working on completing the report for my client and was hoping to get
some feedback from everyone so I could pose this to them correcly.
Thank you in advance --John
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
- References:
- username and Password sent as clear text strings
- From: jfvanmeter
- username and Password sent as clear text strings
- Prev by Date: RE: username and Password sent as clear text strings
- Next by Date: RE: username and Password sent as clear text strings
- Previous by thread: RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs?
- Next by thread: Re: username and Password sent as clear text strings
- Index(es):
Relevant Pages
|
|
