Re: username and Password sent as clear text strings



In my opinion, if you want to mitigate this, don't use passwords. Use
true challenge-response. Everything else proposed here is either
obfuscation or doesn't really work in a web application environment.
A VPN around a webserver only works if every user that needs access to
that webserver can also access the vpn.

This situation should NOT be described as a 'password in cleartext'.
If you call SSL encryption (when using a decent symmetric algorithm),
then this is not a cleartext issue... You've committed a
man-in-the-middle attack by being the client AND the
man-in-the-middle... That doesn't really get you anything. If you
control the client, you control the connection. In this case, you
told your client to trust a self-signed certificate with the name of
"WebScarab" when you went to "OtherSite.

Follow NIST SP 800-63 for more guidance --
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1

Matt Zimmerman

On Wed, May 14, 2008 at 6:39 AM, <jfvanmeter@xxxxxxxxxxx> wrote:
Hello everyone, and I know this might not be the most correct place to post this questions, but I was hoping to get some feedback on what you think the potential risk would be and how this this could be exploited.

I completed a security review of a web server, that creates a SSL connection between the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires a administrative account.

Do you think there is a large amount of risk, in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack could allow the account to be compromised.

I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correcly.

Thank you in advance --John

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------



Relevant Pages

  • Re: SBS2003 - Terminal Server - RWW too many steps
    ... Smartcard readers are compact, dirt cheap, and circumvent 95% of the concerns with exposing RDP on the internet at-large. ... Is the revenue from this client so important to your business that its worth putting your business at risk? ... >>> 2 requires the same port redirect, does not require a listening port ... >> passwords are about as weak as you can expect....and there is little ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS2003 - Terminal Server - RWW too many steps
    ... Is the revenue from this client so important to your business that its worth putting your business at risk? ... >>> 2 requires the same port redirect, does not require a listening port ... >>> newest RDP clients with policies to require them. ... >> passwords are about as weak as you can expect....and there is little ...
    (microsoft.public.windows.server.sbs)
  • Re: Cant change security policy
    ... I'll try to get the secure passwords accepted by the client, ... While the server was just server and no ... > improved security policy that will go into effect 7 days after the system is ...
    (microsoft.public.windows.server.sbs)
  • Re: How to test that I configured httpd+Subversion wirh Path Based Authorization in the right way?
    ... served trough the Apache web server. ... client, 'svn', stores all passwrds locally in cleartext. ... MUAs or FTP passwords? ...
    (comp.os.linux.security)
  • Re: Apache Software Foundation Server compromised, resecured. (fwd)
    ... >> You don't need passwords to run CVS against a remote repository. ... OR having the same private key on more than one machine. ... using an untrusted client for performing challenge-response operations ...
    (FreeBSD-Security)