Re: username and Password sent as clear text strings
- From: jfvanmeter@xxxxxxxxxxx
- Date: Tue, 20 May 2008 08:27:13 +0000
I never called it a password in clear text, I said it was a clear text string that contained a password. In my mind that is different then a clear text password.
Just my two shiney centavos --John
-------------- Original message ----------------------
From: "Matthew Zimmerman" <mzimmerman@xxxxxxxxx>
In my opinion, if you want to mitigate this, don't use passwords. Use
true challenge-response. Everything else proposed here is either
obfuscation or doesn't really work in a web application environment.
A VPN around a webserver only works if every user that needs access to
that webserver can also access the vpn.
This situation should NOT be described as a 'password in cleartext'.
If you call SSL encryption (when using a decent symmetric algorithm),
then this is not a cleartext issue... You've committed a
man-in-the-middle attack by being the client AND the
man-in-the-middle... That doesn't really get you anything. If you
control the client, you control the connection. In this case, you
told your client to trust a self-signed certificate with the name of
"WebScarab" when you went to "OtherSite.
Follow NIST SP 800-63 for more guidance --
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1
Matt Zimmerman
On Wed, May 14, 2008 at 6:39 AM, <jfvanmeter@xxxxxxxxxxx> wrote:
Hello everyone, and I know this might not be the most correct place to postthis questions, but I was hoping to get some feedback on what you think the
potential risk would be and how this this could be exploited.
between the cleint and the server. Using WebScarab, I could see that the
I completed a security review of a web server, that creates a SSL connection
username and password are sent as clear text strings. The log in to the server
requires a administrative account.
password as a clear text string, since the pipe is encrypted? I was thinking
Do you think there is a large amount of risk, in sending the username and
that a man-in-the-middle or sometype of session hijacking attack could allow
the account to be compromised.
feedback from everyone so I could pose this to them correcly.
I'm working on completing the report for my client and was hoping to get some
Thank you in advance --John
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
- Prev by Date: Re: Vuln Scanner for Web App Source Code
- Next by Date: Re: dns ptr
- Previous by thread: RE: username and Password sent as clear text strings
- Next by thread: Re: username and Password sent as clear text strings
- Index(es):
Relevant Pages
|
|
