If your firm is like most, they will have activity audit requirements for
infrastructue and user activity.
Simply put, you can't get much reliability in audit trails by logging and
securing things at an infrastructure level, then assume that the application
is safely audited, user-level auditing also needs to occur in the
applications layer.
Credentials passed in the clear are invitations for misuse of credentials,
invalidating the value of any application audits.
Anything from a simple user/password/sessionID hash up to an electronic
signature solution (not necessarily PKI based) will do, usin SSL to
encapsulate the traffic away from sniffing eyes.
Lyal
-----Original Message-----
From: Jeff [mailto:pen_tester@adelphia.net]
Sent: Saturday, 26 February 2005 1:38 PM
To: webappsec@securityfocus.com
Subject: Passing Credentials in the clear- Possible fixes
I'm conducting an application assessment for a portal app that is going to
be rolled out shortly. All users allowed access to the home page without
authenticating. To get to the customizable portlets they must authenticate.
I discovered today that the user credentials are being passed in the clear.
When I present this finding I'm expecting some push back from the
application team about how "it's not their problem. It's up to the
infrastructure group to come up with a solution (i.e. https enabled servers,
network encryption devices, etc.)"
My question is this - Are there any possible solutions I could present to
the application team as to how they can fix the problem via a coding change
instead of letting them lay the responsibility for securing their
information off on another group? The portal is Java based if that makes a
difference.
Any info appreciated.
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.5.0 - Release Date: 2/25/2005
