Re: [WEB SECURITY] SSL does not = a secure website

[Bill Pennington <bill () whitehatsec com>]

I recently ran into the "click on a virtual keyboard" implementation.  
This one was all JavaScript based and worked by sending the  
coordinates back to the server. It was not any more secure than a  
form-based password since the password was basically sent in a URL  
string just in the form of coordinates. Replay of the coordinates  
worked just fine. I think this product was aimed at stopping the  
"Enter your username and password" type fishing attacks.

Now it is true SSL would stop some type of network sniffer from  
seeing this traffic however I think it would be trivial for a trojan  
to hook into the IE object and just pull click events out from there.  
I mean once you can install software on your target there is not much  
that can't be done so this are simply a bump in the road from what I  
have been able to determine.



On Mar 28, 2006, at 3:16 PM, James Strassburg wrote:

> There are additional countermeasures that a web application can
> implement.  For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th  
> character of
> your password).  I should state that while I've read about these I  
> don't
> know of a web application that makes use of them.
>
> James Strassburg
>
> ________________________________
>
> From: Ryan Barnett [mailto:rcbarnett () gmail com]
> Sent: Tuesday, March 28, 2006 8:10 AM
> To: Sebastien Deleersnyder
> Cc: Web Security; webappsec () securityfocus com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
>
>
> On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com>
> wrote:
>
> Their is nothing that a website can do to prevent keyloggers on the
> user's machine.
>
> Well, now that I think about it, that is not entirely true...   
> Websites
> could front-end their web apps with applications such as Sygate (
> http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
> <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
> which can check the user's computer for some forms of malware  
> (including
> keyloggers) and then place the user into a Java virtual machine to  
> help
> protect user credentials.
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/


---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------