Password sent over cleartext


Nick Hovanic

May 7, 2014, 12:32:04 PM
to zaprox...@googlegroups.com
This is a rather elementary test, but I do want to verify this is being tested:

Password being sent over cleartext. If creds are sent over HTTP and not HTTPS, this would flag. That is a fairly common test to do and I know it is an easy thing to test, but I want to make sure it's in there as a CYA.

thc...@gmail.com

May 7, 2014, 1:26:35 PM
to zaprox...@googlegroups.com
Hi.

That's verified for HTTP authentication (Basic and Digest) with the passive scanner "Weak Authentication Method" which is bundled with "Passive scanner rules (beta)" add-on.

Is that what you are looking for?


P.S. Make sure you have the add-on installed [1] and the passive scanner enabled [2].

[1] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsManageaddons
[2] https://code.google.com/p/zaproxy/wiki/HelpUiDialogsScanpolicy

Best regards.


Nick Hovanic

May 7, 2014, 3:39:57 PM
to zaprox...@googlegroups.com
Yes, that is what I am looking for. I don't think it works, though. I made sure I updated my passive scan rules and had the passive scanner enabled. I browsed to a site on 80 and logged in and did not receive an alert about that item. (I did not change the threshold of the weak authentication methods.)

thc...@gmail.com

May 9, 2014, 12:02:40 PM
to zaprox...@googlegroups.com
Hi.

Which ZAP version are you using?

It works for me, both with basic and digest; I get the following alerts:
 - Authentication Credentials captured
 - Weak Authentication Method

Could you provide more details of your case? (example request/response that is sent)

Best regards.

kingthorin+owaspzap

May 9, 2014, 2:22:08 PM
to zaprox...@googlegroups.com
I'm going to chime in with a 2-cent guess here. I think what Nick is suggesting is that his app is using form authentication and that he expects an issue (alert) to be raised when the form (or form action) is permitted via HTTP (vs. HTTPS).

thc...@gmail.com

May 9, 2014, 3:26:53 PM
to zaprox...@googlegroups.com
In that case the answer would be, no. ZAP does not alert if passwords are sent in clear text for "form authentication".

But since ZAP "now" allows you to indicate the login URL, that could be easily implemented.

Best regards.


Nick Hovanic

May 12, 2014, 4:51:45 PM
to zaprox...@googlegroups.com
Version 2.3.01
I believe that kingthorin was correct.
Here is my request/response info:

POST http://example.com/archive/login.asp HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://example.com/archive/login.asp
Cookie: ASP.NET_SessionId=f0xj42vcxv1mie45hftn5c45; DefaultDS=; EnableFts=; EnableCxErmx=; ASPSESSIONIDAAQSRDAB=AHLPLIJAGADFILJFGIIDAGCL
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Host: examplehost.com


Action_IS=Validate_UID_And_Password&uname=UNAME&upass=PASS-WORD&Submit=Submit


HTTP/1.1 302 Object moved
Date: Mon, 12 May 2014 20:40:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: Lookup_Main.asp
Content-Length: 136
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="Lookup_Main.asp">here</a>.</body>


and I would be into the site.

Simon Bennetts

May 13, 2014, 4:44:13 AM
to zaprox...@googlegroups.com
We already passively check for things like autocomplete on password fields.
It should be relatively simple to also passively check for password input fields that are included in a form that looks like it's going to be submitted via http.
This will be harder if javascript is used to submit the form.

Checking when the form is actually submitted is more tricky, unless we use the Login URL that thc202 suggested.
We can make some assumptions about fields called "password" and "pass" etc., but what about a field called "ikd93udf"?

Cheers,

Simon
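As an added illustration of the passive check Simon describes (this is not ZAP code and not from anyone in the thread): parse a response for forms that contain a type="password" input and report those whose action resolves to an http:// URL. Keying on the input type rather than the field name also covers the "ikd93udf" case; the page URL and HTML below are constructed samples modelled on Nick's login request.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a type=password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str | None, "has_password": bool}
        self._current = None   # form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Key on type="password", not on the field name, so an obscurely
            # named field such as "ikd93udf" is still recognised.
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_password_forms(page_url, html):
    """Return the resolved submit URLs of forms that hold a password field and
    would post it over plain http://. An empty or missing action submits to the
    page's own URL, so a login page served over HTTP is flagged too."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["has_password"]:
            target = urljoin(page_url, form["action"] or "")
            if urlsplit(target).scheme.lower() == "http":
                findings.append(target)
    return findings


# Constructed sample modelled on the login page in the thread (not a real site).
SAMPLE_URL = "http://example.com/archive/login.asp"
SAMPLE_HTML = """<form method="post">
  <input name="uname"><input type="password" name="ikd93udf"></form>
<form method="post" action="https://example.com/archive/login.asp">
  <input type="password" name="upass"></form>"""
```

The first sample form has no action and so posts back to the http:// page URL and is reported; the second posts to an https:// action and is not.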

Nick Hovanic

May 13, 2014, 9:42:32 AM
to zaprox...@googlegroups.com
Isn't it better to make an attempt than to not make one at all?