RE: pen testing https portal?

From: Nick Besant (Nick.Besant@ioko.com)
Date: Fri Sep 08 2006 - 06:08:06 EDT


> -----Original Message-----
> mismail@postmaster.co.uk
> has anyone ever tested a https portal?
>
> basically i have a client who has constructed a https portal
> to allow workers to log on from anywhere and access apps and files.
>
> how it works is the username and pw are the user's AD logon
> details, the pin is emailed to the user, so for example when
> the user logs on he has a button saying generate pin!
>
> now say for example he has a pin of 1234; when he hits generate
> pin a picture comes up like this
>
> 1234567890
>
> 0192837465
>
> so the user finds his 1st number in his pin, and types the
> number below it, same with 234, and enters that into the pin field:
>
> username: bloggs
>
> pw: password
>
> pin: 0192
>
> the pin is one time unique! has anyone ever come across a
> setup like this?
>
> sorry for the long post!
>
> hope you can help!
>

Maybe, a few questions first though:

1. You mention a picture comes up - do you mean this is a CAPTCHA[1]
style challenge? If so, it's possible you can automate fetching the
numbers with one of the CAPTCHA analysis tools.
2. Is the PIN challenge displayed before or after a successful logon;
i.e. do you have to provide a valid username and password, then go to
the PIN screen, then get access, or do you get the PIN screen together
with the logon boxes? If it comes up first you could have a go at
doing some pattern analysis.
3. Do you have a valid login + PIN already for the testing?
4. Have you tried session-based attacks yet? (although they could be
changing session ID on successful login).

[1] http://en.wikipedia.org/wiki/Captchas

Regards,

Nick Besant
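As an added illustration (written for this archive page, not code from either poster or the client's portal), a small Python model of the substitution challenge described in the quoted message, using the table and PIN from that example. It shows that the typed value is a per-logon encoding of the static PIN under a key displayed in the clear, so the secret an attacker must guess is still only the 4-digit PIN (about 13.3 bits), and anyone who sees both the table and the response learns the fixed PIN; the permutation generator and entropy helper are assumptions for the model.

```python
import math
import random

TOP_ROW = "1234567890"  # the fixed top row shown in the thread's example


def make_table(rng: random.Random) -> str:
    """Bottom row for one logon: a random permutation of the ten digits
    (assumed; the thread does not say how the portal generates it)."""
    row = list(TOP_ROW)
    rng.shuffle(row)
    return "".join(row)


def encode_pin(pin: str, bottom_row: str) -> str:
    """What the user types: each PIN digit replaced by the digit beneath it."""
    mapping = dict(zip(TOP_ROW, bottom_row))
    return "".join(mapping[d] for d in pin)


def recover_pin(response: str, bottom_row: str) -> str:
    """The substitution is a bijection, so table + response determine the
    static PIN.  This is why the value is not 'one time' in the OTP sense:
    a screen capture or proxy log of one logon exposes the fixed PIN."""
    inverse = dict(zip(bottom_row, TOP_ROW))
    return "".join(inverse[d] for d in response)


def secret_bits(pin_length: int) -> float:
    """Entropy of what must be guessed: only the PIN digits.  The table is
    shown to the user in the clear, so it adds nothing."""
    return pin_length * math.log2(10)


def demo() -> None:
    # Constructed from the thread: PIN 1234 with bottom row 0192837465
    print(encode_pin("1234", "0192837465"))   # 0192
    print(recover_pin("0192", "0192837465"))  # 1234
    print(round(secret_bits(4), 2))           # 13.29


if __name__ == "__main__":
    demo()
```

Because the effective secret is the static PIN, the defensive controls that matter here are the ones Nick's questions probe: whether the PIN screen is reachable before password validation, per-account lockout or throttling, and session ID regeneration after logon.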





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:55 EDT