[Emerging-Sigs] clear text passwords

Matt Jonkman jonkman at jonkmans.com
Thu Jan 8 11:02:29 EST 2009


Good idea, should be interesting. I'll drop this into policy.

Matt

Jack Pepper wrote:
> I found a set of applications that were passing login credentials in  
> the clear.  Strangely enough we did not have a rule for spotting this  
> shabby developer practice:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login  
> credentials being passed in POST data"; flow:to_server,established;  
> content:"&username="; nocase;  content:"&password="; nocase;  
> classtype:policy-violation; sid:1048480; rev:1;)
> 
> I have taken the assumption that username and password are the given  
> fieldnames, but in reality they could be anything.
> 
> jp
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
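A checker that covers the gap jp notes (field names could be anything, and the first form field has no leading `&`), added here as an illustration and not part of either post; the field-name lists and sample requests are constructed assumptions, not from the thread:

```python
from urllib.parse import parse_qsl

# Credential-like form field names (assumption: extend for the apps you monitor).
USER_FIELDS = {"username", "user", "login", "email", "uid"}
PASS_FIELDS = {"password", "passwd", "pwd", "pass"}


def snort_style_match(payload: bytes) -> bool:
    """Mimic the posted rule: both '&username=' and '&password=' present,
    case-insensitive. Misses the case where username is the first field."""
    low = payload.lower()
    return b"&username=" in low and b"&password=" in low


def find_cleartext_credentials(raw_request: bytes):
    """Return (user_field, pass_field) when a POST body carries credential-like
    urlencoded fields in any position, else None. Only the body is inspected."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return None
    # keep_blank_values so an empty password field still counts
    fields = {k.lower() for k, _ in parse_qsl(body.decode("latin-1"),
                                               keep_blank_values=True)}
    user = next((f for f in sorted(fields) if f in USER_FIELDS), None)
    pw = next((f for f in sorted(fields) if f in PASS_FIELDS), None)
    if user and pw:
        return (user, pw)
    return None


# Constructed sample: username is the FIRST field, so no '&' precedes it and
# the posted rule's content:"&username=" never fires.
SAMPLE_FIRST_FIELD = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"username=alice&password=s3cret&remember=1")

# Constructed sample: different field names that the posted rule cannot see.
SAMPLE_OTHER_NAMES = (b"POST /auth HTTP/1.1\r\nHost: app.example\r\n\r\n"
                      b"login=bob&passwd=hunter2")

if __name__ == "__main__":
    for req in (SAMPLE_FIRST_FIELD, SAMPLE_OTHER_NAMES):
        print(snort_style_match(req), find_cleartext_credentials(req))
```

Running it shows the posted rule missing both samples while the parser flags them; the same field-name approach maps back to additional `content:` matches or a `pcre:` in the rule.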
