[Emerging-Sigs] clear text passwords

Matt Jonkman jonkman at jonkmans.com
Thu Jan 8 11:02:29 EST 2009

Good idea, should be interesting. I'll drop this into policy.


Jack Pepper wrote:
> I found a set of applications that were passing login credentials in
> the clear. Strangely enough we did not have a rule for spotting this
> shabby developer practice:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login credentials being passed in POST data"; flow:to_server,established; content:"&username="; nocase; content:"&password="; nocase; classtype:policy-violation; sid:1048480; rev:1;)
>
> I have taken the assumption that username and password are the given
> fieldnames, but in reality they could be anything.
> jp

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
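
An added example, not part of the original thread: Python that emulates the quoted rule's two content matches on constructed requests and compares them with a check that parses the form body. The field-name sets, function names and sample requests are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Assumed credential field names; extend per application.
USERNAME_FIELDS = {"username", "user", "login", "email"}
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}

def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's two nocase content matches (any position)."""
    lowered = payload.lower()
    return b"&username=" in lowered and b"&password=" in lowered

def form_credentials(payload: bytes) -> bool:
    """True if a cleartext POST form body has username-like and password-like fields."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or not lines[0].upper().startswith(b"POST "):
        return False
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        return False
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    names = {key.lower() for key, _ in pairs}
    return bool(names & USERNAME_FIELDS) and bool(names & PASSWORD_FIELDS)

def post(body: str) -> bytes:
    """Build a constructed HTTP POST request carrying the given form body."""
    return (f"POST /login HTTP/1.1\r\nHost: app.example\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "other field first": post("action=login&username=alice&password=example"),
    "username first": post("username=alice&password=example"),
    "other names": post("user=alice&passwd=example"),
    "no credentials": post("q=snort+rules&page=2"),
}

def compare() -> dict:
    """Map each sample label to (rule result, parsed-form result)."""
    return {k: (rule_matches(v), form_credentials(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:20} rule={result[0]!s:5} parsed={result[1]}")
```

The "username first" sample shows that the leading `&` in `content:"&username=";` keeps the rule from firing when username is the first field in the body.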
