[Emerging-Sigs] clear text passwords
frank at knobbe.us
Thu Jan 8 18:33:59 EST 2009
On Thu, 2009-01-08 at 09:33 -0600, Jack Pepper wrote:
> I found a set of applications that were passing login credentials in
> the clear. Strangely enough we did not have a rule for spotting this
> shabby developer practice:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login
> credentials being passed in POST data"; flow:to_server,established;
> content:"&username="; nocase; content:"&password="; nocase;
> classtype:policy-violation; sid:1048480; rev:1;)
Why not also create a sister rule that checks for POST requests with
username= and password= in the URL rather than the POST data blob?
I'd also remove the & from the matches and just use username and
password... just in case one of them is the first element.
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
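
The two suggestions in this reply (check the URL as well as the POST data, and match the parameter names without the leading `&`) can be tested offline against captured cleartext requests. The sketch below is an added example, not part of the original post and not an Emerging Threats rule; the function names, the sample requests and the restriction to form-encoded bodies are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the rule quoted in the thread.
CRED_KEYS = {"username", "password"}

def _param_names(query: str) -> set:
    # Parsing into names (instead of searching for "&username=") catches a
    # credential parameter that is the first element; lower() mirrors nocase.
    return {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}

def find_cleartext_credentials(raw_request: bytes) -> list:
    """Return where both parameters appear in a POST: 'url', 'body' or both."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return []  # not a parseable request line
    if method.upper() != "POST":
        return []
    hits = []
    # Sister check: credentials in the request URL.
    if CRED_KEYS <= _param_names(urlsplit(target).query):
        hits.append("url")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    # Assumption: only form-encoded bodies are inspected.
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        if CRED_KEYS <= _param_names(body.decode("latin-1")):
            hits.append("body")
    return hits

# Constructed sample requests (not from the thread).
BODY_FIRST = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=alice&password=s3cret")
IN_URL = (b"POST /login?Username=alice&PASSWORD=s3cret HTTP/1.1\r\n"
          b"Host: app.example\r\nContent-Length: 0\r\n\r\n")
BENIGN = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"q=username")

if __name__ == "__main__":
    for sample in (BODY_FIRST, IN_URL, BENIGN):
        print(find_cleartext_credentials(sample))
```

`BODY_FIRST` is the case the original `&username=` match misses, because `username` is the first element of the body.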