[Emerging-Sigs] clear text passwords

Frank Knobbe frank at knobbe.us
Thu Jan 8 18:33:59 EST 2009

On Thu, 2009-01-08 at 09:33 -0600, Jack Pepper wrote:
> I found a set of applications that were passing login credentials in  
> the clear.  Strangely enough we did not have a rule for spotting this  
> shabby developer practice:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login  
> credentials being passed in POST data"; flow:to_server,established;  
> content:"&username="; nocase;  content:"&password="; nocase;  
> classtype:policy-violation; sid:1048480; rev:1;)

Why not also create a sister rule that checks for POST requests with
username= and password= in the URL rather than the POST data blob?

I'd also remove the & from the matches and just use username and
password... just in case one of them is the first element.


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
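
The effect of both suggestions above, as an added example that is not part of the original message: it emulates case-insensitive content matching in Python (not Snort itself) over constructed requests. The host, paths, parameter values and function names are assumptions made for illustration.

```python
# Added example: emulates Snort-style content/nocase substring matching
# over constructed HTTP requests. Not Snort itself; no real traffic.

def parse(raw: bytes):
    """Split a raw HTTP request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _ = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method, uri, body

def has_all(haystack: bytes, needles) -> bool:
    """Case-insensitive match of every needle anywhere in haystack."""
    low = haystack.lower()
    return all(n in low for n in needles)

def original_rule(raw: bytes) -> bool:
    # Rule as posted: both parameters must be preceded by '&'.
    return has_all(raw, [b"&username=", b"&password="])

def without_ampersand(raw: bytes) -> bool:
    # Suggested change: drop the '&' so a first parameter still matches.
    return has_all(raw, [b"username=", b"password="])

def sister_rule(raw: bytes) -> bool:
    # Suggested sister rule: POST request with credentials in the URL.
    method, uri, _ = parse(raw)
    return method == b"POST" and has_all(uri, [b"username=", b"password="])

def req(line: bytes, body: bytes = b"") -> bytes:
    """Build a constructed request (hypothetical host and values)."""
    return line + b" HTTP/1.1\r\nHost: app.example\r\n\r\n" + body

SAMPLES = {
    "body_first": req(b"POST /login", b"username=alice&password=s3cret"),
    "body_later": req(b"POST /login", b"lang=en&username=alice&password=s3cret"),
    "url_query": req(b"POST /login?username=alice&password=s3cret"),
    "benign": req(b"POST /search", b"q=firewall&page=2"),
}

def evaluate():
    """Return {sample: (original, without_ampersand, sister)} verdicts."""
    return {name: (original_rule(r), without_ampersand(r), sister_rule(r))
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:11s} original={verdicts[0]} no_amp={verdicts[1]} sister={verdicts[2]}")
```

Dropping the `&` also makes the match fire on any parameter whose name merely ends in `username=` or `password=`, so expect the broader rule to be noisier.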
