Web Hacking ◾ 317
chapter (Chapter 9). It uses the MD5 hash algorithm to hash (not encrypt) the username, realm and password together with a server-supplied nonce (a random value) and the request URI, and only the resulting digest is sent to the server in the Authorization header; the password itself never travels over the wire.
However, MD5 is a fast, unsalted hash, and everything that went into the digest except the password (nonce, URI, username, realm) is sent in clear text alongside it. An attacker who captures one Authorization header can therefore run an offline dictionary or brute-force attack against it at full speed. So this is not a protocol to rely on for authentication, although it does make things a bit harder for an attacker than Basic authentication, since the attacker has to crack the digest to obtain the credentials rather than simply base64-decode them, and the nonce lets the server reject replayed responses, provided it actually tracks which nonces it has issued.
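To make the "crack the MD5 hash" step concrete, here is an added example (my own code, not from the book) that computes the RFC 2617 Digest response exactly as a client does and then runs the offline dictionary attack an eavesdropper can mount against a captured Authorization header. The capture is constructed from the worked example in RFC 2617 section 3.5; the word list is made up.

```python
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc="00000001", cnonce="0a4f113b", qop="auth"):
    """RFC 2617 Digest response (MD5, qop=auth). Without qop the response
    is MD5(HA1:nonce:HA2). The password only ever enters through HA1."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


# Constructed capture mirroring the worked example in RFC 2617 section 3.5.
# Everything below except the password is visible to anyone sniffing the
# plain-HTTP exchange: the server's nonce and the client's cnonce included.
SECRET_PASSWORD = "Circle Of Life"          # known only to client and server
CAPTURED = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
}
# What the legitimate client put in the Authorization header
# (RFC 2617 gives 6629fae49393a05397450978507c4ef1 for these inputs).
CAPTURED["response"] = digest_response(
    CAPTURED["username"], CAPTURED["realm"], SECRET_PASSWORD,
    CAPTURED["method"], CAPTURED["uri"], CAPTURED["nonce"],
    CAPTURED["nc"], CAPTURED["cnonce"], CAPTURED["qop"])

# Constructed word list; a real attack uses a large dictionary plus mangling rules.
WORDLIST = ["password", "Simba", "hakuna matata", "Circle Of Life", "Mufasa1"]


def crack_digest(captured, wordlist):
    """Offline dictionary attack: recompute the response for each candidate
    password and compare it with the captured one. HA2 does not depend on
    the password, so each guess costs only two MD5 computations."""
    ha2 = _md5(f"{captured['method']}:{captured['uri']}")
    for candidate in wordlist:
        ha1 = _md5(f"{captured['username']}:{captured['realm']}:{candidate}")
        guess = _md5(f"{ha1}:{captured['nonce']}:{captured['nc']}:"
                     f"{captured['cnonce']}:{captured['qop']}:{ha2}")
        if guess == captured["response"]:
            return candidate
    return None


if __name__ == "__main__":
    print("captured response:", CAPTURED["response"])
    print("recovered password:", crack_digest(CAPTURED, WORDLIST))
```

The same loop is what hashcat's and John the Ripper's Digest modes do, only in optimised native code; the protocol gives the attacker no salt and no work factor, so the only defence is the strength of the password itself.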
Form-Based Authentication
Form-based authentication is the recommended method for authenticating a user. The credentials are submitted by either the POST or the GET method over HTTP or HTTPS. Although it is not good security practice to send credentials by GET, since they end up in the URL and can easily leak through the Referer header, browser history, bookmarks and proxy or server logs, we still see it being used.
When the credentials are submitted, the server compares them with the ones saved in the database and authenticates the user if they match. If the Webmaster stores passwords as hashes rather than in plain text, for example as MD5 hashes (hashing, not encryption: there is no key and the operation is one way), then the password submitted by the user is first run through MD5, or whatever hash algorithm the Webmaster uses, and the result is compared with the stored hash. Note that an unsalted fast hash such as MD5 offers little protection once the database leaks: identical passwords produce identical hashes, and a single precomputed table cracks every user at once. Current practice is a salted, deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), compared in constant time.
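The weak and the hardened variants of this comparison, as an added example (not the book's code): the MD5 scheme the text describes, the one-table attack it permits once the hash column leaks, and a salted PBKDF2-HMAC-SHA256 store with a constant-time check. User names, passwords and the word list are constructed; the iteration count is an assumption (OWASP's 2023 figure for PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import secrets

# --- The scheme the text describes: unsalted MD5 ---------------------------

def md5_store(password: str) -> str:
    """Stores MD5(password). Same password gives the same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_verify(stored: str, submitted: str) -> bool:
    return md5_store(submitted) == stored


def crack_md5_table(stored_hashes: dict, wordlist) -> dict:
    """What an attacker does with a leaked user table: hash the word list
    once and look every user up in it. No salt means one table serves all
    users, and equal hashes reveal shared passwords before anything is cracked."""
    lookup = {md5_store(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}


# --- The hardened replacement: salted, slow, constant-time compare ----------

PBKDF2_ROUNDS = 600_000   # assumption: OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def pbkdf2_store(password: str, salt=None) -> str:
    """Returns 'pbkdf2_sha256$rounds$salt_hex$hash_hex'. The record carries
    its own parameters, so the cost can be raised later per user on login."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, submitted: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", submitted.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not leak how much of the hash matched
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed user table and word list for the demonstration.
USERS_MD5 = {
    "alice": md5_store("password123"),
    "bob":   md5_store("letmein"),
    "carol": md5_store("password123"),   # identical to alice's: visible at a glance
}
WORDLIST = ["123456", "qwerty", "letmein", "password123", "dragon"]


if __name__ == "__main__":
    print(crack_md5_table(USERS_MD5, WORDLIST))
    record = pbkdf2_store("password123")
    print(record)
    print(pbkdf2_verify(record, "password123"), pbkdf2_verify(record, "Password123"))
```

Two records for the same password differ because each gets its own random salt, so the attacker must run the slow function separately per user per guess instead of once per guess for the whole table.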
HTTP is a plain text protocol, which means that everything sent across it, credentials and session cookies included, goes as plain text and is vulnerable to eavesdropping or man-in-the-middle (MITM) attacks. Therefore, HTTPS is used for authentication and wherever sensitive data are transmitted, although some websites still do not implement it on all pages, usually citing the server resources the TLS handshake consumes.
Insufficient transport layer protection was a separate entry (A9) in the OWASP Top 10 for 2010; in the 2013 edition it was not dropped but folded into A6, Sensitive Data Exposure. There are tons of websites that do implement HTTPS but not in a proper way. A common pattern is to serve the log-in page over HTTP and switch to HTTPS only when the form is submitted. Since the initial part of the communication is left unencrypted, it is still vulnerable to eavesdropping or MITM attack: an attacker on the path can rewrite the HTTP page before it reaches the browser, for instance by pointing the form's action at an HTTP URL or a host they control, or by injecting JavaScript that copies the password as it is typed, so the credentials never reach the HTTPS endpoint intact. An example follows:
Etsy.com is a popular website that holds a good spot in the Alexa Top 200, and it uses HTTPS for encrypted communications.
However, the website does not implement it correctly: when we try to log in and click the "Sign in" button, the form loads over HTTP, and only after we enter the credentials and submit is the connection changed to HTTPS, which means the initial communication, the page that carries the form itself, is left unencrypted.
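An added example (not from the book) of checking a login page offline for the two transport problems described above: credentials sent with GET, and a password form delivered over HTTP even when its action is HTTPS. The page URLs and HTML are constructed to mimic the pattern just described; there is no real site behind them.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> with its method, action and whether it holds a
    password field. html.parser may give None for valueless attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower() or "get",
                          "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "text").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_login_page(page_url: str, html: str) -> list:
    """Returns findings for every form on the page that carries a password
    field: submission method, scheme of the resolved action, and the
    scheme the page itself was delivered over."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue                                  # search boxes etc. are out of scope
        target = urljoin(page_url, form["action"])    # '' resolves to the page itself
        target_scheme = urlsplit(target).scheme.lower()
        if form["method"] != "post":
            findings.append(
                f"password form submits with {form['method'].upper()} to {target}: "
                "the password lands in the URL, Referer header, history and logs")
        if target_scheme != "https":
            findings.append(f"password form action is not HTTPS: {target}")
        if page_scheme != "https":
            findings.append(
                f"login form delivered over {page_scheme} (action is {target_scheme}): "
                "an on-path attacker can rewrite the form or inject script "
                "before the user types anything")
    return findings


# Constructed pages (no real site), one per pattern discussed in the text.
SAMPLES = {
    # the mistake described above: HTTP page, HTTPS action
    "http_page_https_action": ("http://shop.example/signin", """
        <form method="post" action="https://shop.example/login">
          <input name="user"><input type="password" name="pass">
        </form>
        <form action="/search"><input name="q"></form>"""),
    # credentials in the query string
    "get_login": ("https://shop.example/signin", """
        <form action="login.php">
          <input name="user"><input type="PASSWORD" name="pass">
        </form>"""),
    # what it should look like
    "correct": ("https://shop.example/signin", """
        <form method="POST" action="/login">
          <input name="user"><input type="password" name="pass">
        </form>"""),
}


def audit_samples() -> dict:
    return {name: audit_login_page(url, body) for name, (url, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or ["ok"])
```

Feed it the URL you actually fetched the page from, not the one typed in the address bar, since a redirect from HTTPS to HTTP before the form is served is the same weakness.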
318 ◾ Ethical Hacking and Penetration Testing Guide
Another issue I often see with websites is the use of old and deprecated versions of SSL/TLS. SSL 2.0 was deprecated long ago (its use is prohibited by RFC 6176), since many weaknesses were found in the protocol, including its reliance on weak ciphers. SSL 3.0 has since gone the same way: the POODLE attack on its CBC padding led to its formal deprecation in RFC 7568, and TLS 1.0 and 1.1 were deprecated in RFC 8996. Today TLS 1.2 or TLS 1.3 is the recommendation. Historically, operators were slow to move because old browsers did not support the newer versions, which is why outdated protocol versions are still found in the field.
We can use a neat tool in BackTrack called "SSL Scan" (sslscan), which helps identify websites that accept outdated SSL/TLS versions and weak ciphers. Since this is already discussed in the "Information Gathering Techniques" chapter (Chapter 3), it won't be covered here; instead we will talk about a great Firefox add-on called "Calomel Scan", which can easily help you identify a weak SSL implementation. Based on the negotiated protocol version and cipher strength, the add-on shows a color grade; a red grade indicates a weak SSL implementation in the application you are visiting.
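As an added example (my own code, not the book's, sslscan's or the add-on's), the following probes which TLS versions a server will negotiate using Python's ssl module and turns the result into a red/yellow/green grade in the spirit of the add-on; the grading thresholds are my own. It cannot speak SSL 2.0 or 3.0, since current OpenSSL builds no longer implement them, so those still need sslscan or openssl s_client. The host name is only an argument; nothing is contacted at import time.

```python
import socket
import ssl

# Versions the Python ssl module can still negotiate on a current OpenSSL.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Prohibited or deprecated by RFC 6176 (SSL 2.0), RFC 7568 (SSL 3.0) and
# RFC 8996 (TLS 1.0/1.1). SSLv2/SSLv3 are listed for grading results that
# come from another scanner; this probe itself never offers them.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def _probe_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we test protocol support, not certificate trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level;
        # level 0 lets the probe offer them. LibreSSL has no SECLEVEL.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Returns {version_name: accepted} for the versions in PROBE_VERSIONS.
    Because min and max are pinned, a completed handshake proves the server
    accepts that exact version; any failure is recorded as not accepted."""
    accepted = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = _probe_context(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted[name] = True
        except (OSError, ValueError):     # ssl.SSLError is an OSError subclass
            accepted[name] = False
    return accepted


def grade(accepted):
    """My own thresholds: red if any deprecated version is accepted, yellow if
    only TLS 1.2 is offered, green if TLS 1.2 and 1.3 without legacy versions."""
    offered = {v for v, ok in accepted.items() if ok}
    if not offered:
        return "unknown"   # host down, non-TLS port, or only SSL 2.0/3.0, which we cannot speak
    if offered & DEPRECATED:
        return "red"
    if "TLSv1.3" not in offered:
        return "yellow"
    return "green"


def hardened_client_context():
    """What your own clients should use: system trust store, hostname
    verification on, and nothing below TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = probe_tls_versions(host)
    print(result, "->", grade(result))
```

A false "not accepted" for TLS 1.0/1.1 is possible on builds that compile those versions out entirely; when the probe and sslscan disagree, trust the tool that actually completed a handshake.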