Searching Memory for Secrets with WinHex
In November 2003, Abhishek wrote about how we were seeing a lot of plain text passwords lying around in the memory of critical applications. A year later, Sangita explained how this issue affects web applications in the pages of Palisade.
Today, it is still one of the most common vulnerabilities we discover in our application security tests.
How do we discover this vulnerability? It’s quite simple, really.
We use WinHex, though any memory-viewing tool with search features should do. WinHex lets you view the memory of any process and search through it.
After we log out of the application session, we fire up WinHex and ask it to open the browser’s memory. We zoom into the data space used by that session by searching for keywords specific to the session. Our favorite is to search for the password itself. Once WinHex focuses the sights on the right space, we skim through it to see what’s still lying around. Honestly, in 90% of the cases, the password is still there!
The risk of passwords lying in memory is that anyone who has access to the computer when the browser window is still open can grab the password, even if SSL is used.
The solution is to reset the password variable after it is posted to the server, or better still to reset it after posting its salted hash to the server. Here’s what the Appsec FAQ has to say about salted hashes:
How does the salted MD5 technique work?
Here is how the salted MD5 technique works: the database stores an MD5 hash of the password. (MD5 hash is a cryptographic technique in which the actual value can never be recovered.) When a client requests the login page, the server generates a random number, the salt, and sends it to the client along with the page. JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated.
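The following is an added example, not code from the post or from Plynt. It plays out the FAQ's exchange end to end in Python (standing in for the browser JavaScript on the client side), and it also shows the "reset the password variable after posting" advice from the post: the client keeps the password in a mutable buffer and overwrites it with zeros as soon as the inner hash has been computed. The user database, the sample password, and the function names are all constructed for this illustration.

```python
"""Challenge-response login with a salted MD5, as described in the Appsec FAQ,
plus wiping of the client-side password buffer after use.
Added example: not the page's code. User database and password are constructed."""
import hashlib
import secrets
from typing import Dict


def md5_hex(data) -> str:
    """Hex MD5 digest of any bytes-like object. MD5 is used here only because
    the FAQ describes it, not as a recommendation."""
    return hashlib.md5(data).hexdigest()


# Constructed sample database: the server keeps MD5(password), never the password.
USER_DB: Dict[str, str] = {
    "alice": md5_hex(b"correct horse battery staple"),
}


def server_issue_salt() -> str:
    """Server side, step 1: a fresh random salt is sent down with the login page."""
    return secrets.token_hex(16)


def client_response(password: str, salt: str) -> str:
    """Client side (the browser JavaScript in the FAQ): MD5 the password,
    append the salt to that hash, MD5 again. Only the result leaves the client."""
    inner = md5_hex(password.encode("utf-8"))
    return md5_hex((inner + salt).encode("ascii"))


def client_response_and_wipe(password_buf: bytearray, salt: str) -> str:
    """Same computation, but the password lives in a mutable buffer that is
    overwritten with zeros as soon as the inner hash exists. This is the
    'reset the password variable' advice from the post; an immutable str
    cannot be scrubbed in place, so a bytearray is used instead."""
    inner = md5_hex(password_buf)  # hashlib accepts the bytearray directly, no copy
    for i in range(len(password_buf)):
        password_buf[i] = 0
    return md5_hex((inner + salt).encode("ascii"))


def server_verify(username: str, salt: str, response: str) -> bool:
    """Server side, step 3: recompute MD5(stored_hash + salt) and compare.
    compare_digest avoids leaking the match position through timing."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = md5_hex((stored + salt).encode("ascii"))
    return secrets.compare_digest(expected, response)


def login(username: str, password: str) -> bool:
    """One full exchange: salt issued, client responds, server verifies."""
    salt = server_issue_salt()
    return server_verify(username, salt, client_response(password, salt))


if __name__ == "__main__":
    print("correct password:", login("alice", "correct horse battery staple"))
    print("wrong password:  ", login("alice", "hunter2"))
```

Two things worth noticing when running it. A response captured for one salt does not verify against a different salt, which is the point of the server-chosen random value. And because the server verifies using the stored MD5(password) directly, that stored value is itself sufficient to answer the challenge, so the database column holding it needs the same protection as a password would.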
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.
I have a PLC (CPU FXON) and I set a password for it, but now I forgot my password. Please help me! Can you use WinHex to find the password in a PLC? Thank you very much.