Re: pen testing https portal?

From: Richard Braganza (iwtb0202@googlemail.com)
Date: Mon Sep 11 2006 - 14:34:59 EDT


Check out PINSafe by Swivel Secure (2-factor: a unique PIN sent by email or SMS).
I found it during some app testing.
It looked very good apart from the way it was implemented: badly. It
allowed a DoS of any logged-in user, by logging them off if incorrect
numbers were entered. The product was not to blame IMHO, only how it was
integrated into the web site.
Best Regards
RARB

On 9 Sep 2006 19:35:47 -0000, mismail@postmaster.co.uk
<mismail@postmaster.co.uk> wrote:
> No, basically 1234 is the PIN they refer to, so when they click on the generate
> PIN button they find the number under 1234 and enter that as their PIN. The
> number they enter will always change, so if someone is walking past and sees
> your logon details, they can't log on, because it's a new number you'd have to type in
> again!
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
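The integration flaw Richard describes (a wrong one-time code submitted for a username knocks that user's existing session off) is easy to reproduce in a few lines. The following is an added illustration written for this archive page, not Swivel's code or the tested site's code: the user list, the fixed per-user codes, the in-memory session store and the source addresses are all constructed so it runs offline. It shows the flawed wiring beside a version where a failed attempt only affects the attempt itself and repeated failures are throttled per source.

```python
"""Constructed example: a second-factor login wired so that a wrong code
evicts an already logged-in user (the DoS described above), beside a
version where unauthenticated failures cannot touch authenticated state."""
import hmac
import secrets
import time
from collections import defaultdict

# Constructed user table: username -> the one-time code the user would read
# off the PIN grid for this attempt. A real deployment changes the code on
# every login; it is fixed here only so the example is deterministic.
USERS = {"alice": "4417", "bob": "9031"}


class Sessions:
    """Minimal in-memory session store keyed by an opaque token."""

    def __init__(self):
        self.by_token = {}

    def create(self, username):
        token = secrets.token_hex(16)
        self.by_token[token] = username
        return token

    def is_valid(self, token):
        return token in self.by_token

    def drop_all_for(self, username):
        for tok in [t for t, u in self.by_token.items() if u == username]:
            del self.by_token[tok]


def code_matches(username, code):
    """Constant-time comparison against the expected code for the user."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, code)


def vulnerable_login(sessions, username, code):
    """Flawed integration: a wrong code for a username logs that user out
    everywhere, so anyone who knows the username can evict the victim."""
    if code_matches(username, code):
        return sessions.create(username)
    sessions.drop_all_for(username)  # the mistake: acting on the victim's state
    return None


class HardenedLogin:
    """A failed attempt affects only the attempt: existing sessions are left
    alone, and repeated failures are throttled per source address (hypothetical
    policy: 5 failures per 300 s) so guessing is slowed without a logout."""

    def __init__(self, sessions, max_failures=5, window=300, now=time.time):
        self.sessions = sessions
        self.max_failures = max_failures
        self.window = window
        self.now = now
        self.failures = defaultdict(list)  # source -> failure timestamps

    def _throttled(self, source):
        cutoff = self.now() - self.window
        self.failures[source] = [t for t in self.failures[source] if t > cutoff]
        return len(self.failures[source]) >= self.max_failures

    def login(self, source, username, code):
        """Returns (session_token or None, status)."""
        if self._throttled(source):
            return None, "throttled"
        if code_matches(username, code):
            self.failures.pop(source, None)
            return self.sessions.create(username), "ok"
        self.failures[source].append(self.now())
        return None, "bad-code"


if __name__ == "__main__":
    store = Sessions()
    victim = vulnerable_login(store, "alice", "4417")
    vulnerable_login(store, "alice", "0000")  # attacker knows only the username
    print("vulnerable: victim still logged in?", store.is_valid(victim))

    store = Sessions()
    hardened = HardenedLogin(store)
    victim, _ = hardened.login("10.0.0.5", "alice", "4417")
    for _ in range(5):
        hardened.login("198.51.100.9", "alice", "0000")
    print("hardened: victim still logged in?", store.is_valid(victim))
```

The point a tester would check on such a portal is the second branch: submit a stream of wrong codes for another user's name from a separate browser and see whether that user's authenticated session survives. Lockout or throttling is a policy decision; terminating a session that the failing party never held is not.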

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT