From: admin at systemstates.net
Date: Sun Jun 29 2008 - 07:18:55 CDT
> -------- Original Message --------
> Subject: Pentesting Single Sign-On Solutions
> From: Joseph McCray <joe at learnsecurityonline.com>
> Date: Fri, June 27, 2008 9:02 am
> To: pen-test <pen-test at securityfocus.com>
>
>
> Figured I'd check in with all of you out there in Pentest land.
>
> Have any of you ever pentested a single sign-on solution? I have an
> opportunity to test one soon. I'm looking for ideas and feedback from
> anyone that's done this or something similar.
The problem is that 'single sign-on' has been hijacked to mean all sorts
of things - from many systems which all have synchronized passwords
(arguably wrong usage), to many systems which all authenticate against a
single database, such as LDAP (also, arguably wrong), to systems which
trust a central authority when it passes them your username, through to
"real" single sign-on like Kerberos.
Personally, I think that only the Kerberos-type solutions are real
single sign-on, but I have heard all of the above being described as
such. So, first question is: true single sign-on, or marketing speak?
Kerberos is pretty robust in many ways, but obviously weak passwords can
still be a problem. Also, if you can compromise a machine, you may be
able to steal tokens - though these will only be valid for a limited
time.
cheers,
--
www.systemstates.net - penetration test / IDS / incident response