[WEB SECURITY] JavaScript Malware, port scanning, and beyond

Amit Klein (AKsecurity) aksecurity at hotpop.com
Mon Jul 31 19:27:58 EDT 2006


On 31 Jul 2006 at 12:25, Jeremiah Grossman wrote:

> 
> Brute Forcing Basic HTTP Auth:
> HTTP Basic Auth has proven to be a worthy adversary when it comes to
> JavaScript Malware. If a target web server has a default u/p basic
> auth, like so many DSL routers, and the victim is running
> Firefox/Mozilla, you're gold. Firefox/Mozilla support the url notation
> (http://user:pass@host/), while Internet Explorer (IE) does not. So forcing
> an authenticated Basic Auth request with IE is not possible (as best
> we can tell).

How about using Flash? You can then force the Authorization request header (I guess - I
didn't try it), à la my "Forging HTTP request headers with Flash":

http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
(+ errata at http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00084.html)

-Amit

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


