[WEB SECURITY] tying sessions to IP addresses

Amit Klein (AKsecurity) aksecurity at hotpop.com
Sat Jun 10 11:02:13 EDT 2006

On 10 Jun 2006 at 9:33, Ryan Barnett wrote:

> 1. There are many ways to bypass the HttpOnly restriction, see
> http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
>
> In the referenced link, it mentions the use of demo/test scripts to
> possibly get access to authentication credentials. You are correct in
> that scripts like printenv, test-cgi will dump the CGI ENV tokens and it
> will indeed display the SessionID/Cookie contents. As for Basic Auth,
> the browser will show the REMOTE_USER portion of Basic Auth credentials
> so the username would be exposed.

If the Authorization header is available, then the username:password (Base64 encoded) can
be retrieved (http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00038.html).

Moreover, some servers, e.g. IIS/6.0, provide the password in a field named AUTH_PASSWORD.
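An added example, not from this post or the thread: a Python filter that audits a printenv-style CGI environment dump for the variables the message says leak credentials (HTTP_COOKIE, HTTP_AUTHORIZATION, AUTH_PASSWORD) and redacts them before anything is echoed back. The sample environment, the variable set and the function names are constructed assumptions.

```python
import base64
import binascii

# Constructed sample of what a printenv-style test script would echo back for a
# request that carried both a session cookie and Basic Auth credentials.
SAMPLE_CGI_ENV = {
    "REQUEST_METHOD": "GET",
    "REMOTE_USER": "alice",
    "HTTP_COOKIE": "SESSIONID=abc123; theme=dark",
    "HTTP_AUTHORIZATION": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "AUTH_PASSWORD": "s3cret",  # cleartext password field some servers set (the post names IIS/6.0)
    "SERVER_SOFTWARE": "example/1.0",
}

# Variables whose value must never appear in a diagnostic dump (assumed list).
SECRET_VARS = {"HTTP_COOKIE", "HTTP_AUTHORIZATION", "AUTH_PASSWORD", "HTTP_PROXY_AUTHORIZATION"}


def basic_auth_user(header_value):
    """Return the username from a 'Basic <base64>' header value, or None if it is not Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    # Basic credentials are "user:password"; the password is the part after the first colon.
    user, _, _ = decoded.partition(":")
    return user


def audit_env_dump(env):
    """Return (redacted_env, findings).

    redacted_env is a copy safe to display; findings lists what the raw dump would have exposed.
    """
    redacted = {}
    findings = []
    for name, value in env.items():
        if name in SECRET_VARS:
            if name == "HTTP_AUTHORIZATION":
                user = basic_auth_user(value)
                findings.append(f"{name}: Basic credentials for user {user!r} (password recoverable by Base64 decoding)")
            else:
                findings.append(f"{name}: secret value would be exposed")
            redacted[name] = "[REDACTED]"
        else:
            redacted[name] = value
    return redacted, findings
```

REMOTE_USER is left visible, matching the quoted observation that the username alone is already exposed by the browser.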
