[WEB SECURITY] tying sessions to IP addresses

Amit Klein (AKsecurity) aksecurity at hotpop.com
Sat Jun 10 11:02:13 EDT 2006


On 10 Jun 2006 at 9:33, Ryan Barnett wrote:

> 1. There are many ways to bypass the HttpOnly restriction, see
>    http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
>
> In the referenced link, it mentions the use of demo/test scripts to
> possibly get access to authentication credentials. You are correct in
> that scripts like printenv, test-cgi will dump the CGI ENV tokens and it
> will indeed display the SessionID/Cookie contents. As for Basic Auth,
> the browser will show the REMOTE_USER portion of Basic Auth credentials
> so the username would be exposed.
>

If the Authorization header is available, then the username:password (Base64 encoded) can 
be retrieved (http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00038.html).

Moreover, some servers, e.g. IIS/6.0, provide the password in a field named AUTH_PASSWORD
(http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00050.html).

-Amit
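The exchange above describes two disclosure paths through CGI environment-dumping scripts: the session cookie lands in HTTP_COOKIE, and, where the server passes the Authorization header through (or exposes a non-standard AUTH_PASSWORD variable), the Basic Auth credentials are recoverable as well. The following is an added illustration, not code from the thread or its participants: it builds the CGI meta-variables a server would hand a script from a constructed request (the RFC 3875 HTTP_* mapping), shows which variables a raw dump would disclose, and implements the redaction a diagnostic script should apply before printing its environment. The header values, user name and password are constructed sample data.

```python
import base64

# Constructed sample request headers (not taken from the original thread).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "Cookie": "SESSIONID=abc123; theme=dark",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
    "User-Agent": "ExampleBrowser/1.0",
}

# CGI variables whose values are secrets. REMOTE_USER is left visible here
# because it only reveals the user name, as the thread notes.
SENSITIVE_VARS = {
    "HTTP_COOKIE",
    "HTTP_AUTHORIZATION",
    "HTTP_PROXY_AUTHORIZATION",
    "AUTH_PASSWORD",  # non-standard variable some servers (the thread names IIS/6.0) populate
}


def cgi_environment(headers, remote_user=None, auth_password=None):
    """Build the meta-variables a CGI script sees (RFC 3875: header -> HTTP_<NAME>).

    Many servers deliberately drop Authorization before reaching the script;
    this helper models the case the thread discusses, where it is passed on.
    """
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if remote_user is not None:
        env["REMOTE_USER"] = remote_user
    if auth_password is not None:
        env["AUTH_PASSWORD"] = auth_password
    return env


def basic_auth_credentials(env):
    """Return (user, password) recoverable from HTTP_AUTHORIZATION, or None.

    Shows why a visible Authorization header is equivalent to a visible
    password: Basic is only Base64 encoding, not encryption.
    """
    header = env.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def exposed_secrets(env):
    """Audit helper: the variables a printenv-style dump of this env would leak."""
    return sorted(name for name in env if name in SENSITIVE_VARS)


def redact_environment(env):
    """What a diagnostic script should emit instead of the raw environment."""
    return {
        name: ("[REDACTED]" if name in SENSITIVE_VARS else value)
        for name, value in env.items()
    }


if __name__ == "__main__":
    env = cgi_environment(SAMPLE_HEADERS, remote_user="alice", auth_password="s3cret")
    print("raw dump would expose:", exposed_secrets(env))
    print("credentials recoverable from header:", basic_auth_credentials(env))
    for name, value in sorted(redact_environment(env).items()):
        print(f"{name}={value}")
```

The redaction applies to any script that echoes its environment for debugging; the safer operational choice the thread implies is to remove demo and test scripts such as printenv and test-cgi from production hosts altogether, since an allow-list of what they may print is easy to get wrong.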

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/