[WEB SECURITY] IP address change: relogin

Bil Corry bil at corry.biz
Fri May 23 19:17:34 EDT 2008


Stephan Wehner wrote on 5/22/2008 2:20 PM: 
> On Wed, May 21, 2008 at 8:27 PM, Bil Corry <bil at corry.biz> wrote:
>> One final method that I've contemplated, but haven't had time to build a
>> PoC, is to use HTTP Digest Authentication and use XHR to passively
>> "authenticate" the user with the username being their session ID, and the
>> password a random value.  Then using Digest's nonce, you can prevent replay
>> attacks, etc.  The downside is you have to initially seed the browser with...
> 
> Similar to this one?
> 
> http://www.peej.co.uk/articles/http-auth-with-html-forms.html

Yes, the code I use is below; it uses jQuery for the XHR request.


- Bil

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
		<title>Passive Login Demo</title>
		<script src="http://jqueryjs.googlecode.com/files/jquery-1.2.3.min.js" type="text/javascript"></script>
		<script type="text/javascript">
			// On page load, fire one XHR that carries the credentials in the
			// request's auth options; the browser answers the server's HTTP
			// auth challenge itself, so the user never sees a login form.
			$(function(){
				$.ajax({
					url: "passwordCheck.lasso",
					cache: false,
					async: false,   // block until the check has completed
					username: "myusername",
					password: "mypassword",
					success: function(html){
						// Server accepted the credentials: continue into the app.
						window.location="loggedin.lasso";
					},
					error: function(html){
						// 401 or other failure: no session was established.
						alert("Sorry, unable to log you in.");
						return false;
					}
				});
			});
		</script>
	</head>
	<body style="background: white;">
		<h1>Please wait...</h1>
		You are being authenticated.  Please turn on JavaScript if you see this message for longer than 30 seconds.
	</body>
</html>
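The server-side half of the scheme quoted above (Digest credentials sent by XHR, the username being the session ID, the password a per-session random value, and the Digest nonce used to refuse replays), written as an added Python example; it is not the passwordCheck.lasso endpoint from the post and assumes a realm name, a 300-second nonce lifetime and in-memory session and nonce tables.

```python
import hashlib, secrets, time

REALM = "passive-login"   # assumed realm name
NONCE_TTL = 300           # seconds a nonce stays usable (assumed policy)
SESSIONS = {}             # session ID -> per-session random "password"
NONCES = {}               # nonce -> [issued_at, highest nc accepted]

def new_session():
    sid, pw = secrets.token_hex(16), secrets.token_hex(16)  # both seeded into the browser
    SESSIONS[sid] = pw
    return sid, pw

def issue_nonce(now=None):
    """Nonce for the 401 challenge (WWW-Authenticate: Digest ... nonce="...")."""
    nonce = secrets.token_hex(16)
    NONCES[nonce] = [time.time() if now is None else now, 0]
    return nonce

def digest_response(username, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth, the same value the browser computes."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def parse_authorization(header):
    """Turn 'Digest k="v", k=v, ...' into a dict with the quotes stripped."""
    pairs = (item.strip().partition("=") for item in header.partition(" ")[2].split(","))
    return {key: value.strip('"') for key, _, value in pairs}

def verify(header, method, now=None):
    """Session ID if the credentials are valid and fresh, else None (unknown
    session, wrong realm, stale nonce, bad response or a replayed nc)."""
    p = parse_authorization(header)
    now = time.time() if now is None else now
    pw = SESSIONS.get(p.get("username"))
    state = NONCES.get(p.get("nonce"))
    if pw is None or state is None or p.get("realm") != REALM:
        return None
    nc = int(p.get("nc", "0"), 16)
    if now - state[0] > NONCE_TTL or nc <= state[1]:
        return None
    expected = digest_response(p["username"], pw, method, p.get("uri", ""),
                               p["nonce"], p["nc"], p.get("cnonce", ""))
    if not secrets.compare_digest(expected, p.get("response", "")):
        return None
    state[1] = nc                      # highest nc accepted for this nonce
    return p["username"]
```

Because the nonce count must strictly increase per nonce, a captured Authorization header resent by a third party is rejected even inside the nonce's lifetime.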

