[WEB SECURITY] Form-based HTTP Authentication Proof of Concept

SneakySimian sneaky.simian at gmail.com
Sun Feb 28 14:25:41 EST 2010


I understand that developers are having troubles properly handling
sessions and cookies in general. I absolutely agree with that. But
these tricks you mention, what's to stop developers from not coding
those correctly?

My point here is that regardless of what the next big authentication
method is, developers still need education in how to properly handle
that method. Cookies in and of themselves are just fine, but
developers need to be educated in how to properly use them.

As for the suggestion of interface changes to digest modals, the end
user has just started understanding that the yellow or green bar means
it is "secure." This is absolutely going to confuse them if these
dialog boxes are going to contain more than one FQDN and they are
supposed to understand what that means. That's just one UI aspect. I
understand that this is not concrete, but we need something that's
less confusing to the end user.

I also have a problem with these JavaScript methods you mention. First
of all, I think we can both agree that client-side anything is a
no-go. Then you have weird people like me who like to use NoScript
until we can determine whether or not we can trust a site. Webapps are
bad enough when they require AJAX (see .NET apps) for simple
navigation, now we need AJAX stuff for logging in?

I think before we can start talking about moving to a different
authentication model, we need to first educate developers in what they
are doing wrong now. From what I understand of this paper (please
correct me if I'm misunderstanding), there's a lot that can go wrong
if done incorrectly.

On Thu, Feb 25, 2010 at 8:09 AM, Timothy D. Morgan
<tmorgan at vsecurity.com> wrote:
>
> Hello,
>
> As a follow up to my paper advocating HTTP authentication in place of
> cookies [1], I've built a simple sample application which demonstrates
> how a combination of XMLHttpRequest and response code tricks can be
> used to achieve form-based login, logout, and authenticated password
> changes in the four most popular browsers:
>  http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
>
> Note that this is achieved without using any checks to determine what
> browser is being used.
>
> While this is promising, I still think we should have an HTTP-based
> log out mechanism.  In addition, the proposed W3C change to
> XMLHttpRequest authentication behavior will make this code much
> simpler.
>
> cheers,
> tim
>
>
> 1. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
