Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
- From: Achim Hoffmann <kirke11@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
- Date: Wed, 3 May 2006 15:24:18 +0200 (MEST)
On Wed, 3 May 2006, Amit Klein (AKsecurity) wrote:
!! You'll see the incoming cookies in HTTP_COOKIE. I'm not sure about HTTP Basic Auth though
!! (I expected to see it in HTTP_AUTHORIZATION, but it seems that the servers handle this
!! header and do not provide it in the ENV variables).
Apache provides only AUTH_TYPE (Basic|Digest) and REMOTE_USER.
But IIRC there are patches around to provide the full credentials.
Old Netscape Enterprise was also able to provide the full credentials (at least
with a homemade plug-in), not sure for its successors iPlanet and SunONE.
!! Bottom line: there are many known attacks against HttpOnly (and
!! against Basic auth), that is, many known ways to elevate "standard" XSS condition to
!! be able to grab session info/credentials stored in HttpOnly cookies/HTTP Basic auth.
hmm, how do you use XSS to grab Basic auth?
{-: Achim
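The exchange above turns on which CGI environment variables a script can see (HTTP_COOKIE, and on some servers Basic auth material via AUTH_TYPE, REMOTE_USER or a patched-in HTTP_AUTHORIZATION), and why a script that echoes its environment to the page hands that material to anything that can read the response. The following is an added example, not code from either poster: a small environment-dump renderer that masks those variables before output. The variable list, the REDIRECT_ prefix handling and the sample environment are assumptions made for the example; the sample values are constructed.

```python
"""Added example: render a CGI environment dump without leaking cookie or
Basic auth material. Not from the thread; sample environment is constructed."""
import html
import re

# Variables that carry session or credential material. A diagnostics page
# that prints these defeats HttpOnly (HTTP_COOKIE) and, where the server
# exposes it, leaks Basic auth data. The optional REDIRECT_ prefix is
# Apache's convention when a request has been internally rewritten.
# Assumed list: extend it for the servers actually in use.
SENSITIVE_ENV = re.compile(
    r"^(REDIRECT_)?(HTTP_COOKIE|HTTP_AUTHORIZATION|HTTP_PROXY_AUTHORIZATION|"
    r"AUTH_TYPE|REMOTE_USER|PHP_AUTH_USER|PHP_AUTH_PW)$"
)

REDACTED = "[redacted]"


def redact_env(environ):
    """Return a copy of environ with credential-bearing variables masked."""
    return {k: (REDACTED if SENSITIVE_ENV.match(k) else v) for k, v in environ.items()}


def leaked_names(environ):
    """Names of credential-bearing variables present in environ; useful for
    reviewing what a server actually exposes to scripts."""
    return sorted(k for k in environ if SENSITIVE_ENV.match(k))


def render_env_page(environ):
    """Render a minimal environment table: redact first, then HTML-escape
    every key and value so the dump itself cannot become an injection point."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(k), html.escape(str(v)))
        for k, v in sorted(redact_env(environ).items())
    )
    return "<table>%s</table>" % rows


# Constructed sample of what a CGI under Apache with Basic auth might see.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_COOKIE": "SESSIONID=abc123; prefs=dark",  # constructed value
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "alice",  # constructed value
    "HTTP_USER_AGENT": "Mozilla/5.0 <test>",
}

if __name__ == "__main__":
    print("credential-bearing variables present:", leaked_names(SAMPLE_ENV))
    print(render_env_page(SAMPLE_ENV))
```

Running `leaked_names` against a real server's environment is a quick way to check which of the variables discussed in the thread that server hands to scripts; `render_env_page` shows the shape a diagnostics page should take if one must exist at all.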
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org