
[WEB SECURITY] Re: Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)



On 3 May 2006 at 12:47, Amit Klein (AKsecurity) wrote:

> 
> 5. Last but not least, there's a simple technique which I don't remember was publicly
> discussed (though I may be wrong here - please let me know if this is well known):
> 
[...]
> 
> You'll see the incoming cookies in HTTP_COOKIE. I'm not sure about HTTP Basic Auth though 
> (I expected to see it in HTTP_AUTHORIZATION, but it seems that the servers handle this 
> header and do not provide it in the ENV variables).
> 

I just tested IIS/6.0. It provides the HTTP Authorization header in several environment 
variables:
- HTTP_AUTHORIZATION (as mentioned in the original posting, above)
- Part of ALL_HTTP
- Part of ALL_RAW

When the page is successfully authenticated, the credentials can also be found in:
- AUTH_USER (and LOGON_USER, REMOTE_USER) and AUTH_PASSWORD 


The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
