Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
- From: "Amit Klein (AKsecurity)" <aksecurity@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond
- Date: Tue, 01 Aug 2006 01:27:58 +0200
On 31 Jul 2006 at 12:25, Jeremiah Grossman wrote:
>
> Brute Forcing Basic HTTP Auth:
> HTTP Basic Auth has proven to be a worthy adversary when it comes to
> JavaScript Malware. If a target web server has a default u/p basic
> auth, like so many DSL routers, and the victim is running
> Firefox/Mozilla, you're gold. Firefox/Mozilla support the URL notation
> (http://user:pass@host/), while Internet Explorer (IE) does not. So
> forcing an authenticated Basic Auth request with IE is not possible
> (as best we can tell).
How about using Flash? You can then force the Authorization request header (I guess - I
didn't try it), a-la my "Forging HTTP request headers with Flash":
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
(+ errata at http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00084.html)
-Amit
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
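
As an added example that is not part of the original thread: a content filter or proxy can flag markup whose resource URLs use the `user:pass@host` notation discussed above, and show the `Authorization` header a browser honouring that notation would send. The function names and `SAMPLE_HTML` are hypothetical and constructed for illustration.

```javascript
// Added example: flag embedded-credential URLs in markup (defensive scan).
// SAMPLE_HTML is constructed sample input, not taken from the thread.
const SAMPLE_HTML = `
<img src="http://admin:admin@192.168.1.1/status.gif">
<a href="https://example.com/help">help</a>
<script src="http://user:pass@10.0.0.138/x.js"></script>
<img src="http://cdn.example.com/logo.png">
<iframe src="http://bob:s3cret@intranet.example.com/"></iframe>
`;

// RFC 1918, loopback and link-local IPv4 literals (typical router addresses).
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Header value that corresponds to the URL's userinfo (RFC 7617).
function basicAuthHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

// Return one finding per src/href/action URL that carries credentials.
function findCredentialUrls(html) {
  const findings = [];
  const attr = /\b(?:src|href|action)\s*=\s*(["'])(.*?)\1/gi;
  for (const match of html.matchAll(attr)) {
    let url, user, pass;
    try {
      url = new URL(match[2]);
      user = decodeURIComponent(url.username);
      pass = decodeURIComponent(url.password);
    } catch { continue; } // relative, malformed, or badly escaped
    if (!/^https?:$/.test(url.protocol)) continue;
    if (!user && !pass) continue;
    findings.push({
      host: url.hostname,
      user,
      privateTarget: isPrivateIPv4(url.hostname),
      authorization: basicAuthHeader(user, pass),
    });
  }
  return findings;
}
```

Findings with `privateTarget` set are the ones worth alerting on first, since a public page has no ordinary reason to load authenticated resources from an internal address.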