
Re: [WEB SECURITY] JavaScript Malware, port scanning, and beyond



On 3 Aug 2006 at 0:48, Amit Klein (AKsecurity) wrote:

> Unfortunately, this doesn't help much with the basic authentication issue (not beyond the 
> first Flash technique I described earlier in this thread) - if the authentication fails, a 
> browser pop-up is displayed.
> 

Perhaps I should clarify. The two techniques I discussed, namely using LoadVars.send() and 
LoadVars.sendAndLoad(), differ significantly with respect to their usability for HTTP basic 
authentication.

The LoadVars.send() technique (http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html, 
and particularly http://www.webappsec.org/lists/websecurity/archive/2006-08/msg00000.html) 
makes it possible to control HTTP request headers, so it can be used to throw in 
the Authorization header. Thus, if an attacker KNOWS the basic auth credentials, he/she can 
access the resource through LoadVars.send(). However, if the attacker doesn't know the 
credentials, or the value he/she knows is wrong, then a browser (Explorer, anyway) pop-up 
window appears when the 401 response is returned from the server. 

The LoadVars.sendAndLoad() technique 
(http://www.webappsec.org/lists/websecurity/archive/2006-08/msg00007.html) requires 
redirection. As such, the HTTP request headers are NOT controlled (the browser manages the 
redirection, and hence the HTTP request to the final resource). If the target resource 
requires HTTP basic authentication, a 401 response will be sent by the web server, and the 
browser (explorer) will pop-up an authentication window.

-Amit

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]