WebApp Sec: RE: unable to access web site embeds username & password

From: Konstantin Ryabitsev <icon_at_phy.duke.edu>
Date: Thu, 24 Jun 2004 17:21:08 -0400

On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
> Keep in mind that passing passwords on the URL like this is horribly
> insecure. Your password will wind up sitting in web server logs, proxy
> server logs and will in some cases get sent off to other sites via the
> http referer mechanism.

I don't think that's correct. We're talking about this format:

http://username:password@web.site.tld/

To my knowledge this will instruct the server to pass the login
information as part of the HTTP header in response to a 40x, not as part
of the actual URL, so it will not be stored in access logs on the
end-site, or on the proxy server.

Now, if the URL was something like this:

http://web.site.tld/page.php?username=john&password=johndoe

Then you would have been correct.

Regards,

-- 
Konstantin Ryabitsev <icon_at_phy.duke.edu>
Duke University Physics
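To make the distinction between the two URL forms in this thread concrete, here is an added example (not part of the original post, and not the poster's code) that takes each URL apart the way a client does: the `user:password@` userinfo component is turned into a `Basic` Authorization header and never appears in the request-line, whereas a `?username=...&password=...` query string is the request-line and therefore lands verbatim in an access log. The log line format and the client address are constructed sample values, and the set of password-like parameter names is an assumption for the query-string check.

```python
"""Where do credentials embedded in a URL end up: the request-line or a header?

Added example using only the Python standard library. Sample log values
(client IP, timestamp) are constructed for illustration.
"""
from base64 import b64decode, b64encode
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed list of parameter names worth flagging in a query string.
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass", "secret"}


def split_credentials(url: str):
    """Return (request_target, authorization_header).

    request_target is the path+query a client sends in the request-line,
    which is what servers and proxies record in access logs. The userinfo
    part of the URL is removed from it; if present it becomes a Basic
    Authorization header (base64 of "user:password", not encryption).
    """
    parts = urlsplit(url)
    target = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    auth = None
    if parts.username is not None:
        creds = f"{parts.username}:{parts.password or ''}"
        auth = "Basic " + b64encode(creds.encode()).decode()
    return target, auth


def decode_basic(header: str) -> str:
    """Recover the cleartext from a Basic Authorization header value.

    Shows that base64 is reversible: anything that sees the header on a
    plain-http hop (a proxy, a packet capture) sees the password.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    return b64decode(encoded).decode()


def access_log_line(url: str, client: str = "203.0.113.5",
                    status: int = 200, size: int = 512) -> str:
    """Build a constructed Common Log Format line for a GET of this URL.

    Only the request target is logged; the userinfo part never reaches it.
    """
    target, _ = split_credentials(url)
    return (f'{client} - - [24/Jun/2004:17:21:08 -0400] '
            f'"GET {target} HTTP/1.1" {status} {size}')


def credentials_in_query(url: str) -> list:
    """Return the query-string parameter names that look like passwords.

    A defender can run this over URLs found in logs or referers to spot
    the second, genuinely log-exposed form discussed in the thread.
    """
    query = parse_qs(urlsplit(url).query)
    return sorted(k for k in query if k.lower() in PASSWORD_KEYS)


if __name__ == "__main__":
    userinfo_url = "http://username:password@web.site.tld/"
    query_url = "http://web.site.tld/page.php?username=john&password=johndoe"
    for url in (userinfo_url, query_url):
        target, auth = split_credentials(url)
        print(f"URL:            {url}")
        print(f"request target: {target}")
        print(f"Authorization:  {auth}")
        print(f"log line:       {access_log_line(url)}")
        print(f"password keys:  {credentials_in_query(url)}")
        print()
```

Running it shows the first URL producing a request target of `/` plus an `Authorization: Basic ...` header, while the second URL's password sits in the logged request-line; `decode_basic` is there to make the point that the header form keeps the password out of the access log but does not hide it from anything on the path that can read the header.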

Received on Jun 25 2004