Home page logo

webappsec logo WebApp Sec mailing list archives

RE: unable to access web site embeds username & password
From: "Kevin R. Babcock" <kevinb () ugcs caltech edu>
Date: Tue, 22 Jun 2004 16:42:36 -0700 (PDT)

On Tue, 22 Jun 2004, Brown, James F. wrote:

Keep in mind that passing passwords on the URL like this horribly
insecure. Your password will wind up sitting in web server logs, proxy
server logs and will in some cases get sent off to other sites via the
http referer mechanism.

In fact, Internet Explorer and other browsers take the username and
password out of the URL before making the request.  They are
instead placed in headers to do HTTP Basic Authentication when the request
is made, and so the username and password never go over the wire in a URL.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]