Re: unable to access web site embeds username & password
From: Andy bentley <andy () bentleyconsulting biz>
Date: Thu, 24 Jun 2004 01:36:08 -0400

> Kevin R. Babcock wrote:
>
>> On Tue, 22 Jun 2004, Brown, James F. wrote:
>> Keep in mind that passing passwords on the URL like this is horribly
>> insecure. Your password will wind up sitting in web server logs, proxy
>> server logs and will in some cases get sent off to other sites via the
>> HTTP Referer mechanism.
>
> In fact, Internet Explorer and other browsers take the username and
> password out of the URL before making the request. They are
> instead placed in headers to do HTTP Basic Authentication when the request
> is made, and so the username and password never go over the wire in a URL.

Basic Auth is still all in the clear. Anyone with a sniffer can see it, log it, use it.
Andy Bentley

Andy Bentley ISSA, CISSP
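An added example to illustrate the exchange above; this is not code from the original posts. It mimics what a browser does with a URL of the form http://user:pass@host/path (strip the userinfo, send it as an HTTP Basic Authorization header) and then shows what a passive sniffer does with that header: base64-decode it. The host name and credentials are constructed for the demonstration; only the built-in URL and Buffer objects are used.

```javascript
// Added example (not from the original posts). A browser removes user:pass
// from the URL before the request and sends it as a Basic Authorization
// header instead. Basic is only base64, not encryption, so over plain HTTP
// anyone who can see the packets can recover the password.

// Strip userinfo from a URL and build the equivalent Basic auth header,
// as the browser would before putting the request on the wire.
function toBasicAuthRequest(rawUrl) {
  const u = new URL(rawUrl);
  const user = decodeURIComponent(u.username);
  const pass = decodeURIComponent(u.password);
  u.username = '';
  u.password = '';
  const headers = {};
  if (user || pass) {
    headers['Authorization'] =
      'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
  }
  return { url: u.toString(), headers };
}

// What a sniffer does with the captured header: base64-decode it and split
// on the first colon. Returns null if the header is not Basic auth.
function recoverCredentials(authHeader) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(authHeader || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Constructed sample URL (hypothetical host and credentials).
const sample = 'http://alice:s3cret@intranet.example/report?id=7';
const req = toBasicAuthRequest(sample);
console.log(req.url);                       // http://intranet.example/report?id=7
console.log(req.headers.Authorization);     // Basic YWxpY2U6czNjcmV0
console.log(recoverCredentials(req.headers.Authorization)); // { user: 'alice', pass: 's3cret' }
```

Note that the URL the server and proxies log no longer contains the password, which is the point Kevin makes, but the Authorization header travels in cleartext on every request unless the connection is TLS, which is the point Andy makes.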

