Home page logo

webappsec logo WebApp Sec mailing list archives

RE: unable to access web site embeds username & password
From: Konstantin Ryabitsev <icon () phy duke edu>
Date: Thu, 24 Jun 2004 17:21:08 -0400

On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
Keep in mind that passing passwords on the URL like this horribly
insecure. Your password will wind up sitting in web server logs, proxy
server logs and will in some cases get sent off to other sites via the
http referer mechanism.

I don't think that's correct. We're talking about this format:

http://username:password () web site tld/

To my knowledge this will instruct the server to pass the login
information as part of the HTTP header in response to a 40x, not as part
of the actual URL, so it will not be stored in access logs on the
end-site, or on the proxy server.

Now, if the URL was something like this:


Then you would have been correct.

Konstantin Ryabitsev <icon () phy duke edu>
Duke University Physics

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]