Home page logo

webappsec logo WebApp Sec mailing list archives

Re: unable to access web site embeds username & password
From: Robert Hajime Lanning <robert.lanning () gmail com>
Date: Wed, 23 Jun 2004 22:15:10 -0700

On Tue, 22 Jun 2004 16:42:36 -0700 (PDT), Kevin R. Babcock
<kevinb () ugcs caltech edu> wrote:
In fact, Internet Explorer and other browsers take the username and
password out of the URL before making the request.  They are
instead placed in headers to do HTTP Basic Authentication when the request
is made, and so the username and password never go over the wire in a URL.


Well, it does not go over in the GET/POST statement, but usually in
the same packet as
part of the headers following the GET/POST.  And it is in plain text
(or BASE64 encoded).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]