Home page logo

webappsec logo WebApp Sec mailing list archives

RE: unable to access web site embeds username & password
From: Liam Quinn <liam () htmlhelp com>
Date: Fri, 25 Jun 2004 00:00:09 -0400 (EDT)

On Thu, 24 Jun 2004, Konstantin Ryabitsev wrote:

On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
Keep in mind that passing passwords on the URL like this horribly
insecure. Your password will wind up sitting in web server logs, proxy
server logs and will in some cases get sent off to other sites via the
http referer mechanism.

I don't think that's correct. We're talking about this format:

http://username:password () web site tld/

To my knowledge this will instruct the server to pass the login
information as part of the HTTP header in response to a 40x, not as part
of the actual URL, so it will not be stored in access logs on the
end-site, or on the proxy server.

Depending on the user-agent, the URL including username:password may be 
sent in the HTTP Referer header, which is commonly logged.  That's 
generally considered a bug in the user-agent, but it's an easy mistake to 


        Konqueror may inadvertently send authentication credentials to
    websites other than the intended website in clear text via the 
    HTTP-referer header when authentication credentials are passed as part 
    of a URL in the form of http://user:password () host/

Liam Quinn

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]