WebApp Sec
mailing list archives
Re: get network user name
From: "Adam Tuliper" <amt () gecko-software com>
Date: Thu, 9 Mar 2006 20:59:37 -0500
One thing to note is that unless authentication is enabled on the webserver you
won't get this information.
I'm going on the assumption that Josh didn't make note that there would be
authentication; it sounded like it's already a trusted internal environment. If
the server doesn't prompt the client for authentication, this information
won't be sent in the request headers. I believe IE will first send the
current logged-on user name when prompted by the webserver (although I seem
to recall this behavior was changed because of a MITM attack that you can do
with the NTLM challenge/response, but I could be wrong). If you aren't going
to actually use the information for any actual authentication, you would need
to write an ISAPI filter (assuming IIS) etc. to prompt the client, and
discard the result and then allow access.
----- Original Message -----
From: "Josh" <its.josh () verizon net>
To: "John Bond" <john.r.bond () gmail com>
Cc: <webappsec () securityfocus com>
Sent: Thursday, March 09, 2006 8:00 PM
Subject: Re: get network user name
What language are you using and what type of server are you running?
I've built a few apps that do what you are looking for with .NET and IIS.
John Bond wrote:
I am trying to write an intranet program which will get the
network/domain login name of a user visiting my site. As this site is
going to be an intranet site it can be said there is a high level of
trust between the user and the application. The application will need
to run with multiple browsers and (I hope) be able to query the
username from multiple OS's.
Does anyone have any ideas on the best way to implement this and the
possible security considerations which should be considered?
Thanks for your help
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1
--------------------------------------------------------------------------
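The behaviour discussed in this thread, as an added example that is not part of the original messages: a request without an `Authorization: NTLM` header carries no user name at all, and once the server has challenged, the domain and user fields of the NTLM Type 3 (authenticate) message can be read from the header. The function names are hypothetical, the sample message is constructed, and the offsets assume the standard NTLMSSP Type 3 layout.

```python
import base64
import struct

def _field(msg, off):
    """Read an NTLM security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def claimed_identity(authorization):
    """Return the (domain, user) a client claims in an NTLM Type 3 header.

    None means no name was sent: the server has to answer 401 with
    'WWW-Authenticate: NTLM' before a browser includes one.
    The values are client-asserted; nothing here verifies the NT response.
    """
    if not authorization or not authorization.startswith("NTLM "):
        return None
    msg = base64.b64decode(authorization[5:])
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None  # Type 1 (negotiate): handshake not finished yet
    if len(msg) < 64:
        raise ValueError("truncated Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "cp437"  # NEGOTIATE_UNICODE bit
    return _field(msg, 28).decode(enc), _field(msg, 36).decode(enc)

def sample_type3(domain, user):
    """Constructed Type 3 header value with EMPTY LM/NT responses (sample input)."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    bufs, off = b"", 64  # payload starts after the 64-byte fixed part
    for data in (b"", b"", d, u, b"", b""):  # LM, NT, domain, user, host, key
        bufs += struct.pack("<HHI", len(data), len(data), off)
        off += len(data)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + bufs + struct.pack("<I", 0x1) + d + u
    return "NTLM " + base64.b64encode(msg).decode()
```

The constructed sample parses to a name even though its challenge responses are empty, so a filter that prompts and then discards the result yields a claimed name only; it is suitable for display or logging, not for access decisions.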