Penetration Testing mailing list archives
Re: PEN Testing a everchanging realm in apache
From: "J. J. Horner" <jhorner () 2jnetworks com>
Date: Thu, 30 May 2002 14:13:01 -0400
* John_Leitch () NAI com (John_Leitch () NAI com) [020530 12:55]:
> Hi, Thanks for that, but the ever-changing realm is as follows..... When a connection is established to the server and you are presented with a login prompt, the realm is different every time. It's almost like the server has / is using /dev/random to assign the realm, so it's never the same.
I'm not exactly sure how this would work, as a browser must have a Realm/uid/password trio to successfully authenticate against a server. If the Realm constantly changes, every authenticated gif, page, or button would request a new uid/password for the new realm. This would make the website a hassle to use. More information on this would be useful, as this sounds definitely more dynamic than is reasonably possible.

If each page were only text and no images, this could work, although it would make normal browsing impossibly tedious. If each transaction only requests a .doc or a .pdf, or something similarly self-contained, the changing Realm won't affect you much, unless you assume that each user has a new uid/password string for each realm. If each user doesn't have a unique uid/password for each realm, then there must be some uid/password pairs similar to each realm, and therein lies your possible brute-force possibility.

Thanks,
JJ

-- 
J. J. Horner
Web Server Security Professional
jhorner () 2jnetworks com
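The reasoning in the reply above (a browser caches Basic credentials per realm, so a realm that changes on every response forces a new prompt per resource, while a server that accepts the same uid/password regardless of realm is still open to guessing) can be made concrete. The following is an added example, not code posted in the thread or taken from the server under test. It parses `WWW-Authenticate: Basic` challenges, builds RFC 2617 `Authorization` values, and drives a hypothetical stand-in server (`RandomRealmServer`, an assumption about how the described host behaves, not a confirmed fact about it) from a browser-style credential cache. The sample challenge strings are constructed for the example.

```python
import base64
import hmac
import re
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample challenges in the shape a server that changes its realm on
# every response would send (not captured from the system discussed in the thread).
SAMPLE_CHALLENGES = [
    'Basic realm="5f2c9a1b"',
    'Basic realm="b81e0d77"',
    'Basic realm="3a44c0fe"',
]

_REALM_RE = re.compile(r'realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def parse_basic_challenge(header: str) -> Optional[str]:
    """Return the realm from a 'WWW-Authenticate: Basic realm=...' value, else None."""
    if not header.strip().lower().startswith("basic"):
        return None
    m = _REALM_RE.search(header)
    return m.group(1).replace('\\"', '"') if m else None


def build_authorization(user: str, password: str) -> str:
    """Encode a uid/password pair as an RFC 2617 Basic Authorization value."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


class RandomRealmServer:
    """Hypothetical stand-in for the server in the thread (an assumption).

    Each challenge carries a fresh random realm (or a fixed one if given), but
    credentials are checked against a single user table no matter which realm
    was challenged, which is the behaviour the reply reasons about.
    """

    def __init__(self, users: Dict[str, str], fixed_realm: Optional[str] = None):
        self.users = users
        self.fixed_realm = fixed_realm

    def challenge(self) -> str:
        realm = self.fixed_realm or secrets.token_hex(4)
        return f'Basic realm="{realm}"'

    def authorize(self, authorization: Optional[str]) -> int:
        """Return 200 if the Authorization header carries valid credentials, else 401."""
        if not authorization or not authorization.startswith("Basic "):
            return 401
        try:
            raw = base64.b64decode(authorization[6:], validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            return 401
        user, sep, password = raw.partition(":")
        expected = self.users.get(user)
        if not sep or expected is None:
            return 401
        ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
        return 200 if ok else 401


class BrowserCredentialCache:
    """Browser-style cache keyed by (host, realm); counts how often the user is prompted."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Tuple[str, str]] = {}
        self.prompts = 0

    def credentials_for(self, host: str, realm: str,
                        ask: Callable[[], Tuple[str, str]]) -> Tuple[str, str]:
        key = (host, realm)
        if key not in self._store:
            self.prompts += 1          # unseen realm: the browser pops the login dialog
            self._store[key] = ask()
        return self._store[key]


def browse(server: RandomRealmServer, user: str, password: str,
           n_requests: int, host: str = "www.example.test") -> int:
    """Fetch n protected resources the way a browser does; return the prompt count."""
    cache = BrowserCredentialCache()
    for _ in range(n_requests):
        realm = parse_basic_challenge(server.challenge()) or ""
        creds = cache.credentials_for(host, realm, lambda: (user, password))
        if server.authorize(build_authorization(*creds)) != 200:
            raise RuntimeError("credentials rejected")
    return cache.prompts


def try_credentials(server: RandomRealmServer,
                    candidates: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Try each uid/password pair against one challenge; the realm is never checked."""
    server.challenge()  # a realm is issued, but the server does not tie credentials to it
    return [(u, p) for u, p in candidates
            if server.authorize(build_authorization(u, p)) == 200]


if __name__ == "__main__":
    users = {"jj": "s3cret"}
    print("prompts, random realm:", browse(RandomRealmServer(users), "jj", "s3cret", 10))
    print("prompts, fixed realm: ", browse(RandomRealmServer(users, "intranet"), "jj", "s3cret", 10))
    print("working pairs:", try_credentials(RandomRealmServer(users), [("jj", "guess"), ("jj", "s3cret")]))
```

With a random realm every request costs one prompt (10 requests, 10 prompts), while a fixed realm costs one; the guessing loop succeeds either way, because the only thing the realm controls here is the browser's cache key, not the server's check.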
Current thread:
- PEN Testing a everchanging realm in apache John_Leitch (May 29)
- Re: PEN Testing a everchanging realm in apache Vladimir Parkhaev (May 30)
- <Possible follow-ups>
- RE: PEN Testing a everchanging realm in apache John_Leitch (May 30)
- Re: PEN Testing a everchanging realm in apache David Litchfield (May 30)
- Re: PEN Testing a everchanging realm in apache J. J. Horner (May 30)