WebApp Sec mailing list archives
Stealing Passwords via browser refresh
From: Karmendra Kohli <karmendra.kohli () paladion net>
Date: Mon, 15 Mar 2004 10:33:39 +0550
Fellow list-members,

A few months ago, I had posted a query on these lists on the browser resubmitting passwords when specific pages are refreshed. Several suggestions had come up during that discussion, and since then we have seen this behaviour in more applications - including critical web applications used by banks.

Applications that do not use redirection after authentication are vulnerable to their passwords being revealed if a combination of back and refresh buttons are pressed on the browser. This issue has been mentioned in the AppSec FAQ at OWASP.

We have now published a more detailed description of the problem and the solution at:
http://www.paladion.net/papers/Stealing_passwords_via_browser_refresh.pdf

I'd like your feedback on the paper.

To see archives of the discussion, please refer to:
http://www.securityfocus.com/archive/107/331821/2003-08-02/2003-08-08/0

Thanks!
Karmendra

Karmendra Kohli
Paladion Networks
http://www.paladion.net
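The mechanism the post describes, and the redirect-after-login fix, can be shown with a small simulation. The code below is an added example and is not part of the original message or of Paladion's paper: it models a browser whose "refresh" re-issues the last request for the current page, and compares a login handler that answers the credential-bearing POST directly with one that answers it with a 303 redirect (the Post/Redirect/Get pattern). The handler names, the `Browser` model, and the sample credential are all constructed for this illustration.

```python
"""Login POST answered directly vs. answered with a redirect (Post/Redirect/Get).

Added example, not code from the original post. The request/response
objects and the Browser class are simplified stand-ins (assumptions),
not a real HTTP client or framework.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample credential used only by this simulation.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "hunter2"


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


def login_no_redirect(req: Request) -> Response:
    """Weak pattern: the POST carrying the password is answered directly
    with the post-login page, so the browser's most recent request for that
    page is still the credential-bearing POST."""
    if req.method == "POST" and req.path == "/login":
        if req.form.get("password") == SAMPLE_PASSWORD:
            return Response(200, "Welcome, %s" % req.form.get("user", ""))
        return Response(401, "Bad credentials")
    return Response(404, "Not found")


def login_prg(req: Request) -> Response:
    """Hardened pattern: the POST is answered with a 303 redirect, so the page
    the browser finally displays was fetched with a GET that carries no form
    data. Refreshing that page repeats the GET, not the login POST."""
    if req.method == "POST" and req.path == "/login":
        if req.form.get("password") == SAMPLE_PASSWORD:
            return Response(303, location="/welcome")
        return Response(401, "Bad credentials")
    if req.method == "GET" and req.path == "/welcome":
        return Response(200, "Welcome")
    return Response(404, "Not found")


class Browser:
    """Minimal browser model: follows redirects and records every request it
    issued. 'Refresh' re-issues the most recent request verbatim, form body
    included, which is the behaviour the post is about."""

    def __init__(self, handler: Callable[[Request], Response]) -> None:
        self.handler = handler
        self.history: List[Request] = []

    def send(self, req: Request) -> Response:
        self.history.append(req)
        resp = self.handler(req)
        # Follow redirects with a fresh GET that carries no form data.
        while resp.status in (301, 302, 303) and resp.location:
            req = Request("GET", resp.location)
            self.history.append(req)
            resp = self.handler(req)
        return resp

    def refresh(self) -> Request:
        """Return the request a refresh would re-issue (and issue it)."""
        resent = self.history[-1]
        self.send(resent)
        return resent


def password_resent_on_refresh(handler: Callable[[Request], Response]) -> bool:
    """Log in through the given handler, then refresh the resulting page and
    report whether the re-issued request still carries the password field."""
    browser = Browser(handler)
    browser.send(Request("POST", "/login",
                         {"user": SAMPLE_USER, "password": SAMPLE_PASSWORD}))
    resent = browser.refresh()
    return "password" in resent.form


if __name__ == "__main__":
    print("no redirect:", password_resent_on_refresh(login_no_redirect))
    print("redirect   :", password_resent_on_refresh(login_prg))
```

The only difference between the two handlers is the 303 on success; with it, the last request recorded for the landing page is a bare GET, so a later back-and-refresh cannot replay the credentials. The same check is easy to run against a real application by watching, in a local proxy, which request the browser re-issues when the post-login page is refreshed.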