WebApp Sec mailing list archives
Re: HTTP sniffer for Digest Authentication?
From: Ivan Ristic <ivanr () webkreator com>
Date: Wed, 22 Sep 2004 18:13:23 +0100
Saqib.N.Ali () seagate com wrote:
> As I understand, even though a nonce generated digest can be valid for a certain amount of time, it is one-use only. In other words, once a valid user authenticates, the nonce generated digest is useless to the attacker. This is how I wrote my application, but I'm not sure if webservers work the same way.

That is correct, but there is still a window of opportunity while a server-generated nonce remains valid. Nonce lifetime is implementation and configuration specific. For example, on Apache it defaults to 300 seconds. If I am in position to discover Digest hashes as they travel over the wire, each hash would give me
Below is a fragment from my access log with a 10-second nonce. Apache asks the client to reauthenticate (with a 401 response and a new nonce) every 10 seconds. After extending nonce lifetime, I took a set of request headers from the audit log and used them in a new request, and was successfully authenticated. I could repeat the process as many times as I wanted. That is, until the original nonce expired.

ivanr [22/Sep/2004:18:59:52 +0100] "GET /review/ HTTP/1.1" 401 499
ivanr [22/Sep/2004:18:59:52 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:18:59:59 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:05 +0100] "GET /review/ HTTP/1.1" 401 499
ivanr [22/Sep/2004:19:00:05 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:07 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:12 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:14 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:14 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:15 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:15 +0100] "GET /review/ HTTP/1.1" 401 499
ivanr [22/Sep/2004:19:00:15 +0100] "GET /review/ HTTP/1.1" 200 573

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
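The replay Ivan describes above, worked through in code as an added example (this is not code from the post, from Apache, or from ModSecurity). It builds an RFC 2617 Digest response for qop=auth, then checks it against two server policies: a stateless one that only verifies the nonce is genuine and younger than its lifetime (which is all the log above shows Apache doing), and one that additionally records the highest nonce-count (nc) seen per nonce and rejects any header whose nc does not advance. The realm, username, password, URI, nonce format (timestamp plus HMAC) and the 10-second lifetime are constructed for the example; Apache's real nonce layout is not reproduced.

```python
import hashlib
import hmac

# Constructed sample values (not from the original post or from Apache).
REALM = "review"
USERS = {"ivanr": "correct horse"}          # username -> password
SERVER_KEY = b"server-secret-for-nonce-mac"  # keeps nonces unforgeable by the client
NONCE_LIFETIME = 10                          # seconds, mirroring the 10-second test above


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: float) -> str:
    """Server-issued nonce: issue time plus a MAC over it, so expiry needs no state."""
    ts = str(int(now))
    mac = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{mac}"


def nonce_is_valid(nonce: str, now: float) -> bool:
    """Stateless check: the MAC matches and the nonce is younger than NONCE_LIFETIME."""
    try:
        ts, mac = nonce.split(":", 1)
        age = now - int(ts)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(mac, expected) and 0 <= age < NONCE_LIFETIME


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth (plain MD5, not the -sess variant)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(user, password, method, uri, nonce, nc, cnonce):
    """The fields a client puts in its Authorization: Digest header."""
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, password, method, uri, nonce, nc, cnonce)}


class DigestServer:
    def __init__(self, enforce_nc: bool):
        self.enforce_nc = enforce_nc
        self.highest_nc = {}   # nonce -> highest nc accepted; only used when enforce_nc

    def check(self, method, auth, now):
        """Return the status code the server would send: 200 or 401."""
        nonce = auth["nonce"]
        if not nonce_is_valid(nonce, now):
            return 401
        password = USERS.get(auth["username"])
        if password is None:
            return 401
        expected = digest_response(auth["username"], password, method, auth["uri"],
                                   nonce, auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return 401
        if self.enforce_nc:
            nc = int(auth["nc"], 16)
            if nc <= self.highest_nc.get(nonce, 0):
                return 401   # this header (or an older one) was already used: replay
            self.highest_nc[nonce] = nc
        return 200


def replay_demo(enforce_nc: bool):
    """Legitimate request, then a verbatim replay inside and outside the nonce lifetime."""
    t0 = 1000.0
    server = DigestServer(enforce_nc)
    nonce = make_nonce(t0)
    auth = client_authorization("ivanr", "correct horse", "GET", "/review/",
                                nonce, "00000001", "0a4f113b")
    first = server.check("GET", auth, t0 + 1)                     # real client
    replay = server.check("GET", dict(auth), t0 + 6)              # sniffed header, nonce still fresh
    late = server.check("GET", dict(auth), t0 + NONCE_LIFETIME + 1)  # after expiry
    return first, replay, late


if __name__ == "__main__":
    print("lifetime only:", replay_demo(False))   # (200, 200, 401)
    print("lifetime + nc:", replay_demo(True))    # (200, 401, 401)
```

The nc check is the one thing that turns a captured header into a single-use credential, because nc is covered by the response hash and so cannot be bumped by the attacker; it costs the server per-nonce state. Two caveats a practitioner should keep in mind: an attacker who can delay or drop the legitimate request (not just read it) can still submit the captured header first, and in every case the sniffed response is still material for offline password guessing, so the nc check narrows the replay window but does not substitute for TLS.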
Current thread:
- HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 20)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 21)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 26)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 21)