WebApp Sec mailing list archives
Re: get network user name
From: Josh <its.josh () verizon net>
Date: Thu, 09 Mar 2006 22:36:00 -0500
Correct. I left out the detailed information as it may not be relevant to the original posters environment. But to clear things up, yes, i did assume there would be authentication via ntlm or some other method. As of IE 6, the default behavior is attempt to log in with the current user's credentials when challenged (provided the client and server are in the same domain). The only other browser I've tested was Firefox which requires the user to manually log in. IIS would have to be configured to not allow anonymous access and use integrated windows authentication (or digest, but I havent tested that). .NET then as methods for easily accessing the user name.
Adam Tuliper wrote:
One thing to note is unless authentication is enabled on the webserver you won't get this information. Im going on the assumption that Josh didn't make note that there would be authentication, sounded like its already a trusted internal environment. If the server doesn't prompt the client for authentication, this information won't be sent in the request headers. I believe IE will first send the current logged on user named when prompted by the webserver (although I seem to recall this behavior was changed because of a MITM attack that you can do with the ntlm challenge/response but I could be wrong). If you arent going to actually use the information for any actual authentication you would need to write an isapi filter (iis assuming) etc. to prompt the client, and discard the result and then allow access.
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
Current thread:
- get network user name John Bond (Mar 09)
- Re: get network user name Josh (Mar 09)
- Re: get network user name Adam Tuliper (Mar 09)
- Re: get network user name Josh (Mar 09)
- RE: get network user name Auri Rahimzadeh (Mar 09)
- Re: get network user name Adam Tuliper (Mar 09)
- <Possible follow-ups>
- Re: get network user name John Bond (Mar 10)
- Re: get network user name Josh (Mar 11)
- Re: get network user name Josh (Mar 09)