Re: 302 Redirection (Not just for successful login attempts)

["Ryan Barnett" <rcbarnett () gmail com>]

Correct.  The returned HTTP status codes is but one of many methods of
enumerating valid account credentials.  The most common mistake is
differences in the error message details provided to the user upon
successful/failed login attempts.  Web apps should not inform the user
whether or not the problem was with the username or password, but
rather that they failed to authenticate.  The 2nd most obvious sign is
passing parameters in URL or cookie variables (such as
STATUS=Authenticated).

This being said, there are still problems with using 302 redirects and
that it is still possible to enumerate successful/unsuccessful
authentication attempts based on the Location header data returned
with the 302 status code.  If the authentication fails, it will send a
302 and the location most likely will be back to the login page.  A
successful attempt, however will send a 302 but the new Location will
be something other than the login page.  This is enough data for a
scanner/script to automate and trigger on.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 4/5/06, Pilon Mntry <pilonmntry () yahoo com> wrote:
>  We know that a web application having an
> authentication page (form-based) should send a 302
> Redirection response upon a successful login attempt.
> (this is to avoid the possibility of a re-post by the
> attacker)
>
>  However, the same should be applied to unsuccessful
> login attempts, too. Because if a client enters  wrong
> credentials and get an error page with 200 OK, a
> re-post is possible, only providing the wrong
> credentials to an attacker. And these wrong
> credentials might just have been slightly mistyped
> (for example, because of wrong keyboard layout or
> capslock) and still valuable to an attacker on a
> machine with public access left open by a frustrated
> victim (due to unsuccessful login attempts) ...
>
> -pilon
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Watchfire's AppScan is the industry's first and leading web application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. Change the way you
> think about application security testing - See for yourself.
> Download a Free Trial of AppScan 6.0 today!
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
> --------------------------------------------------------------------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------