WebApp Sec mailing list archives
Re: 302 Redirection (Not just for successful login attempts)
From: "Ryan Barnett" <rcbarnett () gmail com>
Date: Wed, 5 Apr 2006 17:54:24 -0400
Correct. The returned HTTP status codes is but one of many methods of enumerating valid account credentials. The most common mistake is differences in the error message details provided to the user upon successful/failed login attempts. Web apps should not inform the user whether or not the problem was with the username or password, but rather that they failed to authenticate. The 2nd most obvious sign is passing parameters in URL or cookie variables (such as STATUS=Authenticated). This being said, there are still problems with using 302 redirects and that it is still possible to enumerate successful/unsuccessful authentication attempts based on the Location header data returned with the 302 status code. If the authentication fails, it will send a 302 and the location most likely will be back to the login page. A successful attempt, however will send a 302 but the new Location will be something other than the login page. This is enough data for a scanner/script to automate and trigger on. -- Ryan C. Barnett Web Application Security Consortium (WASC) Member CIS Apache Benchmark Project Lead SANS Instructor: Securing Apache GCIA, GCFA, GCIH, GSNA, GCUX, GSEC Author: Preventing Web Attacks with Apache On 4/5/06, Pilon Mntry <pilonmntry () yahoo com> wrote:
We know that a web application having an authentication page (form-based) should send a 302 Redirection response upon a successful login attempt. (this is to avoid the possibility of a re-post by the attacker) However, the same should be applied to unsuccessful login attempts, too. Because if a client enters wrong credentials and get an error page with 200 OK, a re-post is possible, only providing the wrong credentials to an attacker. And these wrong credentials might just have been slightly mistyped (for example, because of wrong keyboard layout or capslock) and still valuable to an attacker on a machine with public access left open by a frustrated victim (due to unsuccessful login attempts) ... -pilon __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- 302 Redirection (Not just for successful login attempts) Pilon Mntry (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Ryan Barnett (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Rogan Dawes (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Hemil (Apr 06)
- Re: enumerating users and an AJAX example Pilon Mntry (Apr 07)
- Re: 302 Redirection (Not just for successful login attempts) Dave Ferguson (Apr 07)
- Re: 302 Redirection (Not just for successful login attempts) Rogan Dawes (Apr 05)
- Re: 302 Redirection (Not just for successful login attempts) Ryan Barnett (Apr 05)