Penetration Testing mailing list archives

Re: [PEN-TEST] HTTP Secure Session State Management


From: "Edwards, David (JTD)" <Edwards.David2 () SAUGOV SA GOV AU>
Date: Thu, 28 Dec 2000 09:54:06 +1030

Hi folks,

-----Original Message-----
From: Mark Curphey [mailto:mark () CURPHEY COM]
Sent: Wednesday, 27 December 2000 12:56 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] HTTP Secure Session State Management

The thread started as a discussion on state management once
authentication had taken place; i.e. maintaining that
authenticated state securely without asking a user to
re-authenticate each time he requested a page.

This thread has been interesting in that it points out the
difficulties of using an essentially stateless protocol for
long lived authenticated "sessions".  Everyone is attempting
to add on some state information at the application layer
for security.

This is one thing that worries me about the growth of the
WEBDAV/NDSDAV/.NET stuff in that it leverages the
connectivity of port 80 for stuff that would normally
need real security, such as remote file and print services.


To attempt to bring this back "on-topic" a bit :-)

Has anyone looked at network penetration using WEBDAV/NDSDAV?
Or even seen a security evaluation of WEBDAV/NDSDAV?

ciao
dave
---
Dave Edwards
Justice Technology Division
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.david2 () saugov sa gov au
Snail : Justice Technology Division
        GPO Box 2048, Adelaide 5001
---
The information in this e-mail may be confidential and/or legally
privileged.  Use or disclosure by anyone other than the intended
recipient is prohibited and may be unlawful.  If you have received
this e-mail in error, please advise me immediately
---