WebApp Sec mailing list archives

RE: Browser refresh sends username/password after log out -- URGENT


From: Dean Saxe <Dean.Saxe () magnetbanking com>
Date: Tue, 5 Aug 2003 09:36:53 -0400

One way to solve this issue is to use a nonce on the login page.  What I
have done to prevent resubmission of a form containing the user's
credentials is to include a nonce (random number) in the login form.  The
value for the nonce is set into the user's state as well.  When the form is
submitted for login, the nonce in the POST is compared to the nonce in the
user's state; if they match, the nonce is deleted from the user's state and
the login continues.  If they don't match (in the scenario you describe
below), the user is bounced back to the login screen again with an error
message and a new pair of nonce values.

Hope this helps.

-dhs
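The nonce check described above, written out as an added example (this is not code from the poster or from any product named in the thread). It assumes a server-side session object, a session key named `login_nonce`, and a constructed in-memory user table; the plaintext password comparison is only a stand-in for a real password-hash check. `replay_scenario()` walks through the exact sequence in the original question: a successful login, a logout, and then the browser's "Retry" re-sending the identical POST.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

NONCE_KEY = "login_nonce"  # assumed name of the session slot holding the nonce


@dataclass
class Session:
    """Server-side user state (assumed to be keyed by a session cookie)."""
    data: dict = field(default_factory=dict)


@dataclass
class Response:
    status: str                    # "form", "logged_in"
    nonce: Optional[str] = None    # nonce embedded in the rendered login form
    error: Optional[str] = None
    user: Optional[str] = None


# Constructed credential store for the demo; a real system stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def render_login_form(session: Session, error: Optional[str] = None) -> Response:
    """Render the login form with a fresh nonce and store the same value in the session."""
    nonce = secrets.token_urlsafe(32)
    session.data[NONCE_KEY] = nonce
    return Response(status="form", nonce=nonce, error=error)


def handle_login_post(session: Session, form: dict) -> Response:
    """Accept the POST only if its nonce matches the one in the user's state.

    The nonce is removed from the session on every attempt, so a replayed POST
    (browser Back + Refresh + Retry) can never match again.
    """
    expected = session.data.pop(NONCE_KEY, None)
    submitted = form.get("nonce", "")
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        # Mismatch or missing nonce: bounce back to the form with an error and a new nonce pair.
        return render_login_form(session, error="Form expired, please log in again")

    username = form.get("username", "")
    password = form.get("password", "")
    if USERS.get(username) != password:
        return render_login_form(session, error="Invalid credentials")

    session.data["user"] = username
    return Response(status="logged_in", user=username)


def logout(session: Session) -> None:
    """Logout clears all server-side state, including any unused nonce."""
    session.data.clear()


def replay_scenario():
    """Login, logout, then replay the identical POST as the browser's Retry would."""
    session = Session()
    first_form = render_login_form(session)
    post = {
        "nonce": first_form.nonce,
        "username": "alice",
        "password": "correct horse battery staple",
    }
    first = handle_login_post(session, post)   # genuine submission: succeeds
    logout(session)
    replay = handle_login_post(session, post)  # replayed bytes: nonce no longer in state
    return first, replay


if __name__ == "__main__":
    ok, bounced = replay_scenario()
    print(ok.status, bounced.status, bounced.error)
```

Two details matter for the defence to hold: the nonce is consumed on every submission (not only on success), so a stale form can never be re-used, and the comparison uses a constant-time check so the nonce itself cannot be guessed byte by byte. The replayed credentials still travel over the wire once, which is why the form should only ever be served and posted over HTTPS.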

-----Original Message-----
From: K Kohli [mailto:krk41 () yahoo com]
Sent: Tuesday, August 05, 2003 12:56 AM
To: webappsec () securityfocus com
Subject: Browser refresh sends username/password after log out -- URGENT


I am into remote application testing for a critical
banking application. The following points will make
the question clear:
1) We login and browse the banking site, do
transactions etc. and then logout from there.
2) We get a page saying you have been successfully
logged out.
3) Now we do a Back and refresh on the browser
window and we get a pop up "The page cannot be
refreshed without resending the information. Press
retry to sending it again ...." .
4) From here we say "Retry" and watch the data
going in a Web Proxy.
5) We are able to see the Username and password
again being sent to the server. When we compare
this request with the one sent from the first login
page (where we give the username/password), both
are exactly the same. I feel that the same request
is being resent. This is a great security risk as
the credentials are being passed again.
6) Can anyone explain this behaviour and how to
avoid the resubmission of the credentials?
7) How many requests does the browser window store
in its temporary cache?

=====
" DON'T WORRY BE HAPPY,
     EVERY NIGHT YOU HAVE SOME TROUBLE,
     IF YOU WORRY YOU MAKE IT DOUBLE,
     SO DON'T WORRY BE HAPPY NOW...."
