WebApp Sec mailing list archives

Re: unable to access web site embeds username & password


From: Andy bentley <andy () bentleyconsulting biz>
Date: Thu, 24 Jun 2004 01:36:08 -0400

Kevin R. Babcock wrote:

On Tue, 22 Jun 2004, Brown, James F. wrote:
Keep in mind that passing passwords on the URL like this is horribly
insecure. Your password will wind up sitting in web server logs, proxy
server logs and will in some cases get sent off to other sites via the
http referer mechanism.

In fact, Internet Explorer and other browsers take the username and
password out of the URL before making the request.  They are
instead placed in headers to do HTTP Basic Authentication when the request
is made, and so the username and password never go over the wire in a URL.

-Kevin

Basic Auth is still all in the clear. Anyone with a sniffer can see it, log it, use it.
Andy Bentley


--
Andy Bentley ISSA, CISSP
508.932.9882
http://www.bentleyconsulting.biz
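An added illustration of the two points made in this thread (the browser moves the URL's user:pass into a Basic Authorization header, and that header is only base64 encoded, so it is readable to anyone on the path of a plain HTTP connection). This is example code written for this archive page, not code from any poster; the URL, host and credentials are constructed.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

# Constructed sample link with credentials embedded in the URL.
EMBEDDED_URL = "http://alice:s3cret@example.com:8080/admin?view=1"


def browser_request(url):
    """Mimic what the browser does: strip user:pass from the URL and carry
    them in an HTTP Basic Authorization header instead. Returns the request
    line and headers as they would leave the client (no body)."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    # Only path?query goes on the request line, so the server's access log
    # and any Referer header built from this URL never see the password.
    target = urlunsplit(("", "", p.path or "/", p.query, ""))
    token = base64.b64encode(f"{p.username}:{p.password}".encode()).decode()
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Authorization: Basic {token}\r\n\r\n")


def sniffer_view(raw_request):
    """What a passive observer on plain HTTP gets from the same bytes:
    base64 is an encoding, not encryption, so the credentials come back
    with no key at all. Returns (user, password) or None if no Basic header.
    The mitigation is to send Basic auth only inside TLS."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            decoded = base64.b64decode(line.split()[2]).decode()
            user, _, password = decoded.partition(":")
            return user, password
    return None


if __name__ == "__main__":
    wire = browser_request(EMBEDDED_URL)
    print(wire)                      # request line carries no password
    print(sniffer_view(wire))        # ('alice', 's3cret')
```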


