302 Redirection (Not just for successful login attempts)

[Pilon Mntry <pilonmntry () yahoo com>]

 We know that a web application having an
authentication page (form-based) should send a 302
Redirection response upon a successful login attempt.
(this is to avoid the possibility of a re-post by the
attacker)

 However, the same should be applied to unsuccessful
login attempts, too. Because if a client enters  wrong
credentials and get an error page with 200 OK, a
re-post is possible, only providing the wrong
credentials to an attacker. And these wrong
credentials might just have been slightly mistyped
(for example, because of wrong keyboard layout or
capslock) and still valuable to an attacker on a
machine with public access left open by a frustrated
victim (due to unsuccessful login attempts) ...

-pilon

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------