Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)

[Peter Watkins <peterw () tux org>]

On Wed, May 03, 2006 at 03:24:18PM +0200, Achim Hoffmann wrote:
> On Wed, 3 May 2006, Amit Klein (AKsecurity) wrote:
>
> !! You'll see the incoming cookies in HTTP_COOKIE. I'm not sure about HTTP Basic Auth though
> !! (I expected to see it in HTTP_AUTHORIZATION, but it seems that the servers handle this
> !! header and do not provide it in the ENV variables).
>
> Apache provides only AUTH_TYPE (Basic|Digest) and REMOTE_USER .
> But IIRC there're patches around to provide the full credentials.
> Old Netscape Enterprise was also able to provide the full credentials (at least
> with a homemade plug-in), not sure for its successors iPlanet and SunONE.

Regarding iPlanet/SunONE/Sun Java Web System (I like the software, but the
parade of names stinks) up through version 6.1, you can definitely get at 
the Authorization request header with a homemade NSAPI server plugin. If 
you turn around and use the pblock_nvinsert() function to add that info in 
some fake request header in a custom SAF that runs before the Service SAF 
phase, you can expose the info to apps via mechanisms like CGI's getenv() 
and J2EE's req.getHeader(). The NSAPI code would look something like this 

NSAPI_PUBLIC int PW_makeAuthInfoVisible(pblock *pb, Session *sn, Request *rq) {
  char *authData = pblock_findval("authorization",rq->headers);
  char *copy;
  if (authData != (char*)NULL) {
    /* make a copy of the string for inserting */
    copy = STRDUP(authData);
    if ( copy != (char*)NULL ) {
      /* make sure the user didn't send their own X-Authorization header */
      param_free(pblock_remove("x-authorization",rq->headers));
      /* insert; will be visible in CGI as getenv("HTTP_X_AUTHORIZATION") */
      pblock_nvinsert("x-authorization",copy,rq->headers);
    } else {
      /* shouldn't happen, but always good to ensure malloc() calls work */
      log_error(LOG_FAILURE,"PW-makeAuthInfoVisible",sn,rq,"MALLOC failure");
      /* probably best to throw a 500 error and stop this request now */
      protocol_status(sn, rq, PROTOCOL_SERVER_ERROR, NULL);
      return REQ_ABORTED;
    }
  }
  /* return REQ_NOACTION so other handlers for this phase will run */
  return REQ_NOACTION;
}

Amit and Brian, thanks for the summaries. I still think HttpOnly is a good
thing, but it's always nice to understand possible attack vectors.

-Peter


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------