WebApp Sec mailing list archives
Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)
From: Peter Watkins <peterw () tux org>
Date: Wed, 3 May 2006 10:35:56 -0400
On Wed, May 03, 2006 at 03:24:18PM +0200, Achim Hoffmann wrote:
On Wed, 3 May 2006, Amit Klein (AKsecurity) wrote: !! You'll see the incoming cookies in HTTP_COOKIE. I'm not sure about HTTP Basic Auth though !! (I expected to see it in HTTP_AUTHORIZATION, but it seems that the servers handle this !! header and do not provide it in the ENV variables). Apache provides only AUTH_TYPE (Basic|Digest) and REMOTE_USER . But IIRC there're patches around to provide the full credentials. Old Netscape Enterprise was also able to provide the full credentials (at least with a homemade plug-in), not sure for its successors iPlanet and SunONE.
Regarding iPlanet/SunONE/Sun Java Web System (I like the software, but the parade of names stinks) up through version 6.1, you can definitely get at the Authorization request header with a homemade NSAPI server plugin. If you turn around and use the pblock_nvinsert() function to add that info in some fake request header in a custom SAF that runs before the Service SAF phase, you can expose the info to apps via mechanisms like CGI's getenv() and J2EE's req.getHeader(). The NSAPI code would look something like this NSAPI_PUBLIC int PW_makeAuthInfoVisible(pblock *pb, Session *sn, Request *rq) { char *authData = pblock_findval("authorization",rq->headers); char *copy; if (authData != (char*)NULL) { /* make a copy of the string for inserting */ copy = STRDUP(authData); if ( copy != (char*)NULL ) { /* make sure the user didn't send their own X-Authorization header */ param_free(pblock_remove("x-authorization",rq->headers)); /* insert; will be visible in CGI as getenv("HTTP_X_AUTHORIZATION") */ pblock_nvinsert("x-authorization",copy,rq->headers); } else { /* shouldn't happen, but always good to ensure malloc() calls work */ log_error(LOG_FAILURE,"PW-makeAuthInfoVisible",sn,rq,"MALLOC failure"); /* probably best to throw a 500 error and stop this request now */ protocol_status(sn, rq, PROTOCOL_SERVER_ERROR, NULL); return REQ_ABORTED; } } /* return REQ_NOACTION so other handlers for this phase will run */ return REQ_NOACTION; } Amit and Brian, thanks for the summaries. I still think HttpOnly is a good thing, but it's always nice to understand possible attack vectors. -Peter ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r --------------------------------------------------------------------------
Current thread:
- Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Amit Klein (AKsecurity) (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Brian Eaton (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Brian Eaton (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Pilon Mntry (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Amit Klein (AKsecurity) (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Achim Hoffmann (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Peter Watkins (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Amit Klein (AKsecurity) (May 03)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Amit Klein (AKsecurity) (May 04)
- Re: Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Amit Klein (AKsecurity) (May 05)
- Re: [WEB SECURITY] Round-up: Ways to bypass HttpOnly (and HTTP Basic auth) Brian Eaton (May 03)