lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20100225164029.GE2153@sentinelchicken.org>
Date: Thu, 25 Feb 2010 08:40:29 -0800
From: "Timothy D\. Morgan" <tmorgan@...curity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Form-based HTTP Authentication Proof of Concept


Hello,

As a follow up to my paper advocating HTTP authentication in place of
cookies [1], I've built a simple sample application which demonstrates
how a combination of XMLHttpRequest and response code tricks can be 
used to achieve form-based login, logout, and authenticated password
changes in the four most popular browsers:                   
  http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip

Note that this is achieved without using any checks to determine what 
browser is being used.

While this is promising, I still think we should have an HTTP-based 
log out mechanism.  In addition, the proposed W3C change to 
XMLHttpRequest authentication behavior will make this code much 
simpler.

cheers,
tim


1. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ