Penetration Testing mailing list archives

Re: [PEN-TEST] HTML source code and authentication


From: Martijn Prummel <punisher () ZEGMAAR NL>
Date: Tue, 19 Dec 2000 14:40:03 +0100

Chris Tobkin wrote:

click SUBMIT, but the Hidden Fields are Bad Thing (tm).

Agreed. I wouldn't use forms for authentication at all.
We also have a thing called HTTPAuth :)
Just add a http_auth_required header.
This means a 401 webserv response with a header called
WWW-Authenticate: basic realm="Blahblah"

This will pop up a browser window asking for user/pass. The content
of this can be read by looking into the auth header sent back to the
server. This is MIME64 encoded, so not too hard :)

Grtz,
Martijn
--
# whatis life
life: nothing appropriate

