WebApp Sec mailing list archives

RE: Prevent security bypass

From: "Vinny Bedus" <vbedus () BitChangers com>
Date: Tue, 4 Feb 2003 19:13:57 -0500

Chris,
You could create an ISAPI filter that would do the trick.  You basically
could have the ISAPI filter check for the existence of some
authentication cookie, etc.  There may already be existing ones out
there as well.

You could also use Site Server's authentication component, or commerce
server should be able to do the trick (both very expensive solutions).

Hope it helps.

Vinny Bedus
http://www.BitChangers.com/

-----Original Message-----
From: David Cameron [mailto:dcameron () itis-now com] 
Sent: Tuesday, February 04, 2003 5:50 PM
To: webappsec () securityfocus com
Subject: RE: Prevent security bypass

They are the client so they control the client side code. Javascript,
VBScript and any other client side solutions will only stop the casual
browser, no more.

regards
David Cameron
nOw.b2b
dcameron () itis-now com

-----Original Message-----
From: Igor Guarisma [mailto:iguarism () yahoo com]
Sent: Wednesday, 5 February 2003 8:43 AM
To: 'webappsec () securityfocus com'
Subject: Re: Prevent security bypass


There might be a way if you use cookies and
JavaScripts


-----
Igor Guarisma
Universidad Centra de Venezuela
Facultad de Ciencias
EScuela de Computación


 --- Chris Neil <Chris.Neil () abs-ltd com> escribió: > I
am new to this mailing list and so hope this

conforms to the guidelines as
I read them.

How do people address the issue of non-authenticated
users requesting html
pages directly from a site without logging in?

FYI. This is an IIS server. Our asp pages check the
user is logged in, but
with html pages we cannot.
My only idea so far is to convert all our html pages
to asp. Is there
anything less drastic?


Chris Neil
  Security Officer
  Chris.Neil () abs-ltd com
-------------------------------------------
ABS 
  Tel:     +44 (0) 1993 771221
  Fax:    +44 (0) 1993 775081
-------------------------------------------


=====


_________________________________________________________
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com

Current thread:

Re: Prevent security bypass, (continued)
- Re: Prevent security bypass Ulrich P. (Feb 05)
  - Re: Prevent security bypass Chris Travers (Feb 04)
  - Re: Prevent security bypass c3rb3r (Feb 04)
  - Re: Prevent security bypass Adrian Wiesmann (Feb 04)
- Re: Prevent security bypass sunzi (Feb 07)
  - Re: Prevent security bypass Ernie Nelson (Feb 07)
    - HTTP Header and POST Data Exploitation Rahul Chander Kashyap (Feb 08)
    - RE: HTTP Header and POST Data Exploitation Indian Tiger (Feb 09)
- Re: Prevent security bypass Ken Rachynski (Feb 04)
- RE: Prevent security bypass David Cameron (Feb 04)
  - RE: Prevent security bypass Vinny Bedus (Feb 05)
    - Re: Prevent security bypass Chris Travers (Feb 05)
- RE: Prevent security bypass Logan F.D. Greenlee (Feb 05)
- RE: Prevent security bypass Kim Christiansen (Feb 05)
- RE: Prevent security bypass Mark Mcdonald (Feb 05)
  - Re[2]: Prevent security bypass M. Austin Hill (Feb 05)
  - RE: Prevent security bypass TUER, DON (Feb 06)
    - Re: Prevent security bypass Alex Russell (Feb 06)
    - Re: Prevent security bypass Adrian Wiesmann (Feb 06)
    - Re: Prevent security bypass Chris Travers (Feb 07)
- RE: Prevent security bypass David Mowers (Feb 07)

(Thread continues...)