WebApp Sec mailing list archives
Re: Browser refresh sends username/password after log out -- URGENT
From: Imre Kertesz <ikertesz () fastq com>
Date: Tue, 05 Aug 2003 08:25:02 -0700
If I understand this correctly, the application is allowing caching of the credentials. One way to discourage this, from the application's perspective, is to include a script function such as <FORM AUTOCOMPLETE="off"> within the splash page script, as well as the appropriate Cache-Control directive (e.g. "Cache-Control: no-cache"). Just the fact that this caching of credentials is possible within a banking application makes the app a potential target for attackers who may see it as a treasure trove of vulnerabilities. -I

K Kohli wrote:

I am into remote application testing for a critical banking application. The following points will make the question clear:
1) We login and browse the banking site, do transactions etc. and then logout from there.
2) We get a page saying you have been successfully logged out.
3) Now we do a Back and refresh on the browser window and we get a pop up "The page cannot be refreshed without resending the information. Press retry to sending it again ....".
4) From here we say "Retry" and watch the data going in a Web Proxy.
5) We are able to see the Username and password again being sent to the server. When we compare this request with the one sent from the first login page (where we give the username/password), both are exactly the same. I feel that the same request is being resent. This is a great security risk as the credentials are being passed again.
6) Can anyone explain this behaviour and how to avoid the resubmission of the credentials?
7) How many requests does the browser window store in its temporary cache?
===== " DON'T WORRY BE HAPPY, EVERY NIGHT YOU HAVE SOME TROUBLE, IF YOU WORRY YOU MAKE IT DOUBLE, SO DON'T WORRY BE HAPPY NOW...."
-- -· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --· "If you sit quietly at the edge of a river, eventually you will see the bodies of your enemies float by" -A maxim of patience, author unknown Imre Kertesz 480.363.1492 PGP ID: 0x1C1E5054
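As an added example (mine, not code from the thread or from any poster): a stdlib-only WSGI login handler that applies the no-cache headers Imre mentions and the autocomplete="off" form attribute, and goes one step beyond the reply by answering the credential POST with a 303 redirect (Post/Redirect/Get), which is what keeps Back + Refresh from re-sending the login form. The user name, password, paths and the "no-store" directive are my assumptions, not values from the thread.

```python
from io import BytesIO
from urllib.parse import parse_qs
import hmac

# Constructed demo credential (not from the thread); a real app compares a hash.
DEMO_USERS = {"alice": "correct-horse-battery-staple"}

# Response headers telling browsers and proxies not to keep a copy.
NO_STORE = [("Cache-Control", "no-store, no-cache, must-revalidate"),
            ("Pragma", "no-cache"), ("Expires", "0")]

LOGIN_FORM = (b'<form method="POST" action="/login" autocomplete="off">'
              b'<input name="user"><input type="password" name="pass">'
              b'<input type="submit" value="Log in"></form>')


def login_app(environ, start_response):
    """Minimal WSGI app. POST /login never renders a page itself: it answers
    303, so the browser follows with a GET and a later Refresh repeats the
    GET, not the credential-carrying POST (Post/Redirect/Get pattern)."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    if path == "/login" and method == "GET":
        start_response("200 OK", [("Content-Type", "text/html")] + NO_STORE)
        return [LOGIN_FORM]
    if path == "/login" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode())
        user = fields.get("user", [""])[0]
        given = fields.get("pass", [""])[0].encode()
        ok = user in DEMO_USERS and hmac.compare_digest(DEMO_USERS[user].encode(), given)
        target = "/account" if ok else "/login?failed=1"
        start_response("303 See Other", [("Location", target)] + NO_STORE)
        return [b""]
    if path == "/account":
        start_response("200 OK", [("Content-Type", "text/html")] + NO_STORE)
        return [b"<p>Logged in.</p>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(method, path, body=b""):
    """Drive login_app without a server; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    data = b"".join(login_app(environ, start_response))
    return captured["status"], dict(captured["headers"]), data
```

`call("POST", "/login", b"user=alice&pass=correct-horse-battery-staple")` returns the 303 with `Location: /account`; the history entry the browser keeps is then the GET of /account, so Refresh does not replay the password.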