WebApp Sec mailing list archives

Stealing Passwords via browser refresh


From: Karmendra Kohli <karmendra.kohli () paladion net>
Date: Mon, 15 Mar 2004 10:33:39 +0550

Fellow list-members,

A few months ago, I had posted a query on these lists on the browser
resubmitting passwords when specific pages are refreshed. Several
suggestions had come up during that discussion, and since then we have
seen this behaviour in more applications - including critical web applications
used by banks.

Applications that do not use redirection after authentication are
vulnerable to their passwords being revealed if a combination of back
and refresh buttons are pressed on the browser. This issue has been
mentioned in the AppSec FAQ at OWASP. We have now published a more
detailed description of the problem and the solution at:
http://www.paladion.net/papers/Stealing_passwords_via_browser_refresh.pdf

I'd like your feedback on the paper. To see archives of the discussion, please
refer:
http://www.securityfocus.com/archive/107/331821/2003-08-02/2003-08-08/0

Thanks!
Karmendra

Karmendra Kohli
Paladion Networks
http://www.paladion.net
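The mechanism the post describes, as an added example that is not part of the original message or of the Paladion paper: a toy login handler that renders its post-login page directly in response to the POST, beside one that uses the Post/Redirect/Get pattern, driven by a minimal browser model in which Refresh replays the request that produced the displayed page. The handler names, paths, browser model and the sample credential are all constructed for this illustration.

```python
"""Why a login page that answers the credential POST directly leaks the
password on Back + Refresh, and why redirecting after authentication does
not. Constructed example; the application and browser model are hypothetical."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

VALID_USER = ("alice", "s3cret")  # constructed sample credential


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


def login_render_directly(req: Request) -> Response:
    """Vulnerable pattern: the page shown after login IS the response to the
    POST, so the browser's history entry for that page is the POST itself."""
    if req.method == "POST" and (req.form.get("user"), req.form.get("pass")) == VALID_USER:
        return Response(200, "Welcome, alice")
    return Response(200, "Login form")


def login_post_redirect_get(req: Request) -> Response:
    """Mitigation: answer the POST with a redirect. The welcome page is then
    served to a plain GET, and that GET is what the browser keeps for it."""
    if req.method == "POST":
        if (req.form.get("user"), req.form.get("pass")) == VALID_USER:
            return Response(302, location="/welcome")
        return Response(302, location="/login")
    if req.path == "/welcome":
        return Response(200, "Welcome, alice")
    return Response(200, "Login form")


class Browser:
    """Minimal model of the behaviour in the post: Refresh re-sends the request
    that produced the currently displayed page (once the user confirms the
    resubmission prompt, in the case of a POST)."""

    def __init__(self, app: Callable[[Request], Response]):
        self.app = app
        self.history: List[Request] = []

    def navigate(self, req: Request) -> Response:
        resp = self.app(req)
        while resp.status == 302:  # redirects are followed with a bodiless GET
            req = Request("GET", resp.location or "/")
            resp = self.app(req)
        self.history.append(req)  # the request that rendered this page
        return resp

    def back(self) -> None:
        if len(self.history) > 1:
            self.history.pop()

    def refresh(self) -> Request:
        """The request that is re-sent; its form fields are what anyone at the
        unattended browser, or on the wire, would see."""
        return self.history[-1]


def resubmitted_form_on_refresh(app: Callable[[Request], Response]) -> Dict[str, str]:
    """Drive the scenario from the post and report what Refresh resubmits."""
    b = Browser(app)
    b.navigate(Request("GET", "/login"))
    b.navigate(Request("POST", "/login", {"user": "alice", "pass": "s3cret"}))
    b.navigate(Request("GET", "/account"))  # the user moves on and walks away
    b.back()                                # Back returns to the post-login page
    return b.refresh().form                 # Refresh replays whatever produced it


if __name__ == "__main__":
    print("direct render resubmits:", resubmitted_form_on_refresh(login_render_directly))
    print("post/redirect/get resubmits:", resubmitted_form_on_refresh(login_post_redirect_get))
```

With the direct-render handler the replayed request carries the full credential form; with the redirect handler the history entry for the post-login page is a GET and the replay carries nothing. The same check is worth running against a real application through an intercepting proxy: after login, press Back then Refresh and confirm the proxy sees a GET rather than the original POST.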