WebApp Sec mailing list archives
Re: HTTP sniffer for Digest Authentication?
From: Saqib.N.Ali () seagate com
Date: Thu, 23 Sep 2004 13:21:04 -0700
Hello
> Below is a fragment from my access log with a 10-second nonce. Apache asks the client to reauthenticate (with a 401 response and a new nonce) every 10 seconds.
Yup, you're correct. I read up on how web servers implement nonce-generated digests, and this seems correct. I guess the nonce has to have a minimum lifetime of 10 or more because of the stateless nature of HTTP??? Maybe someone can enlighten me on this.
> After extending nonce lifetime, I took a set of request headers from the audit log and used them in a new request, and was successfully authenticated. I could repeat the process as many times as I wanted. That is, until the original nonce expired.
This seems doable, and should be easier, if the nonce is set to expire at 300-second intervals. Thanks.

Saqib Ali
http://validate.sf.net
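The replay described in the thread, worked through as an added example (this is not code from the thread, from Apache or from mod_security): a client computes an RFC 2617 Digest response against a timestamp-based nonce, and the same Authorization header is presented again. A server that only checks that the nonce is authentic and unexpired accepts the replay until the nonce lifetime runs out; a server that also tracks the nonce-count (`nc`) per nonce rejects it immediately. The realm, credentials, server secret, nonce format and 10-second lifetime are all constructed for the example; MD5 is used because the protocol mandates it, not by choice.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from the thread.
REALM = "example"
USER = "alice"
PASSWORD = "s3cret"
SERVER_SECRET = b"constructed-server-secret"
NONCE_LIFETIME = 10  # seconds, matching the 10-second nonce in the quoted log


def _md5(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; this is protocol-mandated.
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: int) -> str:
    # Stateless nonce in the style Apache uses: a timestamp plus a MAC over it,
    # so the server can check age and authenticity without storing anything.
    ts = str(now)
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{mac}"


def nonce_is_valid(nonce: str, now: int) -> bool:
    # Accept only nonces we minted, and only inside their lifetime.
    try:
        ts, mac = nonce.split(":", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False
    return 0 <= now - int(ts) < NONCE_LIFETIME


def client_response(method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> dict:
    # Client side of RFC 2617 with qop=auth:
    #   response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)
    ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = _md5(f"{method}:{uri}")
    resp = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": USER, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": resp}


class DigestServer:
    """Verifies Digest Authorization headers; optionally tracks nc per nonce."""

    def __init__(self, track_nc: bool):
        self.track_nc = track_nc
        self.seen = {}  # nonce -> highest nonce-count accepted so far

    def verify(self, method: str, hdr: dict, now: int) -> bool:
        if not nonce_is_valid(hdr["nonce"], now):
            return False
        ha1 = _md5(f"{hdr['username']}:{REALM}:{PASSWORD}")
        ha2 = _md5(f"{method}:{hdr['uri']}")
        expected = _md5(f"{ha1}:{hdr['nonce']}:{hdr['nc']}:{hdr['cnonce']}:{hdr['qop']}:{ha2}")
        if not hmac.compare_digest(expected, hdr["response"]):
            return False
        if self.track_nc:
            # A replayed header carries an nc we have already seen for this
            # nonce, so it must be strictly greater than the last accepted one.
            nc = int(hdr["nc"], 16)
            if nc <= self.seen.get(hdr["nonce"], 0):
                return False
            self.seen[hdr["nonce"]] = nc
        return True


def replay_demo(track_nc: bool) -> tuple:
    """Returns (first request, replay within lifetime, replay after expiry)."""
    t0 = 1000  # constructed clock value
    server = DigestServer(track_nc)
    nonce = make_nonce(t0)
    hdr = client_response("GET", "/secret", nonce, "00000001", "deadbeef")
    first = server.verify("GET", hdr, t0 + 1)
    replay = server.verify("GET", hdr, t0 + 5)                   # same header, nonce still live
    after = server.verify("GET", hdr, t0 + NONCE_LIFETIME + 1)   # nonce expired
    return first, replay, after


if __name__ == "__main__":
    print("expiry only  :", replay_demo(track_nc=False))
    print("expiry + nc  :", replay_demo(track_nc=True))
```

Without nonce-count tracking the captured header works for every request until the nonce expires, which is exactly the window the thread is discussing; lengthening the lifetime to 300 seconds widens that window proportionally. Tracking `nc` closes the replay but costs the server per-nonce state, which is the stateless-HTTP trade-off raised above.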
Current thread:
- HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 20)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 21)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 26)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 21)