WebApp Sec mailing list archives
Re: HTTP sniffer for Digest Authentication?
From: Saqib.N.Ali () seagate com
Date: Wed, 22 Sep 2004 09:51:29 -0700
That is correct, but there is still a window of opportunity while a server-generated nonce remains valid. Nonce lifetime is implementation and configuration specific. For example, on Apache it defaults to 300 seconds. If I am in position to discover Digest hashes as they travel over the wire, each hash would give me
As I understand it, even though a nonce-generated digest can be valid for a certain amount of time, it is one-use only. In other words, once a valid user authenticates, the nonce-generated digest is useless to the attacker. This is how I wrote my application, but I'm not sure if webservers work the same way. Thanks. Saqib Ali http://validate.sf.net
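The question raised in this exchange is whether a Digest response sniffed off the wire can be replayed while the server's nonce is still valid. The following is an added example, not code from either poster: a toy RFC 2617 Digest server that issues nonces with a configurable lifetime and optionally enforces the nonce-count (nc) so that each (nonce, nc) pair is accepted once. The realm, user, password, nonce lifetime and clock are constructed for the demo; `replay_demo` runs the same sniffed header through a server that tracks nc and one that does not, which is exactly the difference between "one-use" behaviour and a server that only checks nonce age.

```python
import hashlib
import secrets
import time


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1 ':' nonce ':' nc ':' cnonce ':' qop ':' HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Toy server-side Digest verifier (assumed design, not any real web server)."""

    def __init__(self, realm, users, nonce_lifetime=300, track_nc=True, clock=time.time):
        self.realm = realm
        self.users = users                  # username -> password (a real server would store HA1)
        self.nonce_lifetime = nonce_lifetime
        self.track_nc = track_nc            # False = only nonce age is checked, replay succeeds
        self.clock = clock
        self._nonces = {}                   # nonce -> [issued_at, highest nc accepted so far]

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [self.clock(), 0]
        return nonce

    def verify(self, method, uri, auth):
        """auth is the parsed Authorization header. Returns (accepted, reason)."""
        state = self._nonces.get(auth["nonce"])
        if state is None:
            return False, "unknown nonce"
        issued_at, highest_nc = state
        if self.clock() - issued_at > self.nonce_lifetime:
            return False, "stale nonce"
        try:
            nc = int(auth["nc"], 16)
        except ValueError:
            return False, "malformed nc"
        # A replayed header carries the same nc; a server that records the highest nc
        # per nonce rejects it. Bumping nc does not help the attacker because nc is hashed.
        if self.track_nc and nc <= highest_nc:
            return False, "nc replayed"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"], auth.get("qop", "auth"))
        if not secrets.compare_digest(expected, auth["response"]):
            return False, "bad response"
        state[1] = nc
        return True, "ok"


def replay_demo(track_nc=True):
    """Legitimate login followed by three replay attempts of the sniffed header."""
    now = [1000.0]                          # fake clock so the demo is deterministic
    server = DigestServer("example", {"alice": "s3cret"}, nonce_lifetime=300,
                          track_nc=track_nc, clock=lambda: now[0])
    nonce = server.issue_nonce()
    # Constructed header as the real client would send it (and as a sniffer would capture it).
    auth = {"username": "alice", "nonce": nonce, "nc": "00000001",
            "cnonce": "0a4f113b", "qop": "auth"}
    auth["response"] = digest_response("alice", "example", "s3cret", "GET", "/private",
                                       nonce, "00000001", "0a4f113b")
    results = {"client": server.verify("GET", "/private", auth)}
    now[0] += 30                            # attacker replays verbatim 30 s later, nonce still fresh
    results["replay_same_nc"] = server.verify("GET", "/private", auth)
    bumped = dict(auth, nc="00000002")      # attacker bumps nc to dodge the replay check
    results["replay_bumped_nc"] = server.verify("GET", "/private", bumped)
    now[0] += 300                           # attacker retries after the 300 s lifetime
    results["replay_after_lifetime"] = server.verify("GET", "/private", auth)
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("track_nc =", mode, replay_demo(mode))
```

With `track_nc=True` the verbatim replay is refused ("nc replayed") and the bumped one fails the hash check; with `track_nc=False` the verbatim replay is accepted for as long as the nonce lives, which is the window the earlier message describes. Whether a given web server enforces nc, and how long its nonces live, is implementation and configuration specific, so the safe assumption when auditing is the `track_nc=False` case unless the server documents otherwise.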
Current thread:
- HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 20)
- Re: HTTP sniffer for Digest Authentication? Saqib N. Ali (Sep 21)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib N. Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Saqib N. Ali (Sep 26)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib N. Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib N. Ali (Sep 21)