WebApp Sec mailing list archives
Re: HTTP sniffer for Digest Authentication?
From: Ivan Ristic <ivanr () webkreator com>
Date: Wed, 22 Sep 2004 10:25:31 +0100
However I am not sure how you plan to use this Digest to replay an attack.
At this time I am only evaluating advantages of Digest over Basic authentication, so I won't be trying any of this in practice.
Usually the webservers use "nonce" to calculate the MD5 digest for digest authentication, which makes replaying an attack, using a sniffed digest, virtually impossible. Nonce is different each time 401 challenge is issued, thus making the digest different each time.
That is correct, but there is still a window of opportunity while a server-generated nonce remains valid. Nonce lifetime is implementation and configuration specific. For example, on Apache it defaults to 300 seconds. If I am in position to discover Digest hashes as they travel over the wire, each hash would give me five minutes authenticated time with the server. Provided there are other active users on the server, I can repeat the process for as long as I want. The point is that if I know what I am doing, Digest authentication has few advantages over Basic. But, while Digest won't deter attackers who understand HTTP well, it will still serve as a barrier to those who have no or little technical skills, but would happily use a password sniffer to discover base-64 encoded passwords. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ]
Current thread:
- HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 20)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 21)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 26)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 24)
- Re: HTTP sniffer for Digest Authentication? Ivan Ristic (Sep 25)
- Re: HTTP sniffer for Digest Authentication? Saqib . N . Ali (Sep 21)