WebApp Sec mailing list archives
Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 20 Jul 2005 13:52:38 +1000
With respect,
SSL should always be terminated in front of a Web server is illustrated inour technology whitepaper already mentioned above: (http://www.seclutions.com/en/downloads/AirLock_Whitepaper.pdf).
Terminating SSL sessions before the web server assumes that no client- side certificates are in use. If you use client-side certificates (either soft certs or smart cards), terminating early means that the web app has to trust the front end termination device to provide the authentication details from the client.
Pretty much all solutions to this usually involve setting headers (like REMOTE_USER or iv-cred similar) and passing on the request. If the header or token is not present for unauthenticated requests, an attacker can spoof the (say) REMOTE_USER header successfully.
Andrew
Current thread:
- NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Jul 18)
- <Possible follow-ups>
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Jul 19)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Jul 19)
- Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Andrew van der Stock (Jul 19)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Jul 20)
- Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Andrew van der Stock (Jul 21)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Jul 20)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Jul 21)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Aug 09)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Amit Klein (AKsecurity) (Aug 09)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Aug 09)
- RE: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein Cyrill Osterwalder (Aug 10)