WebApp Sec mailing list archives
NTLM Authenthication,
From: "IRM" <irm () iinet net au>
Date: Wed, 28 Feb 2007 23:57:51 +1100
Dear all, On my Web Pen test, I have seen one application that relies on the NTLM Auth for the authorization. The thing is I have seen many people rely on the NTLM Authentication to segregate access at the file level but not at the business logic level. So yesterday, I have seen one application that uses NTLM authorization to segregate user access at the business logic layer. What I mean by that is that instead of using cookies and session ID, Say that test.ASP has menu A, B and C. User X can access Menu A, B and C on and the test.ASP And User Y can access Menu A, B on the test.ASP by using NTLM Authentication for the authorization. I would have thought that this provides more secure environment compared to the form authentication by cookies, etc. As for accessing the pages it will do challenge response thingy... However, I think the down side for this app is that it will be traffic intensive and it is not good design for traffic intensive application especially when the bandwidth is an issue. Any Thought About this particular design? ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHe --------------------------------------------------------------------------
Current thread:
- NTLM Authenthication, IRM (Feb 28)
- RE: NTLM Authenthication, McCarty, Eric C. (Mar 01)
- Re: NTLM Authenthication, Amit Klein (Mar 01)