[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Form-based HTTP Authentication Proof of Concept
From: "Timothy D\. Morgan" <tmorgan () vsecurity ! com>
Date: 2010-02-25 16:40:29
Message-ID: 20100225164029.GE2153 () sentinelchicken ! org
[Download RAW message or body]
Hello,
As a follow up to my paper advocating HTTP authentication in place of
cookies [1], I've built a simple sample application which demonstrates
how a combination of XMLHttpRequest and response code tricks can be
used to achieve form-based login, logout, and authenticated password
changes in the four most popular browsers:
http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
Note that this is achieved without using any checks to determine what
browser is being used.
While this is promising, I still think we should have an HTTP-based
log out mechanism. In addition, the proposed W3C change to
XMLHttpRequest authentication behavior will make this code much
simpler.
cheers,
tim
1. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic