Network Security: Detailed info on Re: Getting round website authentication with Firefox

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

Re: Getting round website authentication with Firefox

from [Christopher Kunz] Network Security

[Permanent Link]

Subject:	Re: Getting round website authentication with Firefox
Date:	Thu, 28 Jul 2005 01:55:10 +0200

account.throw@gmail.com wrote:

Using firefox's "save target as" feature, you can get round web authentication.

Make a password protected directory (with a video file inside) (using .htaccess 
and htpasswd), check that it actully requires a login when you click the link 
to the video normally, then create a hyperlink to the file, right click save as 
- oh snap, it doesn't ask for authentication.

I've only tested it with a video file and Firefox 1.0.6.

Nope. This cannot work, you probably messed up your basic auth settings in Apache. If you perform a HEAD /protected/video.avi, you will already see the 401 header - and there is no way to bypass that with a client.

For the sake of the argument, I actually tried it out - and it doesn't work (of course).

I'd suspect that you a) didn't configure the basic auth properly or b) have run into the infamous basic auth caching issue (a.k.a. "we can't log out users with basic auth").

--ck

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Getting round website authentication with Firefox, Shalom Carmel Getting round website authentication with Firefox, account . throw Re: Getting round website authentication with Firefox, Christopher Kunz <= Re: Getting round website authentication with Firefox, Nate Smith Re: Getting round website authentication with Firefox, James Tait

Previous by Date:	Re: several vulnerabilities present in Belkin wireless routers, E. Kellinis
Next by Date:	Re: RE: Peter Gutmann data deletion theaory?, Simple Nomad
Previous by Thread:	Getting round website authentication with Firefox, account . throw
Next by Thread:	Re: Getting round website authentication with Firefox, Nate Smith
Indexes:	[Date] [Thread] [Top] [All Lists]