Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Getting round website authentication with Firefox

from [Nate Smith] Network Security [Permanent Link]
Subject: Re: Getting round website authentication with Firefox
Date: Wed, 27 Jul 2005 16:58:49 -0700 
On Sun, Jul 24, 2005 at 11:52:11PM -0000, account.throw@gmail.com wrote:

Using firefox's "save target as" feature, you can get round web 
authentication.

Make a password protected directory (with a video file inside) (using 
.htaccess and htpasswd), check that it actully requires a login when you 
click the link to the video normally, then create a hyperlink to the file, 
right click save as - oh snap, it doesn't ask for authentication.

I've only tested it with a video file and Firefox 1.0.6.


If this got around authenticating, it would be the fault of the server,
not the browser.  The browser is only sending a 'request' for a
document.  If firefox fails to ask for credentials in any authentication
scheme, it is the fault of firefox, and should be reported to their bug
tracking system.  Check their support forums first to see if it's known:

http://forums.mozillazine.org/

I tried it with firefox 1.0.6 and it didn't ask for credentials, but it
didn't give me the FILE, either :)  If it has cached your authentication
response from a previous request, then yes, it will let you have the
file.  But that won't work for someone who genuinely doesn't know the
username/password.

-Nate
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: LSS Security Advisory: Winamp remote buffer overflow vulnerability, b0fnet
Next by Date:  PhpList Sql Injection and Path Disclosure, thegreatone2176
Previous by Thread:  Re: Getting round website authentication with Firefox, Christopher Kunz
Next by Thread:  Re: Getting round website authentication with Firefox, James Tait
Indexes:  [Date] [Thread] [Top] [All Lists]