Saqib.N.Ali@seagate.com wrote:
That is correct, but there is still a window of opportunity while
a server-generated nonce remains valid. Nonce lifetime is
implementation and configuration specific. For example, on Apache
it defaults to 300 seconds. If I am in position to discover Digest
hashes as they travel over the wire, each hash would give me
As I understand, even though a nonce generated digest can be valid for a
certain amount of time, it one-use only. In other words once a valid user
authenticates, the nonce generated digest is useless to the attacker. This
is how I wrote my application, but I m not sure if webservers work the same
way.
Below is a fragment from my access log with a 10-second nonce. Apache
asks the client to reauthenticate (with a 401 response and a new
nonce) every 10 seconds.
After extending nonce lifetime, I took a set of request headers
from the audit log and used them in a new request, and was
successfully authenticated. I could repeat the process as many
times as I wanted. That is, until the original nonce expired.
ivanr [22/Sep/2004:18:59:52 +0100] "GET /review/ HTTP/1.1" 401 499
ivanr [22/Sep/2004:18:59:52 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:18:59:59 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:05 +0100] "GET /review/ HTTP/1.1" 401 499
ivanr [22/Sep/2004:19:00:05 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:07 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:12 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:14 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:14 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:15 +0100] "GET /review/ HTTP/1.1" 200 573
ivanr [22/Sep/2004:19:00:15 +0100] "GET /review/ HTTP/1.1" 401 499
ivanr [22/Sep/2004:19:00:15 +0100] "GET /review/ HTTP/1.1" 200 573
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
