[Owasp-ottawa] Is it common to actively reject a web login over HTTP?

Henry Troup Henry.Troup at j2.com
Tue May 7 18:06:21 UTC 2013

Hi all,

My corporate security guy is telling me I have a vulnerability. When a browser visits our login URL in a non-HTTPS session, we redirect to an HTTPS page. However, it seems quite likely that if there’s a POST to the http (port 80) form with credentials, they’d be accepted (and the rest of the session would redirect to HTTPS.)

The more I write about this, the more obvious it seems that we really shouldn’t accept that POST.  HTTP Response 400 “Bad Request” seems most appropriate, although the text of the 401 description at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html could also apply.

Henry Troup | Manager, Campaigner® UI | j2 Global™
henry.troup at j2.com<mailto:henry.troup at j2.com> | www.j2.com<http://www.j2.com/>
phone: 613-733-0000 ext. 7702 | myFax®: 613-249-7421

Cloud Services for Business www.j2.com
j2 | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | Onebox

This email, its contents and attachments contain information from j2 Global, Inc. and/or its affiliates which may be privileged, confidential or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is prohibited. If you have received this email in error please notify the sender by reply e-mail and delete the original message and any copies. (c) 2013 j2 Global, Inc. All rights reserved. eFax, eVoice, Campaigner, FuseMail, KeepItSafe, and Onebox are registered trademarks of j2 Global, Inc. and its affiliates.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-ottawa/attachments/20130507/91b26407/attachment.html>

More information about the Owasp-ottawa mailing list