[Owasp-ottawa] Is it common to actively reject a web login over HTTP?

Sherif Koussa sherif.koussa at owasp.org
Tue May 7 23:08:40 UTC 2013

Hi Henry,

If this is a browser-to-server scenario, then I am not sure sending back
400 or 401 is the best approach from a usability standpoint, since users
could just type yourapplication.com/login directly, or they could have
bookmarked that; getting 400 or 401 might be confusing to them.

I think the fact that the application accepts credentials sent to port 80
is a problem obviously even though the rest of the session conducted. But
the other question is the fact that the login page has been served over
HTTPS in the first place (I am assuming credentials have been posted
through a login form or something), hence, having to accept credentials
over non-TLS channels.

If this is a server-to-server scenario then sending back 400 or 401 is not
unheard of in my opinion.


On Tue, May 7, 2013 at 2:06 PM, Henry Troup <Henry.Troup at j2.com> wrote:

> Hi all,
>
> My corporate security guy is telling me I have a vulnerability. When a
> browser visits our login URL in a non-HTTPS session, we redirect to an
> HTTPS page. However, it seems quite likely that if there’s a POST to the
> http (port 80) form with credentials, they’d be accepted (and the rest of
> the session would redirect to HTTPS.)
>
> The more I write about this, the more obvious it seems that we really
> shouldn’t accept that POST.  HTTP Response 400 “Bad Request” seems most
> appropriate, although the text of the 401 description at
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html could also apply.
>
> Henry Troup | Manager, Campaigner® UI | j2 Global™
> henry.troup at j2.com | www.j2.com
> phone: 613-733-0000 ext. 7702 | myFax®: 613-249-7421
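
One way to reconcile the two positions in this thread, as an added example that is not code from either poster: redirect GET/HEAD requests that arrive over plain HTTP (the typed or bookmarked /login case) and answer any other method with 400 without passing it to the login handler. `RequireTLS`, `login_app`, `simulate` and `app.example.com` are hypothetical names, and the sketch assumes a Python WSGI application that sees the real scheme in `wsgi.url_scheme`.

```python
# Added example (not from the thread). Assumes the app sees the real scheme in
# wsgi.url_scheme, i.e. TLS is not terminated by a proxy in front of it.
from urllib.parse import quote

SAFE_METHODS = {"GET", "HEAD"}

class RequireTLS:
    """Redirect safe plain-HTTP requests to HTTPS; refuse all others with 400."""

    def __init__(self, app, https_host):
        self.app = app
        self.https_host = https_host  # configured value, never the Host header

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD", "GET") in SAFE_METHODS:
            # Typed or bookmarked /login URL: send the browser to HTTPS.
            location = "https://" + self.https_host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        # POST (or any other unsafe method) over HTTP: the wrapped app is never
        # called, so the credentials in the body are not read or accepted.
        body = b"This endpoint only accepts requests over HTTPS.\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]

def login_app(environ, start_response):
    # Stand-in for the real login handler (constructed for this example).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login handler reached\n"]

def simulate(method, scheme, path="/login"):
    """Send one constructed request through the middleware."""
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": ""}
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(RequireTLS(login_app, "app.example.com")(environ, start_response))
    return seen["status"], seen["headers"], body
```

Rejecting the POST stops the server from honouring a cleartext login, but the credentials in that request have already crossed the network unencrypted.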