Comments on Jeremiah Grossman: Tracking users with Basic Auth

Anonymous (2010-04-22T20:38:39.883-07:00):
Thanks for the tip. I will look at blocking auth requests, and I already block etags via a proxy server I am working on, but for love nor money can I find where FF or IE stores the etags on the client.

Jeremiah Grossman (2007-05-01T13:57:00.000-07:00):
That Session ID is stored in the Authorization header the web browser sends. Depending on your environment, there are a number of ways to get access to that information.

Anonymous (2007-05-01T09:22:00.000-07:00):
How do I retrieve the Session ID values on subsequent page loads? For example, if I force basic authentication at my home page, and later want to retrieve the Session ID on a checkout page. How do I do that?

PortSwigger (2007-04-23T01:57:00.000-07:00):
Hey Jeremiah, nice post.

I think you can also make the point that using HTTP auth for user tracking is a little more reliable than the other methods mentioned.

If an application places a token within the URL or a form field, then it will be resubmitted as the user clicks through the app. However, if they make requests outside of the app's own navigation (for example, by typing in a different URL, or following a link on a third-party site) then the token will be lost.

In this situation, using HTTP auth will still work because once credentials are set the browser resubmits them in each subsequent request, regardless of its origin (as with cookies).

Jeremiah Grossman (2007-04-22T21:10:00.000-07:00):
Kishor and Ory:

1) No, creds are lost upon browser close.

2) This wasn't so much about that you couldn't track a user another way (URL Sessions), but that you technically could using Basic Auth. This is something we can add to the browser hacking arsenal that we might be able to use in a combo attack later.

Anonymous (2007-04-22T02:39:00.000-07:00):
Hey,

I think Kishor has a point - why not just use session IDs in the URL?

Sure, it might require some URL rewriting, but most webapp frameworks support it anyway (e.g. ASP.NET cookieless mode).

Regardless, this is really cool...

Kishor (2007-04-20T21:19:00.000-07:00):
I have a few questions:
1. Will this last after the browser is closed?
2. If no, how is it different than having session IDs in the URL etc.? (One advantage would be that you don't have to take care of adding the session ID to every URL, but is there any other reason?)

WebAppSecJournal (http://wasjournal.blogspot.com/)

Anonymous (2007-04-20T14:32:00.000-07:00):
Using cache for tracking is better and even works cross-domain (unless the user has a Firefox extension that limits it to a single domain).

Create a cacheable JavaScript file that contains a predefined unique number and sends it home whenever it's executed.

Ambush Commander (2007-04-20T13:37:00.000-07:00):
I've actually seen this behavior before (having authenticated elsewhere on the website, when accessing a Subversion repository you'll be prompted because the credentials that were automatically sent were invalid), although I never thought it could be adapted to track users. Great stuff.