
Weak auth page doesn't use weak auth #6

Open
kingthorin opened this issue Dec 30, 2015 · 4 comments

Comments

@kingthorin

https://github.com/sectooladdict/wavsep/blob/master/WebContent/passive/session/weak-authentication-basic.jsp
Doesn't use basic auth.

If server configuration is app server dependent then the necessary headers could be "faked" through use of response.setHeader(headerName, headerValue)

https://en.m.wikipedia.org/wiki/Basic_access_authentication#Server_side

@sectooladdict (Owner)

It's actually a ZAP-WAVE test case.
Note taken, will fix or remove in future versions.

@kingthorin (Author)

I'll look into putting something together.

@kingthorin (Author)

kingthorin commented Feb 9, 2016

Hi @sectooladdict the following should be sufficient to "fake" the issue:

    <%-- answer with 401 and a Basic challenge so the response looks like HTTP Basic authentication --%>
    <% response.setStatus(401); %>
    <% response.setHeader("WWW-Authenticate", "Basic realm=\"test realm:\""); %>

If you want an actual contribution via Pull Request let me know.
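The two suggestions in this thread (fake the challenge with `setStatus(401)` plus a `WWW-Authenticate` header, and let a passive scanner pick it up) can be exercised end to end without an app server. The following is an added example, not code from wavsep or ZAP: a standard-library HTTP stub that sends the same 401 + `Basic realm=...` response the JSP scriptlets would, and the passive check a scanner would run over that response (parse the challenge, flag the Basic scheme, rate it higher when the page is not served over TLS). The realm text, the loopback port selection and the `weak-authentication-basic.jsp` path on the stub are constructed for the example.

```python
# Added example (not wavsep's own code): a stand-in for the weak-basic-auth
# test page built with the standard library, plus the passive check a scanner
# would run over its response. The realm text and loopback port are constructed.
import http.server
import re
import threading
import urllib.error
import urllib.request

REALM = "test realm"  # constructed value, echoing the header suggested in the issue


class WeakAuthHandler(http.server.BaseHTTPRequestHandler):
    """Answer every GET with 401 + a Basic challenge, like the JSP scriptlets."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


# One challenge per header value: <scheme> [auth-params]
_CHALLENGE_RE = re.compile(
    r"^\s*(?P<scheme>[A-Za-z][A-Za-z0-9._~+/-]*)(?:\s+(?P<params>.*))?\s*$"
)
_REALM_RE = re.compile(r'realm\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<token>[^\s,]+))', re.I)


def parse_challenge(value):
    """Return (scheme, realm) for a WWW-Authenticate value, or None if malformed."""
    m = _CHALLENGE_RE.match(value)
    if not m:
        return None
    scheme = m.group("scheme").lower()
    realm = None
    r = _REALM_RE.search(m.group("params") or "")
    if r:
        realm = r.group("quoted") if r.group("quoted") is not None else r.group("token")
    return scheme, realm


def check_weak_auth(url, status, challenge_values):
    """Passive check: flag Basic challenges; rate them higher when not over TLS."""
    findings = []
    if status != 401:
        return findings
    over_tls = url.lower().startswith("https://")
    for value in challenge_values or []:
        parsed = parse_challenge(value)
        if parsed is None:
            continue
        scheme, realm = parsed
        if scheme == "basic":
            findings.append({
                "url": url,
                "scheme": scheme,
                "realm": realm,
                "over_tls": over_tls,
                "risk": "medium" if over_tls else "high",
            })
    return findings


def scan_local_stub():
    """Serve the stub on a free loopback port, fetch it once, run the check."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), WeakAuthHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    url = "http://127.0.0.1:%d/weak-authentication-basic.jsp" % server.server_address[1]
    try:
        try:
            urllib.request.urlopen(url, timeout=5)
            status, challenges = 200, []
        except urllib.error.HTTPError as err:  # urllib raises on a 401 response
            status = err.code
            challenges = err.headers.get_all("WWW-Authenticate") or []
        return check_weak_auth(url, status, challenges)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in scan_local_stub():
        print(finding)
```

Running the module starts the stub, requests the page once and prints a single finding for the Basic challenge over plain HTTP. The parser deliberately handles one challenge per header value (servers that offer several schemes usually send several `WWW-Authenticate` headers), and the realm regex accepts both the quoted form used in this thread and a bare token.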

@sectooladdict (Owner)

Got it, 10x
