
Overview of HTTP Authentication


The HTTP 1.x protocol has a built-in mechanism for requiring a valid username/password to gain access to web resources. This mechanism is known as HTTP Authentication and can be initiated either by a CGI script or by the web server itself.

The overall purpose of this document is to provide the new user with a common-sense definition and understanding of HTTP authentication at the HTTP header level.

There are currently two modes of authentication built into the HTTP 1.1 protocol, termed 'Basic' and 'Digest' Access Authentication.

Basic Authentication transmits the username:password pair in an unencrypted form from browser to server, and as such should not be used for sensitive logins unless operating over an encrypted medium such as SSL [1].

Digest Authentication sends the server a one-way hash of the username:password pair, calculated with a time-sensitive, server-supplied salt value.

Here a couple of definitions are in order:

One-way hash: A mathematical calculation of a string so that no two strings can have the same hashed value. The term "one way" in conjunction with this signifies that the original string cannot be recovered from the hashed value by calculation and could only be determined by brute-force comparison with the hashed values of known strings.

Salt value: The salt value is an arbitrary string of data generated by the server for the client to include in the hash calculation.

The use of a salt value means that every authentication attempt with the same username:password pair will result in a unique hash, so the exchange is not vulnerable to replay attacks.

The Digest Authentication mechanism was developed to provide a general-use, simple-to-implement access control that could be used over unencrypted channels. Users should note that it is not as secure as Kerberos or client-side private-key authentication mechanisms. It is also important to note that only the username:password is protected by the hashing mechanism, and that without the use of an encrypting medium such as SSL all retrieved documents will still be visible to all parties with access to the network traffic.
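To make the "one-way hash with a server-supplied salt" concrete, here is an added Python example (not code from the original article) that computes the Digest response the way RFC 2617 specifies it when no qop is negotiated: the nonce is the salt, HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), and response = MD5(HA1:nonce:HA2). The realm, the username fred and the password "thats me" are the ones used later in the article's own exchange; the HMAC-based nonce format, the server secret, the 300-second nonce lifetime and the USER_HA1 store are assumptions of this example. It also shows the two defensive properties the text claims: the same username:password with a fresh nonce gives a different response each time, and a stale or forged nonce is rejected, so a captured Authorization header cannot simply be replayed.

```python
import hashlib
import hmac
import time

REALM = "File Download Authorization"
NONCE_LIFETIME_SECONDS = 300  # assumed policy; the article only says "time sensitive"


def md5_hex(text: str) -> str:
    """MD5 is what RFC 2617 mandates for Digest; it is not a recommendation."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_nonce(secret: bytes, now=None) -> str:
    """Server-side 'salt': a timestamp plus an HMAC tag, so the server can later
    recognise a nonce it issued without having to store every nonce (assumed format)."""
    ts = str(int(now if now is not None else time.time()))
    tag = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{tag}"


def nonce_is_fresh(nonce: str, secret: bytes, now=None) -> bool:
    """True only if the nonce carries our tag and is within its lifetime."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected, tag):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - int(ts) <= NONCE_LIFETIME_SECONDS


def ha1(username: str, password: str) -> str:
    """The only place the password enters; a server may store just this value."""
    return md5_hex(f"{username}:{REALM}:{password}")


def digest_response(h1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")


def digest_challenge(secret: bytes, now=None) -> str:
    """The WWW-Authenticate header a server would send in step 3 for Digest."""
    return f'WWW-Authenticate: Digest realm="{REALM}", nonce="{make_nonce(secret, now)}"'


def client_authorization(username, password, nonce, method, uri) -> dict:
    """What the browser computes and returns in its Authorization header."""
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "response": digest_response(ha1(username, password), nonce, method, uri)}


# Constructed credential store holding HA1 instead of the password itself.
USER_HA1 = {"fred": ha1("fred", "thats me")}


def verify(auth: dict, method: str, secret: bytes, now=None) -> bool:
    """Server-side check of a parsed Authorization: Digest header."""
    stored = USER_HA1.get(auth.get("username", ""))
    if stored is None or auth.get("realm") != REALM:
        return False
    if not nonce_is_fresh(auth.get("nonce", ""), secret, now):
        return False  # stale or forged nonce: a replayed login fails here
    expected = digest_response(stored, auth["nonce"], method, auth.get("uri", ""))
    return hmac.compare_digest(expected, auth.get("response", ""))


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    nonce = make_nonce(secret)
    print(digest_challenge(secret))
    auth = client_authorization("fred", "thats me", nonce, "GET", "/download/report.doc")
    print("valid login accepted:", verify(auth, "GET", secret))
    print("same login with another nonce differs:",
          auth["response"] != client_authorization(
              "fred", "thats me", make_nonce(secret, time.time() + 1),
              "GET", "/download/report.doc")["response"])
```

The two points worth taking from this: the server never needs the cleartext password, only HA1, and the replay protection the article attributes to the salt comes entirely from the server refusing nonces it did not issue recently, so a server that accepts any nonce value has no replay protection at all.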

With the terminology and background in place, we will now move on to stepping through an actual Basic Authentication exchange between Client (web browser) and Server.

1. Client sends a standard HTTP request for the resource

GET /download/report.doc HTTP/1.1
Accept: application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 10.0.0.5:81
Connection: Keep-Alive

2. Server reads its configuration files and determines that the resource falls within a protected directory.

The server can only allow access to known users.

3. Server sends an HTTP 401 Authorization Required response

HTTP/1.1 401 Authorization Required
Date: Sat, 20 Oct 2001 19:28:06 GMT
Server: Apache/1.3.19 (Unix)
WWW-Authenticate: Basic realm="File Download Authorization"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

[ html error page for browser to show if user hits cancel ]

4. Browser displays a username/password prompt showing the host name and authentication realm.

[image auth.jpg]

5. Client resubmits the request with username/password

GET /download/report.doc HTTP/1.1
Accept: application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 10.0.0.5:81
Connection: Keep-Alive
Authorization: Basic ZnJlZDp0aGF0cyBtZQ==

6. Server compares the client information to its user/password list.

a. username:password is valid: server sends the requested content.
b. authorization fails: server resends the 401 Authorization Required header.
c. Client hits cancel: browser shows the error message sent along with the 401 message.

From the above dialogue you will notice that several special fields have been added to the various HTTP headers. In step 3, when the server sends the 401 response, it includes a special field:

WWW-Authenticate: Basic realm="File Download Authorization"

The value "Basic" denotes that we are requesting the browser to use Basic Authentication. The realm information is an arbitrary string sent to be displayed to the user, commonly containing a site message or feedback. The image in step 4 shows Internet Explorer's HTTP Authorization dialogue and how it displays the site and realm data received. [2]

The user fills in the form and clicks OK. The browser automatically resends the request, as seen in step 5. Here you will notice a new field has been added to the standard HTTP request:

Authorization: Basic ZnJlZDp0aGF0cyBtZQ==

This is where the web browser sends the actual authorization information to the server. The Authorization field shown is composed of two values. The word Basic denotes that the login is being sent in accordance with the Basic Authentication method. The block of data that follows it is the actual login as supplied by the browser. Don't let the login's appearance fool you: this is not an encryption routine, but a Base64 transfer encoding.

The plain-text login can be trivially decoded to its underlying username:password format:

ZnJlZDp0aGF0cyBtZQ== -> base64Decode() -> "fred:thats me"
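The whole Basic exchange above, written out as an added Python example (not code from the original article): it parses the step-5 request, decodes the Base64 payload back to fred:thats me, checks it against a store that holds only a salted password hash, and otherwise emits the step-3 challenge. The request headers, realm, username and password come from the article; the PBKDF2 store, its fixed salt and the handle() function are assumptions of this example, and the status text is written as 401 Unauthorized (the RFC reason phrase) rather than Apache 1.3's "Authorization Required".

```python
import base64
import binascii
import hashlib
import hmac

# Constructed from the step-5 request in the article (headers trimmed).
SAMPLE_REQUEST = (
    "GET /download/report.doc HTTP/1.1\r\n"
    "Host: 10.0.0.5:81\r\n"
    "Connection: Keep-Alive\r\n"
    "Authorization: Basic ZnJlZDp0aGF0cyBtZQ==\r\n"
    "\r\n"
)

REALM = "File Download Authorization"


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP/1.1 request into a dict of lower-cased header names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_credentials(authorization_value: str):
    """Turn 'Basic <base64>' into (username, password), or None if malformed.

    The payload is Base64, a transfer encoding, not encryption: anyone who can
    read the request on the wire recovers the password exactly as this does.
    """
    scheme, _, payload = authorization_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617: the username may not contain ':', so split on the first one.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so the server never stores the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: one fixed salt here for brevity; use one per user in practice.
_SALT = b"constructed-fixed-salt-for-demo"
USER_STORE = {"fred": (_SALT, hash_password("thats me", _SALT))}


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    entry = USER_STORE.get(username)
    if entry is None:
        hash_password(password, _SALT)  # same cost whether or not the user exists
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def challenge() -> str:
    """The step-3 response the server sends when no valid login is present."""
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{REALM}"\r\n'
        "\r\n"
    )


def handle(raw_request: str) -> str:
    """Return a 200 when the Basic login checks out, else the 401 challenge."""
    headers = parse_headers(raw_request)
    creds = decode_basic_credentials(headers.get("authorization", ""))
    if creds is None or not check_credentials(*creds):
        return challenge()
    return "HTTP/1.1 200 OK\r\n\r\n"


if __name__ == "__main__":
    print(decode_basic_credentials("Basic ZnJlZDp0aGF0cyBtZQ=="))  # ('fred', 'thats me')
    print(handle(SAMPLE_REQUEST).split("\r\n")[0])                  # HTTP/1.1 200 OK
    print(handle("GET / HTTP/1.1\r\nHost: 10.0.0.5:81\r\n\r\n").split("\r\n")[0])  # HTTP/1.1 401 Unauthorized
```

Two things the code makes visible that the header dump alone does not: the decoder is the complete "attack" on Basic (nothing more than b64decode), and the only server-side defence that survives a captured request is never storing the password itself, which limits damage to the one credential already exposed in transit.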

The implementation of Digest Authentication is exactly the same as that of the Basic Authentication process outlined above, the only difference being the number of arguments supplied to the browser and the format of the login returned.

Both Basic and Digest have respected places in the web developer's toolbox; however, they should not be considered high-grade protection for sensitive information or access, as they do not address network-level attacks. Nevertheless, many functions remain for which Basic and Digest authentication are both useful and appropriate.

Comments

  1. Anonymous, 6:32 AM

    www.darkorbit.com/abmin

    can this be hacked

    plz mail to shamv17@gamil.com

    Reply: You can follow the blog posts here to learn more on hacking and web site security. But refrain from posting requests like this to hack a particular website.

  2. a person, 7:27 AM

    I am also trying to hack the above site

    I am not requesting that someone hacks it for me; I am just wanting to know what kind of auth that is. I have tried brute forcing it but no luck



I have discovered  another  security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing. Video . Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to  dial any phone number and run any app ! HOWTO From the lock screen, hit the emergency call button. Dial a non-existent emergency services number - e.g. 0. Press the green dial icon. Dismiss the error message. Press the phone's back button. The app's screen will be briefly displayed. This is just about long enough to interact with the app. Using this, you can run and interact with any app / widget / settings menu. You can also use this to launch the dialler. From there, you can dial any phone...