从Basic Authentication认知cookie和session

最新推荐文章于 2022-03-30 22:04:46 发布

fallinsky

最新推荐文章于 2022-03-30 22:04:46 发布

阅读量1.6k

点赞数

分类专栏： WebGoat 文章标签： authentication basic session authorization user string

本文链接：https://blog.csdn.net/fallinsky/article/details/6018794

版权

WebGoat 专栏收录该内容

8 篇文章 0 订阅

订阅专栏

HTTP Basic Authentication

查看wikipedia的解释，http://en.wikipedia.org/wiki/Basic_authentication_scheme

HTTP Basic Authentication即Basic access authentication

概念：In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.

在执行会话之前，用户名和密码username:password对作为一个字符串经过Base64算法加密编码，之后经Base64编码的字符串被发送到接收端，接收端服务器应用解码得到用户名和密码。

Base64加密算法很简单，只能防止直接查看得到用户名和密码，解码是十分容易的。因此，编码的初衷不是出于安全性的考虑，而是为了将用户名和密码中可能存在的一些不被HTTP兼容的字符（non-HTTP-compatible characters）编码为HTTP兼容的字符！

缺点：因为用户名和密码几乎相当于明文传输，所以存在严重的安全性问题。因此Basic Authentication基本用在可信任网络或进行测试时用！

digest access authentication被制定来更加安全的进行认证。

用户名和密码对如guest:guest经Base64编码后得到Z3Vlc3Q6Z3Vlc3Q=，并被放入认证头Authorization中

形如Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

Example：typical transaction between an HTTP client and an HTTP server running on the local machine (localhost).

The client asks for a page that requires authentication but does not provide a user name and password. Typically this is because the user simply entered the address or followed a link to the page.
The server responds with the 401 response code and provides the authentication realm.
At this point, the client will present the authentication realm (typically a description of the computer or system being accessed) to the user and prompt for a user name and password. The user may decide to cancel at this point.
Once a user name and password have been supplied, the client adds an authentication header (with value base64encode(username+":"+password)) to the original request and re-sends it.
In this example, the server accepts the authentication and the page is returned. If the user name is invalid or the password incorrect, the server might return the 401 response code and the client would prompt the user again.

Note: A client may pre-emptively send the authentication header in its first request, with no user interaction required.

方法：在http://url中间加入用户名和密码对，例如：http://guest:guest@www.baidu.com即可！

PS：要在发送请求的时候添加HTTP Basic Authentication认证信息到请求中，有两种方法：

一是在请求头中添加Authorization：
Authorization: "Basic 用户名和密码的base64加密字符串"
二是在url中添加用户名和密码：
http://userName:password@api.minicloud.com.cn/statuses/friends_timeline.xml

攻击过程：

因为是tomcat服务器，因此cookie中为JSESSIONID，初始截获请求没有发现Authorization头，因此修改JSESSIONID发送给服务器，因为是错误的cookie，服务器返回401响应，并要求输入用户名和密码，再截获会发现Authorization头出现了，但是问题是并没有重新生成新的JSESSIONID！！——因为最开始存在的cookie是存在浏览器内存中和服务器端的，当服务器端接收到错误的JSESSIONID（亦即cookie）时，会返回401要求认证，这时我填入用户名和密码，浏览器自动加入内存已有的cookie（未修改前的）。

这时有了Authorization头，在截获请求时改变JSESSIONID，因为用户名密码是正确的，所以服务端接收后返回的是200 ok响应，但是会重新分配一个新的JSESSIONID给用户，此时JSESSIONID才会改变。

从这个过程不难看出，在已登录并正常通信后，客户端服务端的Authorization头是可有可无的，只要JSESSIONID不变！

认识到这一点，按部就班就可以达成第一步攻击！第二步只需要篡改请求中的JSESSIONID，并将Authorization头中的用户名和密码改变为需要登录的用户名密码对即可。或者清空浏览器中的cookie（JSESSIONID和Authorization头），再用上面所述在url中添加用户名和密码即可！！

以下转自：http://www.cnblogs.com/QLeelulu/archive/2009/11/22/1607898.html

访问需要HTTP Basic Authentication认证的资源的各种语言的实现

下面来看下对于第一种在请求中添加Authorization头部的各种语言的实现代码。

.NET下

string username="username"; string password="password"; //注意这里的格式哦，为 "username:password" string usernamePassword = username + ":" + password; CredentialCache mycache = new CredentialCache(); mycache.Add(new Uri(url), "Basic", new NetworkCredential(username, password)); myReq.Credentials = mycache; myReq.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(new ASCIIEncoding().GetBytes(usernamePassword))); WebResponse wr = myReq.GetResponse(); Stream receiveStream = wr.GetResponseStream(); StreamReader reader = new StreamReader(receiveStream, Encoding.UTF8); string content = reader.ReadToEnd();

你当然也可以使用HttpWebRequest或者其他的类来发送请求。

然后是Python的：

reference：http://en.wikipedia.org/wiki/Basic_authentication_scheme

http://topic.csdn.net/u/20100111/19/3da6591b-5090-4891-af14-c8ad94181767.html

http://www.cnblogs.com/QLeelulu/archive/2009/11/22/1607898.html

http://www.cnblogs.com/cmt/archive/2010/05/13/1733904.html

import urllib2 import sys import re import base64 from urlparse import urlparse theurl = 'http://api.minicloud.com.cn/statuses/friends_timeline.xml' username = 'qleelulu' password = 'XXXXXX' # 你信这是密码吗？ base64string = base64.encodestring( '%s:%s' % (username, password))[:-1] #注意哦，这里最后会自动添加一个/n authheader = "Basic %s" % base64string req.add_header("Authorization", authheader) try: handle = urllib2.urlopen(req) except IOError, e: # here we shouldn't fail if the username/password is right print "It looks like the username or password is wrong." sys.exit(1) thepage = handle.read()

再来是PHP的：

<?php $fp = fsockopen("www.mydomain.com",80); fputs($fp,"GET /downloads HTTP/1.0"); fputs($fp,"Host: www.mydomain.com"); fputs($fp,"Authorization: Basic " . base64_encode("user:pass") . ""); fpassthru($fp); ?>

还有flash的AS3的：

import mx.rpc.events.FaultEvent; import mx.rpc.events.ResultEvent; import mx.utils.Base64Encoder; import mx.rpc.http.HTTPService; URLRequestDefaults.authenticate = false;//设默认为false，否则用户较验错误时会弹出验证框 private var result:XML; private function initApp():void { var base64enc:Base64Encoder = new Base64Encoder; base64enc.encode("user:password"); //用户名和密码需要Base64编码 var user:String = base64enc.toString(); var http:HTTPService = new HTTPService; http.addEventListener(ResultEvent.RESULT,resultHandler);//监听返回事件 http.addEventListener(FaultEvent.FAULT,faultHandler); //监听失败事件 http.resultFormat = "e4x";//返回格式 http.url = "http://api.digu.com/statuses/friends_timeline.xml"; 以嘀咕网的API为列 http.headers = {"Authorization":"Basic " + user}; http.send(); } private function resultHandler(e:ResultEvent):void { result = XML(e.result); test.dataProvider = result.status;//绑定数据 } private function faultHandler(e:ResultEvent):void { //处理失败 }

还有Ruby On Rails的：

class DocumentsController < ActionController before_filter :verify_access def show @document = @user.documents.find(params[:id]) end # Use basic authentication in my realm to get a user object. # Since this is a security filter - return false if the user is not # authenticated. def verify_access authenticate_or_request_with_http_basic("Documents Realm") do |username, password| @user = User.authenticate(username, password) end end end

JavaScript的：

//需要Base64见：http://www.webtoolkit.info/javascript-base64.html function make_base_auth(user, password) { var tok = user + ':' + pass; var hash = Base64.encode(tok); return "Basic " + hash; } var auth = make_basic_auth('QLeelulu','mypassword'); var url = 'http://example.com'; // 原始JavaScript xml = new XMLHttpRequest(); xml.setRequestHeader('Authorization', auth); xml.open('GET',url) // ExtJS Ext.Ajax.request({ url : url, method : 'GET', headers : { Authorization : auth } }); // jQuery $.ajax({ url : url, method : 'GET', beforeSend : function(req) { req.setRequestHeader('Authorization', auth); } });

PS：HTTP Basic Authentication对于跨域又要发送post请求的用JavaScript是实现不了的(注：对于Chrome插件这类允许通过AJAX访问跨域资源的，是可以的)。。