Matasareanu, posted September 6, 2017

Title: Phishy Basic Authentication prompts
URL: https://securitycafe.ro/2017/09/06/phishy-basic-authentication-prompts/
Author: @TheTime

Quote:

In one of our previous posts, we noted that a popular tool – Responder – uses Basic Authentication prompts to harvest user credentials when they accidentally enter invalid domains in web browsers. Responder's approach is pretty good and it does some "magic" to catch and respond to DNS requests for non-existing domains; however, I think that there is way more potential in using Basic Authentication for phishing purposes.

What I like (or dislike) most about basic authentication is that it is NEVER clear who is asking for your credentials and where they will end up. This type of confusion often tricks users into falling for simple phishing tricks, allowing attackers to easily gather user credentials.

Users should be able to determine if a Basic Authentication request is genuine based on 2 security indicators:

1. The IP address or domain of the entity that requests authentication. This often doesn't help users since attackers can register domain names that resemble trusted domains. For example, when trying to leak the credentials for targetdomain.com, an attacker can register similar domains:
   - targetdomain.co / .net
   - target-domain.com
   - targetdomain-oauth.com
   - targetdomain-cdn.com
   - targetdomain-images.com
   - login-targetdomain.com
2. The authentication parameter "Realm"; however, this is a string that can be arbitrarily provided by the attacker. Depending on the context, simple strings might trick users into considering that the Basic Authentication prompt is genuine:
   - "Network proxy authentication required"
   - "You were logged out due to inactivity, please login again."

Too much theory, let's see a few examples where basic authentication prompts can be really confusing for the users.
Presuming that targetdomain.com is a genuine website, an attacker can simply register (and control) target-domain.com, a website which might be confused with the original by some users.
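A defender-side triage of the two indicators the quoted post names, the requesting host and the realm string, written as an added Python example; it is not code from the securitycafe.ro article, from Responder, or from this thread. It parses the realm out of a WWW-Authenticate header so it can be shown but never trusted, and flags hosts that fit the lookalike patterns listed in the post (different TLD, inserted hyphen, prefixed or suffixed label, the real name buried as a subdomain, one-character typos). PROTECTED_DOMAINS and every sample challenge are constructed for illustration.

```python
"""Defender-side triage of an HTTP Basic Authentication challenge.

Added example, not code from the quoted post. Given the URL that produced
a 401 and its WWW-Authenticate header, surface the host and the
attacker-controlled realm, and flag lookalike hosts. PROTECTED_DOMAINS
and all sample inputs are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed: the domains the organisation actually owns. Two-label
# domains only (label + TLD), which is all this example needs.
PROTECTED_DOMAINS = ("targetdomain.com",)

_BASIC_RE = re.compile(r"\s*Basic(?:\s+(.*))?$", re.IGNORECASE)
_REALM_RE = re.compile(r'realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.IGNORECASE)


def parse_basic_realm(header_value):
    """Return the realm of a Basic challenge, "" if absent, None if not Basic.

    The realm is free text chosen by whoever sent the challenge, so it is
    extracted for display only and never used to decide trust.
    """
    m = _BASIC_RE.match(header_value)
    if not m:
        return None
    rm = _REALM_RE.search(m.group(1) or "")
    if not rm:
        return ""
    quoted, token = rm.groups()
    return quoted.replace('\\"', '"') if quoted is not None else token


def levenshtein(a, b):
    """Edit distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return ("genuine"|"lookalike"|"unknown", matched protected domain)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for d in PROTECTED_DOMAINS:
        # Exact match or a real subdomain: the only case called genuine.
        if host == d or host.endswith("." + d):
            return "genuine", d
    if len(labels) < 2:
        return "unknown", None
    sld = labels[-2]  # registrable label, e.g. "target-domain"
    for d in PROTECTED_DOMAINS:
        dlabel = d.split(".")[0]
        if (
            dlabel in labels[:-1]                 # targetdomain.co, targetdomain.com.evil.org
            or sld.replace("-", "") == dlabel     # target-domain.com
            or sld.startswith(dlabel + "-")       # targetdomain-oauth.com
            or sld.endswith("-" + dlabel)         # login-targetdomain.com
            or levenshtein(sld, dlabel) <= 1      # one-character typo
        ):
            return "lookalike", d
    return "unknown", None


def assess_prompt(url, www_authenticate):
    """Combine both indicators into one record a proxy or log pipeline can act on."""
    host = urlsplit(url).hostname or ""
    verdict, matched = classify_host(host)
    return {
        "host": host,
        "realm": parse_basic_realm(www_authenticate),
        "verdict": verdict,
        "matched": matched,
    }


if __name__ == "__main__":
    # Constructed challenges; the realm strings are the ones the post quotes.
    samples = [
        ("https://login.targetdomain.com/", 'Basic realm="Intranet"'),
        ("http://target-domain.com/", 'Basic realm="Network proxy authentication required"'),
        ("http://targetdomain-oauth.com/",
         'Basic realm="You were logged out due to inactivity, please login again."'),
        ("http://example.org/", "Basic realm=public"),
    ]
    for url, header in samples:
        print(assess_prompt(url, header))
```

The verdict comes only from the host; the realm is carried along so a user-facing warning or a SIEM record can show the text that was used to make the prompt look plausible, without ever letting that text raise the trust level.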
Nytro, posted September 6, 2017

Great, only a little over two months have passed since the last post.
TheTime, posted September 6, 2017

Do you know any alumni willing to post?
Nytro, posted September 6, 2017

Eh, there are plenty of non-alumni who can write.