Matasareanu

Phishy Basic Authentication prompts


Title:Phishy Basic Authentication prompts

URL: https://securitycafe.ro/2017/09/06/phishy-basic-authentication-prompts/

Author: @TheTime

 

Quote

 

In one of our previous posts, we noted that a popular tool – Responder – uses Basic Authentication prompts to harvest user credentials when they accidentally enter invalid domains in web browsers.
Responder’s approach is pretty good and it does some “magic” to catch and respond to DNS requests for non-existent domains; however, I think that there is way more potential in using Basic Authentication for phishing purposes.
What I like (or dislike) most about basic authentication is that it is NEVER clear who is asking for your credentials and where they will end up. This type of confusion often tricks users into falling for simple phishing tricks, allowing attackers to easily gather user credentials.

Users should be able to determine if a Basic Authentication request is genuine based on 2 security indicators:

1. the IP address or domain of the entity that requests authentication. This often doesn’t help users since attackers can register domain names that resemble trusted domains. For example, when trying to leak the credentials for targetdomain.com, an attacker can register similar domains:
  • targetdomain.co / .net
  • target-domain.com
  • targetdomain-oauth.com
  • targetdomain-cdn.com
  • targetdomain-images.com
  • login-targetdomain.com
2. the authentication parameter “Realm”; however, this is a string that can be arbitrarily provided by the attacker. Depending on the context, simple strings might trick users into considering that the Basic Authentication prompt is genuine:
  • “Network proxy authentication required”
  • “You were logged out due to inactivity, please login again.”
Too much theory, let’s see a few examples where basic authentication prompts can be really confusing for the users. Presuming that targetdomain.com is a genuine website, an attacker can simply register (and control) target-domain.com, a website which might be confused with the original by some users.

 

 

  • Like 1
  • Upvote 4
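An added example, not code from the quoted post or from securitycafe.ro: a small Python checker that a filtering proxy or browser extension could apply to a 401 response, flagging the two indicators the post says users cannot judge reliably (lookalike origin, attacker-chosen realm) plus plain-HTTP transport. The trusted list, the realm phrases and the two-label registrable-domain rule are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of origins whose Basic challenges are expected (example only).
TRUSTED = {"targetdomain.com"}
# Constructed realm fragments that mimic session/proxy messages instead of naming a resource.
SUSPICIOUS_REALM = ("logged out", "login again", "log in again", "proxy", "session", "inactivity")

def parse_challenge(header):
    """Return (scheme, realm) from a WWW-Authenticate value; realm is '' when absent."""
    m = re.match(r'\s*([A-Za-z]+)\s*(.*)$', header)
    if not m:
        return None, ""
    scheme, params = m.group(1).lower(), m.group(2)
    r = re.search(r'realm\s*=\s*(?:"([^"]*)"|([^\s,]+))', params, re.I)
    realm = (r.group(1) or r.group(2) or "") if r else ""
    return scheme, realm

def registrable(host):
    """Last two labels of the host (assumption: no multi-label public suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_lookalike(host):
    """True if the host imitates a trusted name the way the post lists (typo TLD, hyphen, affix)."""
    reg = registrable(host)
    if reg in TRUSTED:
        return False
    sld = reg.rsplit(".", 1)[0]
    for trusted in TRUSTED:
        tsld = trusted.rsplit(".", 1)[0]
        if sld == tsld or tsld in sld.replace("-", ""):
            return True
    return False

def assess(url, www_authenticate):
    """Return warnings for a Basic challenge at url; an empty list means nothing suspicious."""
    scheme, realm = parse_challenge(www_authenticate)
    if scheme != "basic":
        return []  # only Basic prompts are in scope here
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if is_lookalike(host):
        warnings.append(f"host {host} is a lookalike of a trusted domain")
    elif registrable(host) not in TRUSTED:
        warnings.append(f"host {host} is not a known Basic-auth origin")
    if parts.scheme != "https":
        warnings.append("credentials would travel base64-encoded over plain HTTP")
    low = realm.lower()
    if any(k in low for k in SUSPICIOUS_REALM):
        warnings.append(f"realm looks like a session/proxy message: {realm!r}")
    if registrable(host) not in TRUSTED and any(t in low for t in TRUSTED):
        warnings.append(f"realm names a trusted domain the origin does not own: {realm!r}")
    return warnings
```

Feeding the response origin and its WWW-Authenticate header into assess() gives a list of human-readable reasons that can be shown in place of, or alongside, the bare browser prompt.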