Authored by: PriceChilde on Saturday, May 04 2013 @ 03:58 PM EDT
First off, the difference between username/password in a url and providing it via basic auth is just a small difference about its position in the http request. For example:

    GET /index.html?username=foo&password=bar HTTP/1.1
    Host: www.example.com

    GET /index.html HTTP/1.1
    Host: www.example.com
    Authorization: Basic Zm9vOmJhcg==

("Zm9vOmJhcg==" is just "foo:bar" base64 encoded... same data, different representation)

Imagine I'm making requests without a browser. Do you still suggest that the first example should be 'ok' if I guess at parameters but the second should be 'bad'?

Secondly, I'm not sure what "real world" you're living in because of course people put passwords into urls! Sure it's not a great idea but it does happen. Search Google for "password in url".

More importantly... sessionids are also often put into urls. They're done for a variety of reasons, for example to get around cookies. However they can also be hijacked... So is it ok to 'guess' at sessionids as long as they are part of the url and not another header (e.g. cookies, like the authorization header)?