Re: Browser refresh sends username/password after log out -- URGENT
From: Imre Kertesz (ikerteszfastq.com)
Date: Tue Aug 05 2003 - 10:25:02 CDT
If I understand this correctly, the application is allowing caching of the credentials. One way to discourage this, from the application's perspective, is to include a script function such as <FORM AUTOCOMPLETE="off"> within the splash page script, as well as the appropriate Cache-Control directive (e.g. "Cache-Control: no-cache").

Just the fact that this caching of credentials is possible within a banking application makes the app a potential target for attackers who may see it as a treasure trove of vulnerabilities.
K Kohli wrote:
> I am into remote application testing for a critical
> banking application. The following points will make
> the question clear
> 1) We login and browse the banking site, do
> transactions etc and then logout from there.
> 2)We get a page saying you have been successfully
> logged out
> 3) Now we do a Back and refresh on the browser
> window and we get a pop up "The page cannot be
> refreshed without resending the information. Press
> retry to sending it again ...." .
> 4) From here we say "Retry" and watch the data
> going in a Web Proxy.
> 5) We are able to see the Username and password
> again being sent to the server. When we compare
> this request with the one sent from the first login
> page (where we give the username/password), both
> are exactly the same. I feel that the same request
> is being resent. This is a great security risk as
> the credentials are being passed again.
> 6) Can anyone explain this behaviour and how to
> avoid the resubmission of the credentials.
> 7) How many requests does the browser window store
> in its temporary cache.
> " DON'T WORRY BE HAPPY,
> EVERY NIGHT YOU HAVE SOME TROUBLE,
> IF YOU WORRY YOU MAKE IT DOUBLE,
> SO DON'T WORRY BE HAPPY NOW...."
-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by"
-A maxim of patience, author unknown
PGP ID: 0x1C1E5054
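A minimal server-side implementation of the mitigations Imre describes, as an added example that is not part of either post: it sends no-store cache headers on the login and logout responses, serves the form with autocomplete="off", and (going beyond the reply) answers the credential POST with a 303 redirect so that Back plus Refresh re-fetches a GET rather than re-posting the password. The route names, the demo user, the cookie name and the plain WSGI-style (status, headers, body) return shape are assumptions.

```python
import hmac
from urllib.parse import parse_qs

# Sent with every page of the login/logout flow. "no-store" (not merely
# "no-cache") tells the browser and any proxy to keep no copy at all;
# Pragma/Expires cover HTTP/1.0 caches.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

# autocomplete="off" discourages the browser from remembering the
# credential fields (the FORM AUTOCOMPLETE suggestion in the reply).
LOGIN_FORM = (b'<form method="POST" action="/login" autocomplete="off">'
              b'<input name="user"><input name="pass" type="password">'
              b'<input type="submit" value="Log in"></form>')

DEMO_USERS = {"alice": "correct horse"}  # constructed demo credential store


def check_credentials(user, password):
    """Demo check only; a real application compares a salted password hash."""
    return hmac.compare_digest(DEMO_USERS.get(user, ""), password)


def login_response(method, body):
    """Handle GET or POST /login; returns (status, headers, body).

    A successful POST is answered with 303 See Other (Post/Redirect/Get), so
    the history entry for the landing page is a GET: Back plus Refresh
    re-fetches /account instead of re-posting the password.
    """
    html = [("Content-Type", "text/html")] + NO_STORE_HEADERS
    if method == "GET":
        return "200 OK", html, LOGIN_FORM
    form = parse_qs(body.decode())
    user, password = form.get("user", [""])[0], form.get("pass", [""])[0]
    if check_credentials(user, password):
        headers = [("Location", "/account"),
                   ("Set-Cookie", "sid=demo-session; HttpOnly; Secure; Path=/")]
        return "303 See Other", headers + NO_STORE_HEADERS, b""
    return "401 Unauthorized", html, b"<p>Login failed</p>"


def logout_response():
    """Expire the session cookie; the logged-out page itself is never cached."""
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "sid=; Max-Age=0; Path=/")] + NO_STORE_HEADERS
    return "200 OK", headers, b"You have been successfully logged out"
```

Note that the redirect only keeps the credential POST out of the refreshable history entry; the browser's own "resend the information" prompt on a stale POST is browser behaviour the server cannot switch off.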