Currently, Nessus supports two authentication methods:
- "Basic", which sends "login:pass" encoded in Base64
Note that we do not support multiple "realms".
- SSLv3 client certificates
RFC2617 also defines the "Digest" authentication.
Supporting this would be much harder than the two previous ones: as we
have to reply to a challenge, we should change the structure of all
the CGI plugins. I thought of something like a http_send() function
which sends the request, handles the authentication challenge if
necessary, and returns the HTTP code.
It is possible to handle all this with a very dirty hack in the
send() and recv() functions, but I really do not like this.
However, AFAIK, Digest authentication is not (widely?) used. It
protects against password sniffing, but Basic authentication in an SSL
pipe is safer.
Do we need Digest? Is it worth the development cost?
Much more common is a classic login form. Once the username & password
have been posted, the server sets a cookie or adds a session ID in the
URL. The URL way is probably a bad idea and it seems that everybody
dropped it now.
The login form & session cookie could be implemented very easily.
We would just have to set:
- the form URL, method (probably POST) fields and values
- the cookie name, if necessary
Something like:
POST, /login.cgi, username=nessus&password=test&rememberme=1
(BTW, would a "cookie jar" be useful for any other purpose?)
Is there any other common web authentication method?
--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI of fr.comp.securite : http://faqnopi.da.ru/
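As an added illustration (not code from the post or from Nessus), here is the header arithmetic an http_send()-style helper would need for the two header-based schemes discussed: building a Basic credential and answering an RFC 2617 Digest challenge. The function names are my own; the challenge, credentials and expected response are the RFC's own section 3.5 example, embedded as constructed input so it runs offline.

```python
import base64
import hashlib
import re
import secrets

# Hypothetical helper names; the RFC 2617 section 3.5 example is used as input.

def basic_header(user: str, password: str) -> str:
    """Authorization value for 'Basic': base64 of "login:pass" (clear text unless over SSL)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_auth_params(header: str) -> dict:
    """Split a 'Digest ...' WWW-Authenticate or Authorization value into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    # values are either quoted ("a,b") or bare tokens (qop=auth, nc=00000001)
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}


def digest_header(user, password, method, uri, challenge, nc=1, cnonce=None):
    """Answer a Digest challenge (MD5 algorithm, qop=auth or the older qop-less form)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")               # qop=auth-int would also hash the body
    qops = [q.strip() for q in challenge.get("qop", "").split(",")]
    if "auth" in qops:
        cnonce = cnonce or secrets.token_hex(8)  # client nonce, fresh per challenge
        ncv = f"{nc:08x}"                         # request counter under this server nonce
        response = md5(f"{ha1}:{nonce}:{ncv}:{cnonce}:auth:{ha2}")
        extra = f', qop=auth, nc={ncv}, cnonce="{cnonce}"'
    else:
        response = md5(f"{ha1}:{nonce}:{ha2}")   # RFC 2069 compatibility form
        extra = ""
    hdr = (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
           f'uri="{uri}", response="{response}"{extra}')
    if "opaque" in challenge:                    # must be echoed back unchanged
        hdr += f', opaque="{challenge["opaque"]}"'
    return hdr


# Constructed from the RFC 2617 section 3.5 example; a server sends this with a 401.
RFC2617_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                     'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                     'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
```

A client resends the request with the returned header as Authorization, and increments nc for each further request made under the same server nonce.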