Example Problems - Authentication URL
http://www.mysite.com/cgi-bin/myapplication.pl?value1=123&value2=812&format=fmt1&bleh=blehbleh&stuff=morestuff&username=myuser&other=info&etc=etc
This URL is an example of two problems. The first is passing authentication information in plaintext within the URL. The second is that the username alone is passed, leaving intruders free to simply replace the username with one of their choosing (i.e., the username and password check is performed at one location only).
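The second problem and one way to close it, as an added example that is not code from the original page: a Python stand-in for the CGI handler, first trusting the `username` parameter as the URL above does, then deriving identity on every request from an HMAC-signed token issued at login. The key, account names, passwords and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment signing key


def _record(password):
    """Salted PBKDF2 record for the constructed account store below."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample accounts, not from the original page.
ACCOUNTS = {"myuser": _record("correct horse"), "otheruser": _record("battery staple")}


def _tag(username):
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def login(username, password):
    """Check the password once, then issue a token bound to that username."""
    salt, stored = ACCOUNTS.get(username, (b"\0" * 16, b""))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not stored or not hmac.compare_digest(candidate, stored):
        return None
    return f"{username}.{_tag(username)}"


def user_from_token(token):
    """Return the username only if the token's HMAC verifies, else None."""
    username, _, tag = (token or "").rpartition(".")
    if username and hmac.compare_digest(tag.encode(), _tag(username).encode()):
        return username
    return None


def handle_vulnerable(url):
    """The pattern on the page: identity is whatever the URL claims."""
    return parse_qs(urlsplit(url).query).get("username", [None])[0]


def handle_hardened(url, session_token):
    """Every request re-verifies the token; a username in the URL is ignored."""
    return user_from_token(session_token)
```

A production token would also carry an expiry and be sent in a Secure, HttpOnly cookie over HTTPS rather than in the query string, which addresses the first problem as well.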