Basic authentication against automated attacks

on 28.02.2006 01:16:05 by Bulent

Is basic authentication useful against automated attacks (e.g. those
attacks using buffer overflows)?

Regards,
Bulent

Re: Basic authentication against automated attacks

on 28.02.2006 04:19:54 by Ken Schaefer

It depends if the buffer overflow occurs in a component that's invoked
before/after the Authentication process is invoked.

If there's a buffer overflow in the TCP/IP stack, then that can be exploited
before IIS even sees the request.

Cheers
Ken


"Bulent" wrote in message
news:1141085765.104878.299500@e56g2000cwe.googlegroups.com...
: Is basic authentication useful against automated attacks (e.g. those
: attacks using buffer overflows)?
:
: Regards,
: Bulent
:

Re: Basic authentication against automated attacks

on 28.02.2006 05:10:31 by Bulent

Ken,

Thank you for your quick response.

I assume that a much greater number of components would be involved
"after" the authentication process. If this assumption is correct, is
it fair to say that basic authentication (with SSL) would minimise the
risk of such attacks (buffer overflow) being successful?

Thanks again,
Bulent

Re: Basic authentication against automated attacks

on 28.02.2006 05:18:30 by Ken Schaefer

"Bulent" wrote in message
news:1141099831.090526.260730@i40g2000cwc.googlegroups.com...
: Ken,
:
: Thank you for your quick response.
:
: I assume that a much greater number of components would be involved
: "after" the authentication process. If this assumption is correct, is
: it fair to say that basic authentication (with SSL) would minimise the
: risk of such attacks (buffer overflow) being successful?

Yes. Anything that prevents the payload from getting to the vulnerable
component would help.

So, requiring SSL would stop any attack that only operated over HTTP.
Using Host-Headers would stop any attack that didn't supply a Host: HTTP header.
Using Basic Auth (or any Auth) would stop attacks that couldn't supply a username/password.
All of this does assume that the affected component is after the barrier.

Mostly this will stop automated attacks - manual attacks are a different
matter (but generally manual attacks would be directed against valuable
servers, not a server you might have sitting at home running your personal
website).

Cheers
Ken
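
A server-side way to see which of the barriers described above rejected a request, as an added example that is not part of the original thread. It assumes IIS W3C extended logging with the fields shown and IIS sub-status 403.4 for "SSL required"; the log lines, addresses and function names are constructed for illustration, and host-header rejections are not covered.

```python
from collections import Counter

# Constructed sample (not from the thread): IIS W3C extended log lines.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus
2006-02-28 04:00:01 GET /default.aspx 80 - 192.0.2.10 403 4
2006-02-28 04:00:02 GET /scripts/probe.dll 443 - 192.0.2.11 401 2
2006-02-28 04:00:03 GET /default.aspx 443 - 192.0.2.11 401 2
2006-02-28 04:00:04 GET /default.aspx 443 - 198.51.100.7 401 2
2006-02-28 04:00:09 GET /default.aspx 443 alice 198.51.100.7 200 0
"""

def parse(log_text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def barrier(rec):
    """Return the barrier that rejected the request, or None if it got through."""
    if (rec["sc-status"], rec["sc-substatus"]) == ("403", "4"):
        return "ssl-required"      # assumption: IIS sub-status 403.4
    if rec["sc-status"] == "401":
        return "authentication"    # no valid username/password supplied
    return None

def summarize(log_text):
    """Count rejections per barrier and list clients that never got past one."""
    stopped, blocked_ips, passed_ips = Counter(), set(), set()
    for rec in parse(log_text):
        hit = barrier(rec)
        if hit is None:
            passed_ips.add(rec["c-ip"])   # reached code behind the barriers
        else:
            stopped[hit] += 1
            blocked_ips.add(rec["c-ip"])
    # A browser also gets one 401 before it sends credentials, so only clients
    # that were rejected and never succeeded are reported.
    return dict(stopped), sorted(blocked_ips - passed_ips)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Requests that are not attributed to a barrier are the ones that reached components behind it, which is where the caveat about the affected component being after the barrier applies.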

Re: Basic authentication against automated attacks

on 28.02.2006 06:04:30 by Bulent

This is the answer I needed.

Thank you very much.