There is a weird situation that I am stuck with regarding HTTP Basic Authentication.

Below is a hypothetical situation:

Let's say there is a certain domain, say https://myfacebook.com, and there is a certain URL such as https://myfacebook.com/view_my_profile?imgURL=anyImageURL that myfacebook.com has designed so their users can share their profile pictures with each other without even logging into the site.

anyImageURL can be any URL, assuming that myfacebook.com wants to give its users the flexibility to load any image here from any location.

Now, also to reiterate, let's assume that the URL can be accessed by anyone publicly without any authentication.

Now let's assume an attack scenario:

An attacker takes the URL https://myfacebook.com/view_my_profile?imgURL=anyImageURL from Google cache (which he finds using some Google dorks, for example) and replaces anyImageURL with a server that he has hosted, let's say http://attacker.com. And let's say that the attacker has configured http://attacker.com to serve a 401 page (HTTP Basic Auth page).

He then sends the following URL to the victim to make the victim issue a final request to: https://myfacebook.com/view_my_profile?imgURL=http://attacker.com

Now, when an UNSUSPECTING victim clicks on the URL https://myfacebook.com/view_my_profile?imgURL=http://attacker.com, the victim is presented with an HTTP BA pop-up and may be lured into entering his myfacebook.com credentials.

Now my question is:

If the victim does enter his credentials and submits them, WHERE WILL THESE CREDENTIALS GO? To the myfacebook.com server, because the page itself is being hosted on myfacebook.com, or to attacker.com, because the HTTP BA challenge came from attacker.com?

qre0ct

2 Answers


The credentials go to the server requesting them, in this case, the server serving the image. (attacker.com in your example.)

This is called a 401 phishing attack, and while rare, I have seen it in the wild so it is something that you need to consider if you're going to allow images to be loaded from arbitrary domains.

Xander
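The two mitigations implied by the answer above (do not embed arbitrary hosts in an <img> tag, and if remote images must be supported, proxy them so an upstream 401 never reaches the browser), as an added example that is not the original poster's or site's code; the allowlisted host names and the upstream responses are constructed sample values.

```python
"""Defensive handling of a user-supplied imgURL parameter (added example).

Mitigation 1: allowlist the hosts an imgURL may point at, so the generated
page never contains <img src="http://attacker.com/..."> at all.
Mitigation 2: if remote images are needed, fetch them server-side and relay
only real image bodies; an upstream 401 (and its WWW-Authenticate header) is
turned into a plain 404 so the browser never shows a Basic Auth dialog.
"""
from urllib.parse import urlsplit

# Assumed allowlist; a real site would use its own image CDN host names.
ALLOWED_IMAGE_HOSTS = {"cdn.myfacebook.com", "img.myfacebook.com"}


def is_allowed_image_url(url: str) -> bool:
    """Accept only https URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    # "https://cdn.myfacebook.com@attacker.com/" has hostname attacker.com;
    # rejecting any userinfo removes that whole class of look-alike URLs.
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in ALLOWED_IMAGE_HOSTS


def proxy_image(upstream):
    """Translate an upstream reply (status, headers, body) into what the
    proxy endpoint returns to the browser.  `upstream` is a constructed
    stand-in for an HTTP response object."""
    status, headers, body = upstream
    content_type = headers.get("Content-Type", "")
    if status != 200 or not content_type.startswith("image/"):
        # Auth challenges, redirects and non-image payloads all become a
        # fixed 404; no upstream header is copied, so WWW-Authenticate is gone.
        return 404, {"Content-Type": "text/plain"}, b"image unavailable"
    return 200, {"Content-Type": content_type}, body


if __name__ == "__main__":
    print(is_allowed_image_url("https://cdn.myfacebook.com/me.png"))   # True
    print(is_allowed_image_url("http://attacker.com/"))                 # False
    challenge = (401, {"WWW-Authenticate": 'Basic realm="login"'}, b"")
    print(proxy_image(challenge)[0])                                    # 404
```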

I suppose that the server takes the content of the imgURL parameter and uses it to construct an <img> tag that will be included in the generated web page.

To answer your question, in such a scenario the credentials will be sent to the server requesting authentication, i.e. attacker.com.

Anyway, this seems to me to be a duplicate of this thread.

WhiteWinterWolf