Guest Slavomir Tecl, posted March 14, 2012

I've got a web application running on Tomcat with Digest authentication. When I first enter the webapp in IE I'm asked for credentials, and it happens again without a reason, but not for every request. By inspecting incoming requests in Fiddler, and from the actual Authenticator implementation, I can see that cnonce values are reused and the nonce count gets incremented correctly, but the requests were sent in the wrong order. This one, with the auth header

Authorization: Digest username="admin",realm="Realm",nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="/webapp/images/admin_header.gif",cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000011,response="6ea0228612c2840f61f9a28ba06b30ea",qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"

came before the following one:

Authorization: Digest username="admin",realm="Realm",nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",uri="/webapp/images/section_header.gif",cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000010,response="560fea74f4019232cfaa357b080f942f",qop="auth",opaque="E1BD9E5F91846667D855156D6C7FCDC7"

which is considered an HTTP attack, as reported in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184, and therefore the server asks for credentials again. The requested resources were referenced from a CSS file; does that matter, and is there a way to solve this?
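As an added example (not part of the original post and not Tomcat's own DigestAuthenticator), the Python below reproduces the situation described: it computes the RFC 2617 Digest response with qop="auth", builds the two Authorization headers from the post using a constructed password ("s3cret" is assumed, since the real one is not known, so the recorded response hashes are not reproduced), and feeds them to a minimal server-side check that accepts a request only if its nonce count is higher than the last one accepted for that nonce. That strictly-increasing rule is the simplest form of the mitigation associated with CVE-2011-1184; Tomcat's actual nonce-count bookkeeping is not reproduced here. Delivered in the order the server saw them (nc=00000011 before nc=00000010), the second request is rejected even though its response hash is valid, which is the point at which a server issues a fresh 401 challenge.

```python
"""Added example: RFC 2617 Digest auth (qop="auth") response computation and a
minimal server-side nonce-count check of the kind associated with
CVE-2011-1184 (constructed for this post; not Tomcat's DigestAuthenticator)."""
import hashlib
import hmac
import re

# Matches key="quoted value" or key=bare_value inside a Digest header value.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

# The first Authorization header value from the post (copied verbatim).
SAMPLE_HEADER = (
    'Digest username="admin",realm="Realm",'
    'nonce="1331743957403:f9045aa37b855fd47a83365d1ca141fe",'
    'uri="/webapp/images/admin_header.gif",'
    'cnonce="be4f3408326bb74091fa129de6fca8c6",nc=00000011,'
    'response="6ea0228612c2840f61f9a28ba06b30ea",qop="auth",'
    'opaque="E1BD9E5F91846667D855156D6C7FCDC7"'
)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_header(value: str) -> dict:
    """Parse 'Digest k="v",k2=v2,...' into a dict of parameter -> value."""
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(params)}


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce, opaque):
    """Client side: produce the Authorization header value for one request."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}",realm="{realm}",nonce="{nonce}",'
            f'uri="{uri}",cnonce="{cnonce}",nc={nc},response="{response}",'
            f'qop="auth",opaque="{opaque}"')


class DigestServer:
    """Server side: verify the response hash, then require nc to increase."""

    def __init__(self, realm, users):
        self.realm = realm
        # Keep HA1 per user rather than the cleartext password.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.last_nc = {}  # nonce -> highest nonce count accepted so far

    def authenticate(self, method, header_value):
        p = parse_digest_header(header_value)
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return (False, "unsupported realm or qop")
        ha1 = self.ha1.get(p.get("username", ""))
        if ha1 is None:
            return (False, "unknown user")
        try:
            expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
            nc = int(p["nc"], 16)
        except (KeyError, ValueError):
            return (False, "malformed header")
        if not hmac.compare_digest(expected, p.get("response", "")):
            return (False, "bad response (wrong password or tampered request)")
        # Replay/reordering guard: each nonce count must exceed the last one
        # accepted for this nonce. A request arriving out of order fails here
        # even though its hash is valid.
        if nc <= self.last_nc.get(p["nonce"], 0):
            return (False, "nonce count not increasing (replay or reordering)")
        self.last_nc[p["nonce"]] = nc
        return (True, "ok")


def simulate_post_scenario():
    """Replay the post: nc=00000011 reaches the server before nc=00000010."""
    password = "s3cret"  # constructed; the real password is unknown
    server = DigestServer("Realm", {"admin": password})
    nonce = "1331743957403:f9045aa37b855fd47a83365d1ca141fe"
    cnonce = "be4f3408326bb74091fa129de6fca8c6"  # reused by the browser, as in the post
    opaque = "E1BD9E5F91846667D855156D6C7FCDC7"

    def request(uri, nc):
        return build_authorization("admin", "Realm", password, "GET", uri, nonce, nc, cnonce, opaque)

    # The browser numbered section_header.gif 0x10 and admin_header.gif 0x11,
    # but the server received them in the opposite order.
    arrival_order = [
        request("/webapp/images/admin_header.gif", "00000011"),
        request("/webapp/images/section_header.gif", "00000010"),
    ]
    return [server.authenticate("GET", h) for h in arrival_order]


if __name__ == "__main__":
    for ok, why in simulate_post_scenario():
        print("accepted" if ok else "rejected", "-", why)
```

Running the script prints one accepted and one rejected line; the rejected request carries a correct response hash and fails only on the nonce-count comparison, which is why re-issuing the challenge is the server's only option at that point. A real implementation that wants to tolerate the reordering the browser produced would have to track a window of recently seen counts per nonce instead of a single high-water mark, at the cost of accepting a bounded amount of reordering; that trade-off is the reader's to make and is not prescribed by the post.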