Re: Web Brute
Posted by rawlogic on 12/10/2001 @ 11:43:07 PST
In Reply to: Re: Web Brute posted by Sedulous on 12/09/2001 @ 19:25:47 PST
[Follow Ups] [Post Followup] [Message Index]
Regarding HTTP Authentication: Many web developers carelessly
configure their .htaccess files so that everybody can
download and view them, which reveals the location of
the .htpasswd file, which, of course, contains the DES or MD5
hashes for the users' passwords. In an effort to be more
secure, most current versions of web servers no longer serve
these files to clients.
Regarding CGI/Form Authentication: The current version of Web
Brute cannot perfom a brute force username/password attack on
forms/cgi scripts. It is undecided whether this will be
included in a future release. There are programs out there
that will attempt to crack this type of authentication,
however these tools should only be used to test the security
of your own servers.
Post a Followup
Don't have an account yet? Click here.
If you have forgotten your password, click here.