I did this
curl -Lv "http://unknown:invalid@httpbin.org/redirect-to?url=http://user:pass@httpbin.org/basic-auth/user/pass"
I expected the following
{
"authenticated": true,
"user": "user"
}
Curl to use the password provided in the Location: header instead of the original value. When opening the URL in Chrome the redirect occurs with the new credentials.
Curl picks up the username and sent that with the redirected request, password was kept with the original value of invalid instead of pass.
I got this
HTTP/1.1 401 UNAUTHORIZED
* Trying 54.210.149.139:80...
* Connected to httpbin.org (54.210.149.139) port 80 (#0)
* Server auth using Basic with user 'unknown'
> GET /redirect-to?url=http://user:pass@httpbin.org/basic-auth/user/pass HTTP/1.1
> Host: httpbin.org
> Authorization: Basic dW5rbm93bjppbnZhbGlk
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 302 FOUND
< Date: Sat, 08 Jul 2023 05:51:30 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Server: gunicorn/19.9.0
< Location: http://user:pass@httpbin.org/basic-auth/user/pass"
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host httpbin.org left intact
* Issue another request to this URL: 'http://user:pass@httpbin.org/basic-auth/user/pass"'
* Found bundle for host: 0x6000032ec060 [serially]
* Can not multiplex, even if we wanted to
* Re-using existing connection #0 with host httpbin.org
* Server auth using Basic with user 'user'
> GET /basic-auth/user/pass" HTTP/1.1
> Host: httpbin.org
> Authorization: Basic dXNlcjppbnZhbGlk
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 401 UNAUTHORIZED
< Date: Sat, 08 Jul 2023 05:51:36 GMT
< Content-Length: 0
< Connection: keep-alive
< Server: gunicorn/19.9.0
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Fake Realm"
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
<
* Connection #0 to host httpbin.org left intact
curl/libcurl version
curl 7.88.1 (x86_64-apple-darwin22.0) libcurl/7.88.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.51.0
Release-Date: 2023-02-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets
and
curl 8.1.2 (x86_64-apple-darwin22.4.0) libcurl/8.1.2 (SecureTransport) OpenSSL/1.1.1u zlib/1.2.11 brotli/1.0.9 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.54.0 librtmp/2.3
Release-Date: 2023-05-30
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
operating system
Darwin iMac.local 22.5.0 Darwin Kernel Version 22.5.0: Mon Apr 24 20:51:50 PDT 2023; root:xnu-8796.121.2~5/RELEASE_X86_64 x86_64
I did this
I expected the following
Curl to use the password provided in the Location: header instead of the original value. When opening the URL in Chrome the redirect occurs with the new credentials.
Curl picks up the username and sent that with the redirected request, password was kept with the original value of invalid instead of pass.
I got this
HTTP/1.1 401 UNAUTHORIZED
curl/libcurl version
curl 7.88.1 (x86_64-apple-darwin22.0) libcurl/7.88.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.51.0
Release-Date: 2023-02-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets
and
curl 8.1.2 (x86_64-apple-darwin22.4.0) libcurl/8.1.2 (SecureTransport) OpenSSL/1.1.1u zlib/1.2.11 brotli/1.0.9 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.54.0 librtmp/2.3
Release-Date: 2023-05-30
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
operating system
Darwin iMac.local 22.5.0 Darwin Kernel Version 22.5.0: Mon Apr 24 20:51:50 PDT 2023; root:xnu-8796.121.2~5/RELEASE_X86_64 x86_64