HTTP digest access authentication support #847

Closed
toufik-airane opened this issue Jul 19, 2021 · 1 comment · Fixed by #1811 or #1854
Labels
Priority: Low This issue can probably be picked up by anyone looking to contribute to the project, as an entry fix Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Enhancement Most issues will probably ask for additions or changes.

Comments

@toufik-airane
Contributor

Problem

Working on the Tieline Default Credentials - Create CVE-2021-35336 contribution by @pratikkhalane, we've encountered an HTTP digest access authentication mechanism.

Currently, my question is how to deal with the HTTP digest access authentication mechanism with the Nuclei engine?

Context

The HTTP digest access authentication mechanism is one of the methods a web server can use to negotiate credentials.
It requires an authentication workflow that can't be solved in one HTTP request:

  1. The client asks for a page that requires authentication but does not provide a username and password. Typically this is because the user simply entered the address or followed a link to the page.
  2. The server responds with the 401 "Unauthorized" response code, providing the authentication realm and a randomly generated, single-use value called a nonce.
  3. At this point, the browser will present the authentication realm to the user and prompt for a username and password.
  4. Once a username and password have been supplied, the client re-sends the same request but adds an authentication header that includes the response code.

Source: https://en.wikipedia.org/wiki/Digest_access_authentication

Use case study

# 1 Request

GET /assets/base/home.html HTTP/1.1

# 1 Response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Merlin", charset="UTF-8", nonce="60f5d836:98766089f76d486e3ddaf4fea94b915b", qop="auth"

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>

Note: the server sends a WWW-Authenticate header.

# 2 Request

GET /assets/base/home.html HTTP/1.1
Authorization: Digest username="admin", realm="Merlin", nonce="60f5db3d:90d0013a760bcad91f9a27b03448f9eb", uri="/assets/base/home.html", response="aa6346c035cb8cf83f429eb16e6eef20", qop=auth, nc=00000001, cnonce="838e6c899ad8ec33"

# 2 Response

HTTP/1.1 200 OK

<!DOCTYPE html><html>

Note: the client sends an Authorization with Digest type.

Solution

I would like to open a discussion regarding potential capabilities to deal with the HTTP digest access authentication mechanism.

Thank you for your attention.

@ehsandeep ehsandeep added the Type: Enhancement Most issues will probably ask for additions or changes. label Jul 29, 2021
@forgedhallpass forgedhallpass changed the title [feature] Dealing with HTTP digest access authentication Dealing with HTTP digest access authentication Nov 22, 2021
@forgedhallpass forgedhallpass added the Type: Discussion Some ideas need to be planned and discussed to come to a strategy. label Nov 22, 2021
@ehsandeep ehsandeep changed the title Dealing with HTTP digest access authentication HTTP digest access authentication support Mar 24, 2022
@ehsandeep ehsandeep added Priority: Low This issue can probably be picked up by anyone looking to contribute to the project, as an entry fix and removed Type: Discussion Some ideas need to be planned and discussed to come to a strategy. labels Mar 24, 2022
@ehsandeep
Member

ehsandeep commented Mar 24, 2022

curl -v --digest --user admin:secret http://example.com

go refs:

A possible approach could be to implement a new property Digest in https://github.com/projectdiscovery/retryablehttp-go/blob/6b8218ed5709ed176ae42db4754ad1bcfa908ee3/request.go#L23 that handles the digest authentication transparently using the request properties to obtain the URI path
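
The challenge/response exchange described in this issue, worked through in Go as an added example; it is not part of the thread and is not Nuclei or retryablehttp-go code. The names `ParseChallenge`, `Authorization` and `md5hex` are hypothetical, and the sketch assumes RFC 2617 digest with MD5 and `qop=auth` only, as in the capture above.

```go
package main

import (
	"crypto/md5"
	"fmt"
	"regexp"
	"strings"
)

// paramRe matches key="quoted" or key=token pairs (escaped quotes are not handled).
var paramRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|([^\s,]+))`)

// ParseChallenge reads the value of a "WWW-Authenticate: Digest ..." header (step 2).
func ParseChallenge(v string) (map[string]string, error) {
	v = strings.TrimSpace(v)
	if len(v) < 7 || !strings.EqualFold(v[:7], "Digest ") {
		return nil, fmt.Errorf("not a Digest challenge: %q", v)
	}
	c := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(v[7:], -1) {
		c[strings.ToLower(m[1])] = m[2] + m[3] // exactly one of the two groups matched
	}
	if c["realm"] == "" || c["nonce"] == "" {
		return nil, fmt.Errorf("challenge lacks realm or nonce")
	}
	return c, nil
}

func md5hex(s string) string { return fmt.Sprintf("%x", md5.Sum([]byte(s))) }

// Authorization builds the step-4 header (MD5, qop=auth); cnonce must be random per request.
func Authorization(c map[string]string, user, pass, method, uri, cnonce string, nc int) (string, error) {
	qops := "," + strings.ReplaceAll(c["qop"], " ", "") + ","
	if a := c["algorithm"]; (a != "" && !strings.EqualFold(a, "MD5")) || !strings.Contains(qops, ",auth,") {
		return "", fmt.Errorf("unsupported challenge: algorithm=%q qop=%q", a, c["qop"])
	}
	ha1, ha2, n := md5hex(user+":"+c["realm"]+":"+pass), md5hex(method+":"+uri), fmt.Sprintf("%08x", nc)
	resp := md5hex(strings.Join([]string{ha1, c["nonce"], n, cnonce, "auth", ha2}, ":"))
	out := fmt.Sprintf(`Digest username=%q, realm=%q, nonce=%q, uri=%q, response=%q, qop=auth, nc=%s, cnonce=%q`, user, c["realm"], c["nonce"], uri, resp, n, cnonce)
	if o := c["opaque"]; o != "" {
		out += fmt.Sprintf(", opaque=%q", o) // opaque must be echoed back unchanged
	}
	return out, nil
}

func main() { // challenge from "# 1 Response"; admin:secret from the curl comment; fixed cnonce for a reproducible run
	c, err := ParseChallenge(`Digest realm="Merlin", charset="UTF-8", nonce="60f5d836:98766089f76d486e3ddaf4fea94b915b", qop="auth"`)
	fmt.Println(c, err)
	fmt.Println(Authorization(c, "admin", "secret", "GET", "/assets/base/home.html", "838e6c899ad8ec33", 1))
}
```

The `Authorization` header shown in "# 2 Request" carries a different nonce from the challenge in "# 1 Response", so those two captures come from separate exchanges. A client has to answer with the nonce from the 401 it just received, which is why the flow cannot be expressed as a single static request.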

@Mzack9999 Mzack9999 self-assigned this Apr 5, 2022
@Mzack9999 Mzack9999 added the Status: In Progress This issue is being worked on, and has someone assigned. label Apr 5, 2022
@Mzack9999 Mzack9999 linked a pull request Apr 5, 2022 that will close this issue
@Mzack9999 Mzack9999 added Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Apr 5, 2022
@ehsandeep ehsandeep added Status: Completed Nothing further to be done with this issue. Awaiting to be closed. and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed labels Apr 15, 2022
@ehsandeep ehsandeep linked a pull request Apr 15, 2022 that will close this issue