Raw Logic Discussion Board


	Re: Web Brute Posted by rawlogic on 12/10/2001 @ 11:43:07 PST In Reply to: Re: Web Brute posted by Sedulous on 12/09/2001 @ 19:25:47 PST [Follow Ups] [Post Followup] [Message Index] Regarding HTTP Authentication: Many web developers carelessly configure their .htaccess files so that everybody can download and view them, which reveals the location of the .htpasswd file, which, of course, contains the DES or MD5 hashes for the users' passwords. In an effort to be more secure, most current versions of web servers no longer serve these files to clients. Regarding CGI/Form Authentication: The current version of Web Brute cannot perfom a brute force username/password attack on forms/cgi scripts. It is undecided whether this will be included in a future release. There are programs out there that will attempt to crack this type of authentication, however these tools should only be used to test the security of your own servers. Follow Ups: Post a Followup Username: Password: Subject: Comments: : Regarding HTTP Authentication: Many web developers carelessly : configure their .htaccess files so that everybody can : download and view them, which reveals the location of : the .htpasswd file, which, of course, contains the DES or MD5 : hashes for the users' passwords. In an effort to be more : secure, most current versions of web servers no longer serve : these files to clients. : Regarding CGI/Form Authentication: The current version of Web : Brute cannot perfom a brute force username/password attack on : forms/cgi scripts. It is undecided whether this will be : included in a future release. There are programs out there : that will attempt to crack this type of authentication, : however these tools should only be used to test the security : of your own servers. Optional Link URL: Link Title: Optional Image URL: Don't have an account yet? Click here. If you have forgotten your password, click here.