We are thinking about using Windows Integrated Authentication on our IIS website for determining the user's Windows login when visiting our intranet website.
Our concern is whether it's possible to spoof the CGI.AUTH_USER or CGI.REMOTE_USER variables? I've read Jason Dean's article on spoofing CGI variables (here: http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11) and a few other articles on the subject, but haven't found anything concrete. I have tried Jason's cfhttp call to our site but am unable to set any variables - which I think is a good thing. Here is the code that I have tried so far for both REMOTE_USER and AUTH_USER.
<cfhttp method="post" url="index.cfm" result="myVar">
<cfhttpparam type="url" name="method" value="test">
<!--- the 3 lines below did not work --->
<cfhttpparam type="header" name="REFERER" value="anotherpage.cfm">
<cfhttpparam type="header" name="REMOTE_HOST" value="123.45.67.8">
<cfhttpparam type="header" name="AUTH_USER" value="domain/spoofuser">
<!--- the line below did not work --->
<cfhttpparam type="cgi" name="AUTH_USER" value="domain/spoofuser">
<!--- the line below did not work --->
<cfhttpparam type="cgi" name="HTTP_AUTH_USER" value="domain/spoofuser">
<cfhttpparam type="formfield" name="entryid" value="blah">
</cfhttp>
Is there anything, such as variable names or method of attack, that I should be doing differently?
The first thing to note is that the AUTH_USER and REMOTE_USER have nothing to do with the Windows Integrated Authentication AKA NTLM authentication process. They are provided by the web server AFTER the NTLM authentication process has been completed.
The actual NTLM authentication process goes something like this.
Client requests resource protected by NTLM on the web server.
The web server responds to the client with a 401.1 HTTP response asking for the user.
If the client understands this, it responds with the user.
The web server responds to the client with a 401.2 HTTP response asking for the password.
The client responds with the password (or something that represents it).
If the web server can validate these credentials, it responds with a 200 HTTP response with the requested resource. At this point it will populate the CGI variables with values such as AUTH_USER and REMOTE_USER.
I am sure there are possible attack vectors that can allow unintended access through the NTLM protection. There is no such thing as 100% guaranteed security. But spoofing the AUTH_USER shouldn't matter.
The only CGI variables that can be "spoofed" by the browser are those that (a) come directly from the browser, like HTTP_USER_AGENT, and (b) won't prevent the browser from receiving a response. Most of these begin with "HTTP_". Other CGI variables, like AUTH_USER, don't come from the browser, but instead come from the web server and/or CF itself.
Dave Watts, CTO, Fig Leaf Software
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
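The two answers above (the server populating AUTH_USER/REMOTE_USER only after its own authentication step, and client headers only ever landing in the HTTP_* namespace) can be illustrated with the header-to-variable mapping a CGI-style server performs. This is an added example, not code from the thread or from ColdFusion/IIS; the function names are assumptions, and the mapping follows RFC 3875.

```python
# Added example: how a CGI-style server builds its variable set, showing why a
# client-sent "AUTH_USER" header cannot replace the server-populated
# AUTH_USER / REMOTE_USER values. Names below are assumptions for illustration.

# Variables the server derives from its own authentication step; a client
# header can never write these keys directly.
SERVER_OWNED = {"AUTH_USER", "REMOTE_USER", "AUTH_TYPE", "REMOTE_HOST"}


def header_to_cgi_name(header_name):
    """RFC 3875 mapping: uppercase, '-' -> '_', prefixed with 'HTTP_'.

    (Real servers special-case Content-Type/Content-Length; omitted here.)
    """
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_environ(request_headers, authenticated_user=None, auth_type=None):
    """Build the CGI variable dict a server hands to the application.

    request_headers: list of (name, value) pairs exactly as the client sent them.
    authenticated_user: the principal the server itself verified (e.g. after
    the NTLM 401 exchange), or None when the resource is anonymous.
    """
    environ = {}
    for name, value in request_headers:
        # Every client header lands in the HTTP_* namespace, so a header named
        # "AUTH_USER" becomes HTTP_AUTH_USER and cannot collide with AUTH_USER.
        environ[header_to_cgi_name(name)] = value
    # Only the server's own authentication result populates these keys.
    if authenticated_user is not None:
        environ["AUTH_USER"] = authenticated_user
        environ["REMOTE_USER"] = authenticated_user
        environ["AUTH_TYPE"] = auth_type or ""
    return environ


def spoofed_auth_attempts(environ):
    """Defender check: client headers that imitate server-owned variables.

    Worth logging; their presence is a signal, not a successful spoof.
    """
    return sorted(k for k in environ
                  if k.startswith("HTTP_") and k[len("HTTP_"):] in SERVER_OWNED)


if __name__ == "__main__":
    # Constructed request resembling the cfhttp call in the question.
    headers = [("User-Agent", "ColdFusion"), ("AUTH_USER", "domain/spoofuser"),
               ("REMOTE_HOST", "123.45.67.8"), ("Referer", "anotherpage.cfm")]
    env = build_cgi_environ(headers, authenticated_user="CORP\\alice", auth_type="Negotiate")
    print(env["AUTH_USER"], env.get("HTTP_AUTH_USER"), spoofed_auth_attempts(env))
```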
Thank you for the responses, this is really good information. Much appreciated!