Issue with HTTP Basic Authentication passed to Web Interface from d...

Francisco
New member
Username: Pacolive

Post Number: 3
Registered: 11-2011
Posted on Tuesday, November 22, 2011 - 11:43 pm:   

Hi!

I am writing custom code in C# to perform an HTTP Basic Authentication bypass in order to let users log in directly from a webpage to the NowSMS Web Interface.

I've tried:

- Old "username:password@host" format (insecure, not allowed on IE anymore).

- On a C# ASP.NET application, I've managed to bypass basic authentication (by sending the username/password through "Authorization" headers on an HTTPWebRequest) and I finally unlocked the target page that is protected by htaccess (located on a different server, basic auth) and sent the stream back to the browser (for instance, I requested the TOCFrame.htm page).
The issue appears as soon as I click on one of the links of the menu: the basic auth logon box pops up again. I don't want the user to enter the username/password again.

Any idea on how to achieve this?
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 3613
Registered: 08-2008
Posted on Wednesday, November 23, 2011 - 03:25 pm:   

Hi Francisco,

With HTTP, the login credentials must be sent with each request. Any links in the HTML response generated by NowSMS will not include these credentials in the link. So if you send an HTTP request that includes login credentials, they will not be echoed back in the request.

My suggestion, based upon what you have done so far, would be to manipulate the response before returning it to the client. Change href values in the links to include the credentials, or change the links to go through your own server that filters the request before forwarding. If you want to include the credentials, it would be easiest to use URL parameters, &user=username&password=password


--
Des
NowSMS Support
Francisco
New member
Username: Pacolive

Post Number: 4
Registered: 11-2011
Posted on Wednesday, November 23, 2011 - 08:45 pm:   

Hi Des, thanks for the response!

That one seems to be a good approach; however, because the web server used by NowSMS is a black box, it has been hard for me to capture the username and password from the session, or the headers (I tried both with php, js) and pass them to the other webpage references.
Do you have any idea about how to do this? Or even better, an example of this option working?

Let's say for instance, that I want to load the default.htm page by setting the frames reference in this way..


<frameset framespacing=0 frameborder=0 border=0 cols="233,1*">
<frame name=LeftFrame src="http://username:password@host:8800/TOCFrame.htm" style='mso-linked-frame:auto'>
<frame name=MainFrame src="http://username:password@host:8800/Send%20Text%20Message.htm" style='mso-linked-frame:auto'>


Thank you again.
Francisco
New member
Username: Pacolive

Post Number: 5
Registered: 11-2011
Posted on Wednesday, November 23, 2011 - 09:38 pm:   

Maybe some @@Username@@ variable is available? I also tried this one but it doesn't work.
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 3617
Registered: 08-2008
Posted on Thursday, November 24, 2011 - 03:23 pm:   

Hi Francisco,

Unfortunately, I can't think of any other way to do it.

The issue is that NowSMS requires authentication for each request. So you can submit a single request, but any href links in the response will not include re-auth information.

The only solutions for the type of scenario that you describe that I can think of would be:

1.) Users do not interact directly with NowSMS web interface. Your scripts/pages perform HTTPWebRequest on behalf of your users and hide NowSMS completely.

2.) It is more difficult if you want to provide a wrapper for the whole interface, which is what we were discussing above. I'm not even sure my previous suggestion would work because you would also have to deal with form submissions.

Here are the modifications that would be required for the initial default.htm:

<frameset framespacing=0 frameborder=0 border=0 cols="233,1*">
<frame name=LeftFrame src="http://host:8800/TOCFrame.htm?user=username&password=password" style='mso-linked-frame:auto'>
<frame name=MainFrame src="http://host:8800/Send%20Text%20Message.htm?user=username&password=password" style='mso-linked-frame:auto'>

However, even if you add that, the next problem is that the username and password are not included in form submissions for actually sending a message.

To handle this, you'd need to look for </form>, and before the end of the form, add:

<input type="hidden" name="user" value="yourusername">
<input type="hidden" name="password" value="yourpassword">

But even this is going to work for the very next request only.

If your server/script is not involved in wrapping each request, NowSMS is not going to keep adding this information for subsequent requests.

The better solution would be to replace "http://host:8800/" with "http://yourserver/yourscript"

yourscript would act as a wrapper ... take whatever GET or POST submission was passed to it, and forward it to NowSMS, adding user=username and password=password to the query parameters.

All in all, it is a very difficult task.

NowSMS was not designed with the thought of facilitating #2.

If you can work within the limitations of #1, that is what I would recommend.

--
Des
NowSMS Support
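
The wrapper described in the last reply, as an added example that is not part of the original thread and is not NowSMS code: one function maps a request received by the wrapper to the NowSMS URL with user and password appended on the server side, the other rewrites links in the returned HTML so they point at the wrapper and carry no credentials to the browser. It is written in Python rather than C# so it can be run stand-alone; the base URLs reuse the thread's placeholders, and the sample query values and HTML are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

# Placeholders taken from the thread; replace with real values.
NOWSMS_BASE = "http://host:8800/"
WRAPPER_BASE = "http://yourserver/yourscript/"
CRED_KEYS = {"user", "password"}

# Matches href/src/action attributes, quoted or unquoted (regex rewriting is
# enough for an illustration; it does not handle values containing spaces).
ATTR_RE = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["']?)([^"'\s>]+)\2''', re.I)

def _without_creds(query):
    """Drop any user/password parameters from a query string."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k not in CRED_KEYS]

def upstream_url(path, query, user, password):
    """Build the NowSMS URL for a request the wrapper received.
    `path` is the decoded path after the script name. Credentials sent by
    the browser are discarded; the server-side ones are appended."""
    params = _without_creds(query) + [("user", user), ("password", password)]
    return NOWSMS_BASE + quote(path.lstrip("/")) + "?" + urlencode(params)

def rewrite_links(html):
    """Point absolute NowSMS links at the wrapper and strip credentials
    (userinfo and user/password parameters) before the HTML leaves the server."""
    target = urlsplit(NOWSMS_BASE).netloc
    def fix(m):
        parts = urlsplit(m.group(3))
        if parts.netloc.rpartition("@")[2].lower() != target:
            return m.group(0)  # relative link or another site: leave as is
        query = urlencode(_without_creds(parts.query))
        url = WRAPPER_BASE + parts.path.lstrip("/") + ("?" + query if query else "")
        return m.group(1) + m.group(2) + url + m.group(2)
    return ATTR_RE.sub(fix, html)

# Constructed sample page, modelled on the frames quoted in the thread.
SAMPLE = (
    '<frame name=LeftFrame src="http://username:password@host:8800/TOCFrame.htm">\n'
    '<a href="http://host:8800/Send%20Text%20Message.htm?user=username&password=password">Send</a>\n'
    '<a href="TOCFrame.htm">menu</a>\n'
    '<a href=http://example.org/>other</a>'
)

if __name__ == "__main__":
    print(upstream_url("Send Text Message.htm", "Text=hi&user=x", "svc", "s3cret"))
    print(rewrite_links(SAMPLE))
```

Relative links are left untouched because they already resolve against the wrapper's URL. With this layout the wrapper is the only place a user can be authenticated, so it needs its own login check in front of these functions.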