Can Javascript do Basic Auth in IE6?

Discussion in 'Javascript' started by Dave, Jun 14, 2005.

  1. Dave

    Dave Guest

    A Microsoft security patch disabled URLs of the format

    http://username:/someresource

    There are programmatic ways to get around this but I can't find an
    example in Javascript.

    I've seen the MSDN knowledge base article on the subject

    http://support.microsoft.com/kb/834489/

    The registry hack is no good for customers. We can't make them edit
    their registry.

    I think it is possible to access an ActiveX object that will allow the
    username and password to be set programmatically.

    Under IE Javascript is capable of handling ActiveX objects. Is it
    possible to access sites with Basic Auth by allowing Javascript to set
    the username and password?

    Example code would be great.

    Thanks for any help!
     
    Dave, Jun 14, 2005
    #1

  2. In article <>,
    noemail@anyaddressiown_invalid.com says...
    > A Microsoft security patch disabled URLs of the format
    >
    > http://username:/someresource
    >
    > There are programmatic ways to get around this but I can't find an
    > example in Javascript.
    >
    > I've seen the MSDN knowledge base article on the subject
    >
    > http://support.microsoft.com/kb/834489/
    >
    > The registry hack is no good for customers. We can't make them edit
    > their registry.
    >
    > I think it is possible to access an ActiveX object that will allow the
    > username and password to be set programmatically.
    >
    > Under IE Javascript is capable of handling ActiveX objects. Is it
    > possible to access sites with Basic Auth by allowing Javascript to set
    > the username and password?


    Possibly, but what security is there in sending usernames and passwords
    to the client, in clear text?

    --
    Hywel

    Kill the Crazy Frog
    http://www.petitiononline.com/crzyfrg/
     
    Hywel Jenkins, Jun 15, 2005
    #2

  3. Dave

    Dave Guest

    Not bullet proof but that is the way some resources protect themselves.

    It's still an improvement because the username and password don't appear
    in the source of the webpage.

    So now, if you want to steal the username and password you need a proxy
    or packet sniffer, not just a browser with a "View Source" option.

    In any case, do you have any information on how it's done?


    In article <>,
    says...
    > In article <>,
    > noemail@anyaddressiown_invalid.com says...
    > > A Microsoft security patch disabled URLs of the format
    > >
    > > http://username:/someresource
    > >
    > > There are programmatic ways to get around this but I can't find an
    > > example in Javascript.
    > >
    > > I've seen the MSDN knowledge base article on the subject
    > >
    > > http://support.microsoft.com/kb/834489/
    > >
    > > The registry hack is no good for customers. We can't make them edit
    > > their registry.
    > >
    > > I think it is possible to access an ActiveX object that will allow the
    > > username and password to be set programmatically.
    > >
    > > Under IE Javascript is capable of handling ActiveX objects. Is it
    > > possible to access sites with Basic Auth by allowing Javascript to set
    > > the username and password?

    >
    > Possibly, but what security is there in sending usernames and passwords
    > to the client, in clear text?
    >
    >
     
    Dave, Jun 15, 2005
    #3
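
Added example, not part of any post in this thread: replies #2 and #3 turn on the fact that Basic Auth credentials travel base64-encoded rather than encrypted, so a proxy, a sniffer or the page's own script can read them back. The Node.js sketch below builds and decodes the header and flags requests sent over plain http; the hosts, user names and passwords are constructed sample data.

```javascript
// Added example: Basic Auth is base64 encoding, not encryption (RFC 7617).
// All hosts, user names and passwords below are constructed sample data.

// Header value a client sends: "Basic " + base64(username ":" password).
function buildBasicHeader(username, password) {
  if (username.includes(":")) throw new Error("username must not contain ':'");
  return "Basic " + Buffer.from(username + ":" + password, "utf8").toString("base64");
}

// Recover credentials from an Authorization header value.
// Returns null for other schemes or malformed payloads.
function parseBasicHeader(value) {
  const m = /^Basic +([A-Za-z0-9+\/]+={0,2})$/i.exec(String(value).trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // split on the first colon only:
  if (sep < 0) return null;         // the password may itself contain ':'
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Review request records (as a proxy log would hold them) and report each
// one whose credentials can be read back without any key.
function auditRequests(requests) {
  const findings = [];
  for (const req of requests) {
    const creds = parseBasicHeader(req.authorization || "");
    if (!creds) continue;
    findings.push({
      url: req.url,
      username: creds.username,
      // Plain http: any on-path observer can read the header.
      // https: still visible to the endpoints and to the sending script.
      exposedOnNetwork: !/^https:\/\//i.test(req.url),
    });
  }
  return findings;
}

const header = buildBasicHeader("alice", "s3cret:with:colons");
const sampleRequests = [
  { url: "http://intranet.example/report", authorization: header },
  { url: "https://intranet.example/report", authorization: header },
  { url: "http://intranet.example/public", authorization: "Bearer abc123" },
  { url: "http://intranet.example/open" },
];
console.log(auditRequests(sampleRequests));
```
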
  4. Dave

    Nathan Guest

    Do it on the server.

    Best way to lock it down is by having either a server-side script to do
    authorization, or use a .htaccess file (Apache) to prompt.
     
    Nathan, Jun 15, 2005
    #4
  5. Dave

    Dave Guest

    In article <>,
    says...
    > Do it on the server.
    >
    > Best way to lock it down is by having either a server-side script to do
    > authorization, or use a .htaccess file (Apache) to prompt.
    >
    >

    Our servers may not have access to the protected resource due to our
    customers' network topology, firewalls or whatever.

    We need to produce a page that will give our customers direct access to
    Basic Auth resources. We can't always do it on the server.

    In any case, I finally figured out the code and I'll post the answer
    later.
     
    Dave, Jun 15, 2005
    #5
  6. Dave

    Dave Guest

    Yes it can, in at least one way:

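    function getDoc(url, username, password) {
        // WinHTTP COM object; requires ActiveX, so IE / Windows only
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");

        // Synchronous GET (third argument false = not asynchronous)
        WinHttpReq.Open("GET", url, false);
        // Flag 0 = credentials are for the server (1 would be the proxy)
        WinHttpReq.SetCredentials(username, password, 0);
        WinHttpReq.Send();
        if (WinHttpReq.Status == 200) {
            // Write the fetched body into the current page
            document.write(WinHttpReq.ResponseText);
        }
    }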

    The above JavaScript method seems to successfully get a password
    protected resource in IE6 that used to be accessible through a URL of
    the format

    http://username:/someresource

    before.

    Any obvious problems with the code?



    In article <>,
    noemail@anyaddressiown_invalid.com says...
    > A Microsoft security patch disabled URLs of the format
    >
    > http://username:/someresource
    >
    > There are programmatic ways to get around this but I can't find an
    > example in Javascript.
    >
    > I've seen the MSDN knowledge base article on the subject
    >
    > http://support.microsoft.com/kb/834489/
    >
    > The registry hack is no good for customers. We can't make them edit
    > their registry.
    >
    > I think it is possible to access an ActiveX object that will allow the
    > username and password to be set programmatically.
    >
    > Under IE Javascript is capable of handling ActiveX objects. Is it
    > possible to access sites with Basic Auth by allowing Javascript to set
    > the username and password?
    >
    > Example code would be great.
    >
    > Thanks for any help!
    >
     
    Dave, Jun 16, 2005
    #6
  7. Dave

    Grant Wagner Guest

    "Dave" <noemail@anyaddressiown_invalid.com> wrote in message
    news:...
    > Yes it can, in at least one way:
    >
    > function getDoc(url,username,password){
    >     var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    >
    >     WinHttpReq.Open("GET", url, false);
    >     WinHttpReq.SetCredentials(username,password,0);
    >     WinHttpReq.Send();
    >     if (WinHttpReq.Status==200){
    >         document.write(WinHttpReq.ResponseText);
    >     }
    > }
    >
    > The above JavaScript method seems to successfully get a password
    > protected resource in IE6 that used to be accessible through a URL of
    > the format
    >
    > http://username:/someresource
    >
    > before.
    >
    > Any obvious problems with the code?


    Any obvious problems with the code other than the fact that if you
    include the code on a page on your Internet site and attempt to browse
    the site with Internet Explorer in the default configuration you get an
    "Automation server can't create object" error?

    --
    Grant Wagner <>
    comp.lang.javascript FAQ - http://jibbering.com/faq
     
    Grant Wagner, Jun 24, 2005
    #7