0. Introduction

This is a quick note on HTTP authentication mechanisms and the way
they are implemented by Nessus. 

The standard mechanisms are:
  1. Basic authentication
  2. Digest authentication
  3. X.509 client certificates
And we may add:
  4. NTLM authentication
  5. HTTP login form
  6. .NET framework

1. Basic authentication

When the client requests a protected page, the server answers with a
401 code which includes a "realm". The client must send back a
username and password valid for this realm.
This method is insecure because the data is just base64-encoded, so
it can be sniffed and replayed. HTTPS/SSL is good enough to protect
the communication when a higher level of security is required.

Nessus implementation is simple and limited:
- we do not support multiple realms.
- The base64 encoded string username:password is computed by
  logins.nasl, stored in the KB as "http/auth" and sent with any
  request, without waiting for the 401 code

2. Digest authentication

It is defined by RFC 2069. 
The server 401 answer includes a random challenge. The client sends
back a hash of the password and the challenge (and a few other
things). 
Although the data may be sniffed, it cannot be played back easily.

This method is much safer, but it is implemented in different ways by
Netscape or Internet Explorer. So there is a portability problem, and
most servers which support it although support the basic
authentication. 

Nessus does *not* support digest authentication yet.

3. X.509 client authentication

This concerns HTTPS only and is done in two steps:
a) the client certificate must be accepted by the SSL layer (signed by
   a trusted CA, still valid...)
b) the web server may check the DN or some other certificate fields
   and allow or deny access according to those values.

This is supported by Nessus, as you can upload a client certificate
(it will be used by any SSL connection)

4. NTLM authentication

A complex brain-damaged variant of the digest authentication.
Nessus does not support it, but we should work on it, as it is common.

5. HTTP login form

A classical way to connect to an application is to fill a form, and in
reply the server returns a session ID as a cookie or inside the URL.

Nessus implements a limited support:
- only the cookie method.
  The full cookie line is stored in the KB as http/auth/1234 (where
  1234 is the port number), and sent back with every request.
- Nessus first visits (GET) a "login page" and keep the "Cookie" line.
  (some systems rejects the authentication because they test if Cookie
   are enabled)
- Then the form is POSTed and encoded as application/x-www-form-urlencoded
  The Referer field is set to the "login page".

6. .NET framework

[TBD]

(C) 2002 Michel Arboi <arboi@alussinan.org>
