I am blackbox testing a vulnerable website. The website in question is accessed using HTTP and to reach its content one is prompted with a field to enter the password (presumably set by the admin) at the homepage. If I enter a wrong password, I get the "incorrect password" notification.
However, after entering the URI path /index.html, the content is seen without entering any password. If I click any link there and get referred to http://ift.tt/1vJXsHx, I get prompted with the authentication field again, but if I replace .php with .html, I see the content that is supposed to be password protected. I am also allowed to access the images directory.
From a development point of view, what is done wrong here that allows bypassing the authentication, and how should it be fixed?
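An added illustration (not code from the post or the site in question) of the likely root cause and its fix: if the password check lives inside each .php page, static files such as /index.html and /images/ are served by the web server without ever reaching it; the hardened form applies one deny-by-default check to every request. The WSGI gate, the cookie format and the demo secret are assumptions made for the example.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"  # assumption: real secret comes from config
PUBLIC_PATHS = {"/login"}            # the only path served without a session

def sign(value: str) -> str:
    """HMAC tag over the session value (constructed cookie scheme)."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def session_valid(environ) -> bool:
    """True only if the 'session' cookie carries a valid HMAC tag."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" not in cookie:
        return False
    try:
        user, tag = cookie["session"].value.rsplit(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(sign(user).encode(), tag.encode())

def broken_requires_auth(path: str) -> bool:
    # The pattern implied by the post: only PHP pages perform the check,
    # so .html files and the images directory are never gated.
    return path.endswith(".php")

def fixed_requires_auth(path: str) -> bool:
    # Deny by default: everything except the login page needs a session,
    # regardless of file extension or directory.
    return path not in PUBLIC_PATHS

def gate(app, requires_auth):
    """Wrap a WSGI app so the policy runs before any content is served."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if requires_auth(path) and not session_valid(environ):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"login required"]
        return app(environ, start_response)
    return wrapped

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret content"]

def request(app, path, cookie=""):
    """Drive a WSGI app with a constructed environ; return the status line."""
    status = {}
    def start_response(line, headers):
        status["line"] = line
    b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return status["line"]
```

The same deny-by-default rule can be enforced in the web server itself (a directory-wide auth requirement or a rewrite to a single front controller) so that static files are never served around the check.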