Basic authentication against automated attacks

Is basic authentication useful against automated attacks (e.g. those
attacks using buffer overflows)?

Regards,
Bulent

"Bulent" <bul***@designbais.com> wrote in message
news:1141085765.104878.299500@e56g2000cwe.googlegroups.com...
: Is basic authentication useful against automated attacks (e.g. those
: attacks using buffer overflows)?
:
: Regards,
: Bulent

It depends if the buffer overflow occurs in a component that's invoked
before/after the authentication process is invoked.

If there's a buffer overflow in the TCP/IP stack, then that can be exploited before IIS even sees the request.

Cheers
Ken

Ken,

Thank you for your quick response.

I assume that a much greater number of components would be involved "after" the authentication process. If this assumption is correct, is it fair to say that basic authentication (with SSL) would minimise the risk of such attacks (buffer overflow) being successful?

Thanks again,
Bulent

"Bulent" <bul***@designbais.com> wrote in message
news:1141099831.090526.260730@i40g2000cwc.googlegroups.com...
: Ken,
:
: Thank you for your quick response.
:
: I assume that a much greater number of components would be involved
: "after" the authentication process. If this assumption is correct, is
: it fair to say that basic authentication (with SSL) would minimise the
: risk of such attacks (buffer overflow) being successful?

Yes. Anything that prevents the payload from getting to the vulnerable component would help.

So, requiring SSL would stop any attack that only operated over HTTP
Using Host-Headers would stop any attack that didn't supply a Host: HTTP header
Using Basic Auth (or any Auth) would stop attacks that couldn't supply a username/password

All of this does assume that the affected component is after the barrier.

Mostly this will stop automated attacks - manual attacks are a different matter (but generally manual attacks would be directed against valuable servers, not a server you might have sitting at home running your personal website).

Cheers
Ken
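
The caveat in the last reply, that the affected component must sit behind the barrier, can be checked from the server's own logs. The following is an added example, not part of the original thread: it reads IIS W3C extended log lines and separates requests stopped by the SSL requirement (403.4) or by authentication (401) from requests that reached content, listing the paths reached with no username. The sample log, its paths, user name and addresses are constructed, and the field set is an assumption about how logging is configured.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus
2006-02-28 01:10:02 GET /app/report.aspx 80 - 192.0.2.10 403 4
2006-02-28 01:10:03 GET /app/report.aspx 443 - 192.0.2.10 401 2
2006-02-28 01:10:09 GET /app/report.aspx 443 alice 198.51.100.7 200 0
2006-02-28 01:11:15 GET /scripts/legacy.dll 80 - 192.0.2.10 200 0
2006-02-28 01:11:16 POST /scripts/legacy.dll 443 - 192.0.2.44 500 0
"""


def classify(row):
    """Say which barrier, if any, answered the request."""
    status, sub = row["sc-status"], row["sc-substatus"]
    if status == "403" and sub == "4":
        return "stopped_ssl"            # 403.4: SSL required
    if status == "401":
        return "stopped_auth"           # no valid credentials supplied
    if row["cs-username"] == "-":
        return "reached_anonymous"      # passed both barriers with no user
    return "reached_authenticated"


def barrier_report(log_text):
    """Return (outcome totals, paths that anonymous requests reached)."""
    fields, totals, exposed = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip rows that do not match the header
        row = dict(zip(fields, parts))
        outcome = classify(row)
        totals[outcome] += 1
        if outcome == "reached_anonymous":
            exposed[row["cs-uri-stem"]] += 1
    return totals, exposed


if __name__ == "__main__":
    totals, exposed = barrier_report(SAMPLE_LOG)
    print(dict(totals))
    print("reachable without credentials:", dict(exposed))
```

Any path in the second result is served without passing the authentication barrier, so a flaw in the component behind it is not shielded by Basic auth.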