In a deployment set up correctly for IWA authentication, if an upstream OCS (origin content server) returns HTTP status code 407 "Proxy Authentication Required", the browser automatically attempts NTLM or Kerberos authentication, provided the site is in the browser's Local Intranet or Trusted Sites zone and the user is currently logged in to the Windows domain. The browser uses the user's domain account and credentials for this authentication. The vulnerability can be exploited when the browser is configured for explicit proxy, as follows:
Scenario 1: The user is logged in to the domain
The browser assumes the 407 challenge originated from the ProxySG appliance. Because the browser implicitly trusts the proxy, the user does not see an authentication prompt and the browser attempts authentication with the user's credentials.
Risk: The browser forwards credentials to the malicious OCS without the user’s knowledge.
Scenario 2: The user is not logged in as a domain user, or is using a workstation that is not in the domain
The user receives an authentication prompt.
Risk: The user could be misled into thinking that the malicious 407 challenge is legitimate (originating from the ProxySG appliance) and enter their credentials.
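A 407 response and its Proxy-Authenticate header are meant for the hop between a client and the proxy it chose; a forwarding proxy has no legitimate reason to relay them from an origin server, and doing so is exactly what lets the malicious OCS above obtain a credential exchange. The following is an added example, not code from this article or from the ProxySG product, showing the check a forwarding proxy can apply to every upstream response before sending it to the browser: a 407 from the origin is rewritten into a 502, a stray Proxy-Authenticate header on any other status is stripped, and an origin-server 401 with WWW-Authenticate (a legitimate origin challenge) is left untouched. The sample responses and the function names are constructed for the example.

```python
"""Added example (not from the article or the ProxySG product).

Sanitise HTTP responses received from an upstream origin server so that a
proxy-authentication challenge can only ever originate from the proxy itself.
"""
from typing import List, Tuple

CRLF = b"\r\n"
Header = Tuple[str, str]


def parse_response_head(raw: bytes) -> Tuple[int, str, List[Header], bytes]:
    """Split a raw HTTP/1.1 response into (status, reason, headers, body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(CRLF)
    version, _, rest = lines[0].decode("latin-1").partition(" ")
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    status_text, _, reason = rest.partition(" ")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return int(status_text), reason, headers, body


def build_response(status: int, reason: str, headers: List[Header], body: bytes) -> bytes:
    """Serialise a response back into wire format."""
    lines = [f"HTTP/1.1 {status} {reason}".encode("latin-1")]
    lines += [f"{n}: {v}".encode("latin-1") for n, v in headers]
    return CRLF.join(lines) + CRLF + CRLF + body


def upstream_proxy_challenge(status: int, headers: List[Header]) -> List[str]:
    """Return the schemes (e.g. NTLM, Negotiate) an origin server tried to
    present as a *proxy* challenge; empty when the response is clean."""
    return [v.split()[0] for n, v in headers
            if n.lower() == "proxy-authenticate" and v]


def sanitize_upstream_response(raw: bytes) -> bytes:
    """Never forward an origin server's proxy-authentication challenge.

    - 407 from the origin  -> replaced by a 502 with no challenge at all
    - Proxy-Authenticate on any other status -> header stripped
    - everything else (including 401 / WWW-Authenticate) -> unchanged
    """
    status, reason, headers, body = parse_response_head(raw)
    schemes = upstream_proxy_challenge(status, headers)
    if status == 407:
        msg = b"Upstream server sent a proxy authentication challenge; not forwarded."
        return build_response(502, "Bad Gateway",
                              [("Content-Type", "text/plain"),
                               ("Content-Length", str(len(msg))),
                               ("Connection", "close")], msg)
    if schemes:
        kept = [(n, v) for n, v in headers if n.lower() != "proxy-authenticate"]
        return build_response(status, reason, kept, body)
    return raw


# Constructed sample responses, as an origin server might return them.
RAW_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
           b"Proxy-Authenticate: NTLM\r\n"
           b"Proxy-Authenticate: Negotiate\r\n"
           b"Content-Length: 0\r\n\r\n")
RAW_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
           b"WWW-Authenticate: Negotiate\r\n"
           b"Content-Length: 0\r\n\r\n")
RAW_200_STRAY = (b"HTTP/1.1 200 OK\r\n"
                 b"Proxy-Authenticate: Basic realm=\"x\"\r\n"
                 b"Content-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    for label, raw in (("407", RAW_407), ("401", RAW_401), ("200+stray", RAW_200_STRAY)):
        st, _, hd, _ = parse_response_head(raw)
        print(label, "challenge schemes:", upstream_proxy_challenge(st, hd))
        print(sanitize_upstream_response(raw).split(CRLF)[0].decode())
```

The 401 case matters for correctness: origin-server IWA (WWW-Authenticate: Negotiate) is a normal part of intranet web applications and must still pass through, so the filter keys only on the proxy-specific status and header rather than on the NTLM or Negotiate scheme names.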