Security; Form Spoofing





cr3ativ3
Ok, a while ago I started using a method in which a login form collects the user's password, which is then hashed using JS and sent over to the server to be compared to the hash of the real password. This was to act similar to SSL, although after thinking about it, if someone intercepted this hash then they would be able to create their own form and send this hash to the server and would be allowed in.

I am looking for a method by which the data that will be processed (the username and password) has to come from the form designed for the login and cannot be worked around.

I assume maybe some referrer checking would be required, but that's not foolproof. And salting wouldn't really work here, I am guessing.

I hope I wasn't too confusing lol.

[edit]Made some changes to the first paragraph.[/edit]

Thanks,
Aaron
SonLight
I think I understand what you want to do all right. The short answer is that you can't have security unless you transfer securely. However, there are surely a number of ways you can make it less likely that someone would spoof the login. In all cases, if they get full access to the server and can change scripts, then all bets are off.

You're right about checking the referrer being helpful. I don't see an easy way around that for the imposter, but it could surely be faked via a low-level tcp program. Since you're already using an uncommon method for security, those two items would stop most attackers.

One additional suggestion would be to use some kind of "checksum" calculated by the form -- possibly passing part of the calculation as part of the page and having the javascript calculate part. Elements to include are time of day and client IP.
cr3ativ3
Yeah, you're right; if an attacker has access to the file system then there's nothing really stopping them from getting to or doing whatever they want.

Although I think I may have misworded it. I mean it's working sort of like SSL, so the attacker who intercepts the transmission between the client and the server sees the hashed pass, right? Now that attacker can use another form to send the hash to the server, which will let the attacker in. Now while we are on this problem, doesn't SSL suffer the same problem?
SonLight
cr3ativ3 wrote:

Although I think I may have misworded it. I mean it's working sort of like SSL, so the attacker who intercepts the transmission between the client and the server sees the hashed pass, right? Now that attacker can use another form to send the hash to the server, which will let the attacker in. Now while we are on this problem, doesn't SSL suffer the same problem?

Right, we're definitely talking about what cryptanalysts call man-in-the-middle attacks, and I only mentioned breaking into the site because I was not sure if you were worried about that. In some cases of site break-in, it may still be worth trying to minimize the damage, but it's generally harder to analyze.

I applaud you for thinking of trying to get some of the benefit of SSL with an open channel. There is an important distinction, because none of the details of the form layout, etc. can be seen by a man-in-the-middle with SSL unless the code is broken. You could of course add more of the message to your hashing, but when you got through it could be as complex as SSL and an attacker can still read your javascript code.

I would suggest reading about using salt, and possibly two hash methods, since one will be exposed in the javascript. You could generate a permission key with each form sent, which is only usable once, but that would be a lot of overhead.
cr3ativ3
SonLight wrote:

cr3ativ3 wrote:

Although I think I may have misworded it. I mean it's working sort of like SSL, so the attacker who intercepts the transmission between the client and the server sees the hashed pass, right? Now that attacker can use another form to send the hash to the server, which will let the attacker in. Now while we are on this problem, doesn't SSL suffer the same problem?

Right, we're definitely talking about what cryptanalysts call man-in-the-middle attacks, and I only mentioned breaking into the site because I was not sure if you were worried about that. In some cases of site break-in, it may still be worth trying to minimize the damage, but it's generally harder to analyze.

I applaud you for thinking of trying to get some of the benefit of SSL with an open channel. There is an important distinction, because none of the details of the form layout, etc. can be seen by a man-in-the-middle with SSL unless the code is broken. You could of course add more of the message to your hashing, but when you got through it could be as complex as SSL and an attacker can still read your javascript code.

I would suggest reading about using salt, and possibly two hash methods, since one will be exposed in the javascript. You could generate a permission key with each form sent, which is only usable once, but that would be a lot of overhead.

If I understand this correctly, what I should do is: when the page form gets called, generate a random key, store it in a session variable or something, then hash the pass in the form, add the salt to the hash and then hash it again. Then send it over, have the same thing happen on the server, and then compare the two?

But I would have to also store the key in the form as a hidden field or a cookie, in which case the "middle man" will see this key. He will then be able to... wait, he wouldn't be able to find the hash of the original password or the original password, making the key useless to him?

So this would be foolproof against an attack from a middle man? With the exception of a brute force style attack?
cr3ativ3
Ok, based on the information above I have made a script which I will share with everyone. It's just the basics of a PHP login script using the information above.

If anyone would like the code just message me.
© 2005-2011 Frihost, forums powered by phpBB.