gevans Posted June 10, 2009: Hey guys, only looking at getting the login page tested; link to follow: http://projects.purplecoffee.co.uk/outdoorguernsey/public_html/admin Just for your information, it's an AJAX request to log in, so a mod like SQL Inject Me will probably receive 404 Not Found errors on execution. Thanks guys, and I hope you find nothing, but please tell me anything!
darkfreaks Posted June 10, 2009: Actually, the XSS Me addon in Firefox returns 404s. I can run SQL Inject Me and it returns 13 SQL attacks. I would recommend using mysql_real_escape_string() and trim(), then use MySQLi/PDO prepared statements to weed out the rest of the injection.
darkfreaks Posted June 10, 2009: Preventing PHPSESSID Attacks & Session Fixation; Preventing CSRF (Cross Site Request Forgery) Attacks
gevans (Author) Posted June 10, 2009: A lot of the errors return due to it being AJAX and not actually properly testing via the addon. As far as I'm aware, I've done everything to secure the login. The password is salted and hashed. The username is cleaned with real_escape_string(). I don't use trim: if the user puts spaces at the start or end of the username, then it's wrong. For me, SQL Inject Me returns 51 failures (as mentioned) and 0 errors. Thanks for the reply.
darkfreaks Posted June 10, 2009: You might want to read up on PHPSESSID attacks; you have a lot of those if you download the Access Me plugin in Firefox. And like I said before, PDO prepared statements will weed out the injection.
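A parameterized login lookup of the kind darkfreaks is recommending, as an added example that is not gevans' code or anything posted in the thread. The DSN, credentials, table and column names (`admin_users`, `username`, `password_hash`) and the POST field names are assumptions, and it verifies the password with PHP's `password_verify()` (PHP 5.5+) rather than the hand-rolled salted hash the thread mentions. The point it shows is that the username never becomes part of the SQL text, so the quotes, comments and UNIONs that SQL Inject Me sends are bound as plain data:

```php
<?php
// Added example: AJAX login handler using a PDO prepared statement.
// DSN, credentials, table/column names and POST field names are assumptions.

session_start();

function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=outdoorguernsey;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: no client-side string building
        ]
    );
}

/**
 * Returns the admin's id on success, or null on failure.
 * The username travels as a bound parameter, never concatenated into the query,
 * so no amount of quoting or commenting in it changes the statement's shape.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM admin_users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a freshly made dummy hash when the user is unknown, so the
    // response time does not reveal whether the username exists.
    $hash = $row ? $row['password_hash'] : password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);

    return ($ok && $row) ? (int) $row['id'] : null;
}

// Handling the AJAX POST from the login form (field names assumed).
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$userId = authenticate(connectDb(), $username, $password);

header('Content-Type: application/json');
if ($userId === null) {
    http_response_code(401);
    echo json_encode(['ok' => false]);
    exit;
}

// Privilege level changed: issue a new session id so a pre-login id is worthless.
session_regenerate_id(true);
$_SESSION['admin_id'] = $userId;
echo json_encode(['ok' => true]);
```

With `PDO::ATTR_EMULATE_PREPARES` off the statement and its parameters are sent to MySQL separately, which is what makes the escaping question moot; `mysql_real_escape_string()` and `trim()` become unnecessary for the query, though trimming remains a usability choice the thread debates.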
gevans (Author) Posted June 10, 2009: Could you explain some of these to me?

Attack Details:
* Input Parameter: PHPSESSID
* HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 100% similar. Got access to a resource that should be protected. Server response code: 200 OK.

Attack Details:
* Input Parameter: PHPSESSID
* HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 1.156% similar.
darkfreaks Posted June 10, 2009: Input Parameter: PHPSESSID. This is mainly the result of a hidden input or an input not being validated properly, if at all.
gevans (Author) Posted June 10, 2009: I'm not going to lie, I'm a bit confused now. I've done a bit of reading and covered some things that I already do: the session id is regenerated on each page, and the session cookie is only accessible over HTTP. What am I missing? Any advice on fixes?
darkfreaks Posted June 10, 2009: Removing PHPSESSID
gevans (Author) Posted June 10, 2009: I did look at them; I've already covered the mentioned security methods that are available to me.
darkfreaks Posted June 10, 2009: I changed my post, sorry LOL.
gevans (Author) Posted June 10, 2009: That's turned off both locally and in my production environment.
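The session settings the thread has been circling (keeping PHPSESSID out of URLs, regenerating the id against fixation, an HttpOnly cookie, and the CSRF protection darkfreaks linked), collected into one bootstrap file. This is an added example, not gevans' configuration or code from the linked articles; it assumes PHP 7.3+ for the array form of `session_set_cookie_params()` and `random_bytes()`, and it assumes the site is served without HTTPS, as gevans' shared hosting is, so the Secure flag is only set when HTTPS is actually detected:

```php
<?php
// Added example: session hardening to include before any page under /admin.
// Assumes PHP 7.3+; ini_set() is used because shared hosting rarely exposes php.ini.

// Never read a session id from the query string or rewrite it into links.
// With these off, a ?PHPSESSID=... in a URL is ignored and nothing emits it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // refuse ids PHP did not issue itself (PHP 5.5.2+)

// Cookie attributes: unreadable by script, SameSite against cross-site posts,
// and Secure once the site is really on HTTPS (assumed not, per the thread).
$onHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => $onHttps,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Anti-fixation: a brand-new session gets a fresh id immediately, and the
// login handler calls session_regenerate_id(true) again on success.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
}

/** Per-session CSRF token; embed it in the login form or send it with the AJAX request. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time check of the token that arrived with a state-changing request. */
function csrfTokenIsValid(?string $sent): bool
{
    return is_string($sent)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Every POST to the admin area (the login itself included) must carry the token.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid request');
    }
}
```

`session.use_only_cookies` is the setting that does what the "regex to strip PHPSESSID from the query string" approach mentioned later in the thread tries to do by hand: PHP simply never consults the URL for an id. Regenerating on every page, as gevans does, is not wrong but is not required once the id is regenerated at creation and at login.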
darkfreaks Posted June 10, 2009: What is mod_rewrite? They also have PHP code that uses the GET method and uses a regex to replace PHPSESSID?= with just the file name.
gevans (Author) Posted June 10, 2009:

#Direct redirect
RewriteRule ^home$ index.php [L,NC]

#Admin goes through admin.php
RewriteRule ^admin$ admin.php [L]
RewriteRule ^admin/([a-z0-9-]+)$ admin.php?para1=$1 [L]
RewriteRule ^admin/([a-z0-9-]+)/([a-z0-9-]+)$ admin.php?para1=$1&para2=$2 [L]
RewriteRule ^admin/([a-z0-9-]+)/([a-z0-9-]+)/([a-z0-9-]+)$ admin.php?para1=$1&para2=$2&para3=$3 [L]

#Pages go through index.php
RewriteRule ^([a-z0-9-]+)$ index.php?para1=$1 [L]
RewriteRule ^([a-z0-9-]+)/([a-z0-9-]+)$ index.php?para1=$1&para2=$2 [L]
darkfreaks Posted June 10, 2009: How Access Me works; Access Me FAQ
gevans (Author) Posted June 10, 2009: I've had a read. Every page that can be accessed via /admin will return 200 OK because it will load the login page from its current location (if the user isn't logged in). For example, http://localhost/outdoorguernsey.co.uk/site/public_html/admin/more/andmore returns 200 OK as it displays the login page also.
darkfreaks Posted June 10, 2009: That doesn't explain why it returns failures like INPUT PHPSESSID and SECCOMP.
gevans (Author) Posted June 10, 2009: I'm not getting my head around why I'm getting INPUT PHPSESSID and SECCOMP. Apart from the steps taken already, what can I do to stop this, and can you explain further what it actually means? I'm finding it difficult to secure something I'm not understanding.
darkfreaks Posted June 10, 2009: They were talking about the OWASP ESAPI toolkit on their site, so I will link you; maybe you could use it.
gevans (Author) Posted June 10, 2009: Thanks for everything so far, I'll take a look.
gevans (Author) Posted June 10, 2009:

"Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 41.5% similar. The Input Parameter is telling you the name of the parameter that was dropped for the session while the HTTP Method is the name of the HTTP method that was sent with the request. From the paragraph on the end we can see that we were able to access the protected page, with the server returning a 200 OK status code. We can also see that the returned page had low (41.5%) similarity to the page we requested from."

This is from the website's FAQ. In the final explanation ("From the paragraph on the end we can see that we were able to access...") it says it has managed to access the protected page. You may have to correct me here, but each page I have runs through a single PHP page. So it will always return 200 OK but print the login form!?
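The point gevans makes above is that every /admin URL answers 200 OK with the login form rendered in the body, which is exactly the condition Access Me reports as "got access to a resource that should be protected": the scanner keys on the status code, not on what the page says. The following is an added example, not gevans' admin.php or anything from the thread, of a front-controller guard that answers an unauthenticated request with a 401 (for the AJAX client) or a 302 redirect to the login page, and refuses verbs the admin area never implements, so a probe with a made-up method or HEAD is no longer indistinguishable from a served admin page. The session key `admin_id`, the `para1` parameter from gevans' rewrite rules, and the `X-Requested-With` header are assumptions:

```php
<?php
// Added example (not from the thread): request guard at the top of admin.php.
// Assumes the login handler stores the admin's id in $_SESSION['admin_id'],
// that the bare /admin URL (no para1) is the login page, and that the AJAX
// client sends X-Requested-With: XMLHttpRequest.

session_start();

/** Verbs the admin area actually implements; everything else is refused. */
const ALLOWED_METHODS = ['GET', 'POST'];

function isXhr(): bool
{
    return strcasecmp($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;
}

function requireAdminLogin(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? '';
    if (!in_array($method, ALLOWED_METHODS, true)) {
        // Unknown verbs (the scanner's "SECCOMP") and HEAD get 405 with an Allow
        // header, not a 200 with the login page rendered into the body.
        http_response_code(405);
        header('Allow: ' . implode(', ', ALLOWED_METHODS));
        exit;
    }

    if (!empty($_SESSION['admin_id'])) {
        return; // authenticated: fall through to the requested admin page
    }

    // Not logged in: say so with a status code the client (and a scanner) can read,
    // instead of quietly substituting the login form under a 200.
    if (isXhr()) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['ok' => false, 'error' => 'login required']);
    } else {
        header('Location: /admin', true, 302);
    }
    exit;
}

// /admin itself is the login page and stays reachable; anything deeper is protected.
$page = $_GET['para1'] ?? '';
if ($page !== '') {
    requireAdminLogin();
}
```

Re-run against this, Access Me's "200 OK on a protected resource" findings for /admin/anything turn into 302 or 401, and the SECCOMP and HEAD cases turn into 405; whatever it still reports at that point is worth reading, whereas a 200-for-everything site drowns real findings in noise, which is the complaint gevans raises later about the Facebook results.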
darkfreaks Posted June 10, 2009: To prevent network sniffers from scooping up session IDs, session-specific traffic should be sent over SSL. You don't need to do anything special to PHP when you're using an SSL connection, but you do need to specially configure your webserver. Also, you could install mod_security if you have a dedicated server.
gevans (Author) Posted June 10, 2009: Shared hosting... I really try to avoid the SSL that they offer; it looks messy as it's a crazy URI, and I'm not 100% sure of the implications of having a shared SSL.
gevans (Author) Posted June 10, 2009: I'm not convinced by the Access Me addon; I haven't found a single site that doesn't bring up an error or warning.

http://www.facebook.com/index.php :: Http Method
Attack Details:
* HTTP Method: SECCOMP
The attacked page is dangerously similar to the original page. It is 98.58% similar. Got access to a resource that should be protected. Server response code: 200 OK.

http://www.facebook.com/index.php :: Http Method
Attack Details:
* HTTP Method: HEAD
Got access to a resource that should be protected. Server response code: 200 OK. The attacked page is not very similar to the original page. It is 0.226% similar.

Sorry for the default example, but come on.... I don't see anyone hacking Facebook. And if it was possible, it would've happened by now.
darkfreaks Posted June 13, 2009: Wrong post, lol.