PHP Website security testing


hiprakhar

hi,

 

I have a web application www.prakhargoel.com/projects/lms/ that is used by students for logging and requesting a computer system in the internet lab. There is a corresponding labadmin at www.prakhargoel.com/projects/lms/labadmin.

 

Though I tried to make this web app as secure as possible, there might be some shortcomings in the security which could be used by hackers. Please analyse the vulnerabilities and tell me where I need to improve. If anyone needs it, I can provide the PHP code for further testing. I have:

1) applied sha1 encryption to all passwords.

2) timeout sessions

3) sql injection filters, etc

 


Passwords are only encrypted via SHA1, or is there something else in there to strengthen the digests?

 

No, passwords are only encrypted via SHA1. Before saving to the database, the sha1 is calculated from the POST data. For authentication, the sha1 passwords from the db are matched with the sha1 of the entered password at runtime.

 

I think sha1s are sufficiently difficult for anyone trying to hack and untangle the passwords, given that sha1 is a one-sided function.


Yeah, I always liked the idea of having someone purposely attack my site to see where my weak points are. I'm nowhere near an advanced programmer, so I know I have lots of flaws people could use against me. Only problem is finding someone you can trust... someone who won't take advantage of the situation.


Check list

1) use mysql_real_escape_string() when user input is used in SQLs.

2) use escapeshellcmd() or escapeshellarg() when user input is used in system/exec/ commands etc

3) type cast input values. E.g. a roll number should be an integer, so $rollno = (int)$_REQUEST['rollno']

4) keep input values' length within the limits eg a user name should not be more than 100 chars etc.

5) hardcode SQL statements as much as possible. E.g. select * from students where $_REQUEST['userinput'] is not good. Make it

select rollno, name, class from students where id=(int)mysql_real_escape_string($_REQUEST['userinput'])

6) use captcha or other ways (like asking what is 2+6, of course changing the numbers on each refresh) to ensure the user is a human being and not a script.

7) use post instead of get

8) use session variable names which are tough to know. eg $_SESSION['id'] is not good, $_SESSION['iet7hsid98k'] is good

 

 

 

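Checklist items 1, 3 and 5 written out as a PDO prepared statement, as an added example that is not code from the thread or from the LMS project. It assumes a `students` table with columns id, rollno, name and class, and a placeholder DSN and credentials; mysql_real_escape_string() was removed in PHP 7, so binding the value replaces escaping it.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). The SQL text is fixed, the user-supplied value
// travels separately as a bound parameter, and it is cast to the type the column expects.
// Assumed schema: table `students` with columns id, rollno, name, class.

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare; no client-side string building
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Item 3 (and the length limit from item 4): accept only a short positive integer id.
function parseStudentId(string $raw): ?int
{
    // ctype_digit rejects "", "-1", whitespace and anything like "1 OR 1=1".
    if ($raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Item 5: the statement is hard-coded; only the value is substituted, as a typed parameter.
function findStudent(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT rollno, name, class FROM students WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage with placeholder DSN and credentials (assumed, not the project's real values).
$db  = connect('mysql:host=localhost;dbname=lms;charset=utf8mb4', 'lms_user', 'lms_pass');
$raw = $_REQUEST['userinput'] ?? '';
$id  = is_string($raw) ? parseStudentId($raw) : null;
if ($id === null) {
    http_response_code(400);
    exit('invalid student id');
}
$student = findStudent($db, $id); // null when no such row exists
```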

Assuming SHA1 is secure on its own is very very bad practice, let alone an all-around horrible idea, and that goes with any hash function.

First off, SHA1 has already been broken, collisions can be made, there are also rainbow tables out there.  Not only this, but I would always suggest making the string to be hashed larger than the resulting digest.  Since you know the size of the resulting digest (SHA1 is 140-bit) I'd suggest creating some sort of salt in there, some key to strengthen the resulting digest.

$key = 'jfioepafipo4jeigphaue4gfASE$*(GTA)($GFAUEW$I)GFAHEPGdrjsiv;arshvuialnuiafhuaiewpguzdjlgvd;';    //random 632-bit string because I'm paranoid
$hash = sha1($key.$input);

To compare just use the same key.



Thanks for the reply.

1) mysql_real_escape_string() is already implemented. Earlier I used the function to escape quotes and other special chars

2) No the user input is not used in linux commands.

3) Yes I have sanitized all incoming data from user via POST/GET according to its type.

4) Same as above

5) I will work on this. Many SQL statements are not hardcoded. thanks!

6) It's a LAN-based application, so I know all users are real and not bots floating on the net. Hence I have not implemented captcha.

7) POST is always the preferred option

8) I will work on session variables too. thanks!

 

@trink

Thanks for the suggestion, I will implement it. Although sha1 has been breached, that's still remote without specialized equipment. I think I will make some innovative $key based on some distinct and creative values for each user to further strengthen the hash. Thanks!

 

Any more suggestions for PHP website security? I was reading Joomla and WordPress pages and I liked the idea of using die() at the slightest hacking doubt. Please share more vulnerabilities that are encountered in other PHP projects.

 

ps: Inadvertently I made a smiley while typing "8 )" !!

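The hashing discussed in trink's reply (sha1 with a static key) and the per-user key idea in the reply above, carried through with PHP's own password_hash()/password_verify() (PHP 5.5+), as an added example that is not code from the thread or from the LMS project. It assumes a `users` table with columns username and password_hash VARCHAR(255), and that legacy rows still hold a bare 40-hex sha1() digest.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). password_hash() generates a random per-user salt
// and stores it inside the hash string, and bcrypt is deliberately slow; that is what
// blunts rainbow tables and brute force, which a hidden static key alone does not.
// Assumed: table `users` with columns username, password_hash VARCHAR(255).

const BCRYPT_COST = 12; // tune so one hash takes roughly 100-250 ms on the lab server

function storeNewPassword(PDO $db, string $username, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
    $stmt->execute([':h' => $hash, ':u' => $username]);
}

function authenticate(PDO $db, string $username, string $plain): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: spend the same time as a real verification so the lookup
        // result cannot be inferred from the response time.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        password_verify($plain, $dummy);
        return false;
    }
    $stored = $row['password_hash'];
    // Migration: a legacy unsalted sha1() row is checked once, then rewritten as bcrypt.
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        if (!hash_equals($stored, sha1($plain))) {
            return false;
        }
        storeNewPassword($db, $username, $plain);
        return true;
    }
    if (!password_verify($plain, $stored)) {
        return false;
    }
    // Re-hash on login if the stored hash was made with an older cost setting.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        storeNewPassword($db, $username, $plain);
    }
    return true;
}
```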

I would also be interested if there is a company or legitimate individual out there (who is known by and recommended by this board) that would evaluate and or attempt to hack my website to see if it has vulnerabilities.

 

Is there such a service?

 

My mate who went to Exeter University now works for a company called 'Transition Consulting Limited (TCL)' who are based on the uni campus and they do software testing, and I'm pretty sure they test websites for vulnerabilities.

 

He told me there was a lecture when he was there given by a member of TCL staff to show how websites can be hacked.

 

It might be worth checking them out.
