WebApp Sec mailing list archives
RE: ASP authentication
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Wed, 1 Sep 2004 09:52:26 +1200
> Some link like the one below should be far better for a beginner in
> ASP authentication. Good basics are given:
> .
> .
> - use of includes
> ...which is far closer to what commercial web applications provide today.
>
> A simple ASP authentication system

http://www.kamath.com/tutorials/tut003_auth.asp is a good example of a Textbook SQL injection vulnerability.

------------------------------------------------
' Now it's time for the query. We need to check the user information
' against the table tUsers
Cm.CommandText = "SELECT * FROM tUsers WHERE " & _
    "UserName='" & Request.Form("UserName") & "' AND " & _
    "UserPassword='" & Request.Form("UserPassword") & "' "

' Set the query type. 1 means it is a SQL statement
Cm.CommandType = 1

' Retrieve the results in a recordset object
Set Rs = Cm.Execute
------------------------------------------------

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com

-----Original Message-----
From: Saphyr [mailto:saphyr () infomaniak ch]
Sent: Tuesday, 31 August 2004 6:57 p.m.
To: webappsec () securityfocus com
Subject: Re: ASP authentication
> Though I despise ASP (I prefer Python or PHP or even Perl), here are a
> few ASP-relevant sources of information on single sign-on using
> sessions. This one is a tutorial intended to teach ASP, but it covers
> an "extended member's area" which uses some single sign-on techniques.
> http://www.theukwebdesigncompany.com/article.php?id=392
Ido, and list,

Reading the link you provided made me clearly understand one of the reasons you might 'despise' ASP. As an ASP developer myself, I must react to the link you just provided in order to help Benoni with some authentication scheme examples.

If you read the article, you will see the author has implemented at least two major critical flaws in his authentication scheme:

- user credentials (login and password) are directly hard-coded into the source scripts.
- the authentication logic flow is based upon a cookie value, a sensitive data repository highly vulnerable to spoofing (pretending you're someone or something you aren't) and sniffing (listening to a communication from a point between the 'speaker' and the 'listener') techniques.

Any professional having a minimal authentication and secure web development culture knows such an example should never be implemented in a real world application because of its almost non-existent security level. Although your answer telling what sessions are made of and how they work was a really good read, the examples you provided shouldn't even be linked somewhere on the net. Sorry for the author if he reads this... Did you at least read the link you provided?

Some link like the one below should be far better for a beginner in ASP authentication. Good basics are given:

- use of includes
- use of session based authentication
- use of database stored credentials

...which is far closer to what commercial web applications provide today.

A simple ASP authentication system
http://www.kamath.com/tutorials/tut003_auth.asp

Best regards,
.antoine

--
Blog Dev et Sécu Web (Swiss blog about Web Security and Development)
http://www.nxtg.net/is/

######################################################################
CONFIDENTIALITY NOTICE: This message and any attachment(s) are confidential and proprietary. They may also be privileged or otherwise protected from disclosure. If you are not the intended recipient, advise the sender and delete this message and any attachment from your system. If you are not the intended recipient, you are not authorised to use or copy this message or attachment or disclose the contents to any other person. Views expressed are not necessarily endorsed by Security-Assessment.com Limited. Please note that this communication does not designate an information system for the purposes of the New Zealand Electronic Transactions Act 2003.
######################################################################
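The defect Brett points at in the kamath snippet is that the two form fields are spliced straight into the SQL text, so a quote character in either one changes the statement itself. The fix is to bind them as ADO parameters. The block below is an added example, not code from the tutorial or from anyone on this thread; it assumes an already-open ADODB.Connection object named Cn (the quoted snippet never shows how Cm is connected), the tutorial's tUsers table with UserName and UserPassword columns, and a column width of 50 for both parameters.

```asp
<%
Option Explicit
' Added example (not from the tutorial or the list posts): the login query
' rewritten with ADO parameters. Cn is an assumed, already-open
' ADODB.Connection; tUsers / UserName / UserPassword come from the tutorial.

Const adCmdText    = 1    ' CommandType: SQL text, the "1" in the original snippet
Const adVarChar    = 200  ' ADO DataTypeEnum: variable-length character data
Const adParamInput = 1    ' ADO ParameterDirectionEnum: input parameter

Dim Cm, Rs, LoggedIn
Set Cm = Server.CreateObject("ADODB.Command")
Set Cm.ActiveConnection = Cn

' "?" placeholders: the form values are bound as typed parameters, so a quote
' in the user name (for example O'Brien) is compared as data, not parsed as SQL.
Cm.CommandText = "SELECT UserName FROM tUsers WHERE UserName = ? AND UserPassword = ?"
Cm.CommandType = adCmdText

' 50 is an assumed width; use the real one from the tUsers column definition.
Cm.Parameters.Append Cm.CreateParameter("UserName", adVarChar, adParamInput, 50, _
    Request.Form("UserName"))
Cm.Parameters.Append Cm.CreateParameter("UserPassword", adVarChar, adParamInput, 50, _
    Request.Form("UserPassword"))

Set Rs = Cm.Execute
LoggedIn = Not Rs.EOF

If LoggedIn Then
    ' Server-side session state, as the tutorial does, rather than a
    ' client-side cookie flag that the browser can set to anything.
    Session("UserName") = Rs("UserName").Value
End If

Rs.Close
Set Rs = Nothing
Set Cm = Nothing
%>
```

Only the query construction changes: CommandType stays 1 (adCmdText) and the result is still read from a recordset, so the rest of the tutorial's page works unchanged. Note that the password is still compared as cleartext in the database exactly as the tutorial stores it; storing a salted hash and comparing against that is a separate improvement this example does not make.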
Current thread:
- ASP authentication Bénoni MARTIN (Aug 27)
- Re: ASP authentication Erik Kangas (Aug 27)
- Re: ASP authentication saphyr (Aug 28)
- Re: ASP authentication security (Aug 29)
- Re: ASP authentication George Capehart (Aug 30)
- Re: ASP authentication Ido Mordechai Rosen (Aug 30)
- Re: ASP authentication Saphyr (Aug 31)
- RE: ASP authentication Brett Moore (Sep 01)
- Re: ASP authentication Ido Mordechai Rosen (Sep 01)
- Re: ASP authentication Saphyr (Aug 31)
- <Possible follow-ups>
- RE: ASP authentication Zuech, Richard (Aug 27)
- RE: ASP authentication focus (Aug 28)
- RE: ASP authentication pfeito (Aug 29)
- RE: ASP authentication focus (Aug 29)
- Re: ASP authentication Ido Mordechai Rosen (Aug 31)
- RE: ASP authentication Sarbjit Singh Gill (Aug 29)
- Re: ASP authentication Erik Kangas (Aug 27)
- FW: ASP authentication Rishi Pande (Aug 27)
- RE: ASP authentication Scovetta, Michael V (Aug 31)
- Re: ASP authentication Ido Mordechai Rosen (Sep 01)