WebApp Sec mailing list archives
Re: Login credentials and session id security
From: Shaon Diwakar <shaon.diwakar () yahoo com au>
Date: Fri, 15 Jun 2007 04:37:22 -0700 (PDT)
Hi, Hashing a users password protects against the transmission of sensitive data in clear text (accidental or otherwise) - again, it is simply one of several controls/safeguards developers can employ to discourage attacks by a malicious individual (I agree however that it does not provide any 'real' security on the clients side - as keystrokes are easily logged and memory easily analysed). Using HTTPS on logon pages reduces the likelihood of that users password/user id being captured in transit - however if an attacker were savvy enough to for example 'suck packets out of a proxy' - they would have already won - that is to say, they would already have that users session ID (assuming again that transmission was done over an unencrypted channel) and it would simply be a matter of replaying that session cookie back to the application server (while the session remains active) to gain access to that web application. Web applications are stateless, so the only way for an application server to know who you are is through your session ID. Thus it is important that all efforts be directed towards safe guarding a users session ID - be it using hashing, using tokens or some other mechanism. Cheers, sHz ----- Original Message ---- From: James Landis <jcl24 () cornell edu> To: scottsanchez () gmail com Cc: Vishal Garg <vishal () firstbase co uk>; webappsec () securityfocus com Sent: Tuesday, 12 June, 2007 12:27:56 AM Subject: Re: Login credentials and session id security Theoretically, this adds no security. In practice, however, it might actually provide some security. If the attacker is just trolling for arbitrary plaintext usernames/passwords in POST requests, encrypting the password on the client side before sending it will defeat him. If the attacker is specifically trying to capture the password for your site, he will likely be able to capture the secret sent to the client in order to encrypt the password. As usual, there are probably better ways to invest your development time to improve the security of the app. -j On 6/8/07, Scott C. Sanchez <scottsanchez () gmail com> wrote:
I don't see how salting or hashing the password in the client prior to submitting it will make it more secure. Anyone savvy enough to suck your packets out of the proxy and make sense of them would just look at the login page to find the key for the hash or salt. One time passwords or a token-based solution like securid or mypw are your best solution IMO. -Scott
------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe --------------------------------------------------------------------------
Current thread:
- Re: Login credentials and session id security, (continued)
- Re: Login credentials and session id security Dean H. Saxe (Jun 08)
- Re: Login credentials and session id security Aman Raheja (Jun 10)
- Re: Login credentials and session id security Dean H. Saxe (Jun 08)
- Re: Login credentials and session id security James Landis (Jun 08)
- Re: Login credentials and session id security David Wall (Jun 10)
- Message not available
- Re: Login credentials and session id security Vishal Garg (Jun 08)
- Re: Login credentials and session id security matt farey (Jun 10)
- Re: Login credentials and session id security Scott C. Sanchez (Jun 10)
- Re: Login credentials and session id security James Landis (Jun 11)
- Re: Login credentials and session id security Vishal Garg (Jun 08)
- RE: Login credentials and session id security Abhishek Kumar (Jun 08)
- Re: Login credentials and session id security Shaon Diwakar (Jun 08)
- Re: Login credentials and session id security Shaon Diwakar (Jun 21)