Solved

Bypass a web application's login page! Urgent

Posted on 2004-10-24
2,003 Views
Last Modified: 2012-08-14
Hi,

I have a web app that uses session authentication. Someone has sent me an email with some data from inside this web app, and he claims that he bypassed the login page very easily.
How can he do so? And how do I prevent him and anyone else from doing this again?

I'd be very grateful if someone could help.

0
Question by:gloriousamjad
    20 Comments
     
    LVL 26

    Expert Comment

    by:Rejojohny
    >>uses session authentication
    What do you mean by session authentication? What does your login page do, and how are the other pages validating whether the user has logged on or not? Do you mean that you store values in the session and check for them in the other pages? Could you post the relevant code?
    0
     
    LVL 28

    Expert Comment

    by:sybe
    There is a (recently published) vulnerability in dot.net that seems to do just that. Are you using dot.net?
    0
     
    LVL 28

    Expert Comment

    by:sybe
    0
     
    LVL 3

    Expert Comment

    by:nan1217
    If your login page is just a form that passes values to a second page which then authenticates them and sets some session variables, then it would be very easy to bypass. The other guy would just need to set up his own form which submits to that same second page, and then he would be authenticated.
    0
     

    Author Comment

    by:gloriousamjad
    My login page is a form that passes the username & password to a validating page, which validates the username & password against the database, then stores them in session variables, and I check for these variables in all pages.
    By the way, the code is in ASP, not ASP.NET.
    I want to know how to prevent bypassing the login page, and how does the other guy do it?

    0
     
    LVL 3

    Expert Comment

    by:nan1217
    "I want to know how to prevent bypassing the login page, and how does the other guy do it?"

    On the second page which sets the session variables, have a checker at the top that says something like

    ' HTTP_REFERER holds the full URL of the page the browser says it came from,
    ' so look for the login page name inside it rather than comparing for equality.
    ' (The header is supplied by the client, so it can be absent or forged.)
    If InStr(1, Request.ServerVariables("HTTP_REFERER"), "myloginpage.asp", vbTextCompare) = 0 Then
        Response.Redirect "myloginpage.asp"
    Else
        ' continue with form processing
    End If

    0
     
    LVL 14

    Assisted Solution

    by:huji
    nan1217, what you are mentioning is not what I understood from the author's question. I think he says that the guy has BYPASSED the authentication, and is not doing authentication from outside the author's web site.
    Well, gloriousamjad. Let's start with this: many hacks are just "social engineering"... I mean, you may be tricked! The guy may just have tricked you, to frighten you, or anything. If this is the case, he/she may try to chat a lot with you about your security problem, and through this long chat you may give him/her more information and help him really hack you somehow.
    This is only an idea.
    A second idea is that the user may have tried some common hacking ideas. For example, I have heard that there is a special term ("' OR 1=1" or something like this, I can not remember it clearly) that can be used to hack sites that simply perform searching in the DB with a very simple SELECT statement in a SQL string. When that phrase is placed in the password, the whole SQL statement will look like:
    SELECT * FROM table WHERE user='jjjkljljlj' AND password='' OR 1=1 and as 1=1 is always true, the user is authenticated!
    So there are several possibilities. I can not tell you "how to prevent him and others from hacking you again" because I don't know what the problem is in your case. I need more information, at least the authentication code you are using, to try to find any solution.
    Wish I can help
    Huji
    0
     

    Author Comment

    by:gloriousamjad
    Yes Huji, I've seen this "OR 1=1" the first time I was hacked, as the username and password for the user who modified one record in the DB, but the second time he just sent me an email showing data from inside pages where he's not authenticated, saying "your authentication mechanism can be avoided and anyone can log in as admin and play with your data".

    Here are my codes

    1) Login Page

    Username:
    Password:

    2)Validation Page

    <%
    suser = Request("suser")
    spassword = Request("spassword")

    ' This part is for database connection and checking for user & password
    ' (the connection string is assumed to be kept in Application("ConnString"))
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")

    ' The request values are concatenated straight into the SQL text
    sql = "SELECT * FROM Users WHERE username ='" & suser & "' AND password ='" & spassword & "'"
    Set rsCC = conn.Execute(sql)

    If rsCC.EOF Then
        Session("Authenticated") = 0
        Response.Redirect "login.asp"
    Else
        Session("suser") = Request("suser")
        Session("spassword") = Request("spassword")
        Session("Authenticated") = 1
        Response.Redirect "admin.asp"
    End If
    %>

    3) Inside pages

    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"
    Response.Expires = -1
    Response.Buffer = True

    If Session("Authenticated") = 0 Then
     Response.Redirect ("../../scholarships/login.asp")
    End If

    if session("suser")="" then
        Response.Redirect "Login.asp"
        Response.End
    end if
    0
     

    Author Comment

    by:gloriousamjad
    actually it's  ' OR ''='
    0
     
    LVL 28

    Accepted Solution

    by:
    If it's that simple, you have ignored the basic rules of building dynamic SQL. Now this guy that hacked you is probably quite friendly; he could have done more harm. The mechanism is called "SQL injection". It is very easy to prevent this:


    ' Double every single quote in the input before it goes into the SQL string
    sql = "SELECT * FROM Users WHERE username ='" & Replace(suser, "'", "''") & "' AND password ='" & Replace(spassword, "'", "''") & "'"

    and you are done
    0
     
    LVL 26

    Expert Comment

    by:Rejojohny
    SELECT * FROM  Users where username ='"& suser &"' and password ='"& spassword &"'

    Your code is open to "SQL injection", or what we call "cross scripting" .. what happens if I enter in your login page .. for the login textbox a value "junk' or 1=1 and '' " and for the password "some junk"? Your SQL code will look like

    SELECT * FROM  Users where username = 'junk' or 1=1'' and password ='some junk'

    so your next line to check EOF will always be correct and you will be authenticated ...
    0
     
    LVL 26

    Expert Comment

    by:Rejojohny
    use stored procedures instead ...
    0
     
    LVL 26

    Assisted Solution

    by:Rejojohny
    have a look at this link .. basics about how to prevent SQL injection
    http://www.securiteam.com/securityreviews/5DP0N1P76E.html
    0
     
    LVL 28

    Expert Comment

    by:sybe
    @Rejojohny
    Is there anything wrong with the solution I proposed (because you keep posting solutions)? I think that my solution will block all SQL injection.
    0
     
    LVL 26

    Expert Comment

    by:Rejojohny
    @sybe
    When I posted my comment "12:43PM AST", I had not seen your comments till then .. as for the other comments .. using an SP is much easier than the Replace command, as there are other ways of SQL injection (other than just using single quotes) .. as for the third comment .. I posted it for "gloriousamjad" .. for his reference, to understand what exactly SQL injection means and how it can be prevented .. if "gloriousamjad" feels my comments are irrelevant, be assured that he will say so ..
    0
     
    LVL 28

    Expert Comment

    by:sybe
    >> using SP is much easier than the replace command as there are other ways of SQL injection (other than just using single quotes)

    * You can argue about whether using an SP is easier, and your database has to support SPs.
    * You suggest that escaping single quotes is not enough to prevent SQL injection. I'd like to see how, because as far as I know it is safe. I don't see any way to use SQL injection when single quotes are being escaped. But I'd be interested to know if something can be done.
    0
     
    LVL 26

    Expert Comment

    by:Rejojohny
    What I meant was: what would happen if your field is an integer instead of a character? In that scenario, the person hacking would not even enter a single quote .. so your Replace statement would just fail to stop SQL injection.

    Anyway, I am not here to argue .. I thought "gloriousamjad" should be aware of all the scenarios and so posted my comments .. please be aware I am not trying to debate with you ...
    0
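    To make the three positions in the thread concrete (huji's `' OR 1=1` sketch, sybe's Replace fix, and Rejojohny's unquoted-integer case), here is an added example that is not code from the thread: the asker's validation query replayed in Python against a throwaway SQLite copy of the Users table. The table, its rows and the credentials are constructed for the demo; the column names follow the ASP code posted in the question, and the function names are mine.

```python
# Added example, not code from the thread: the login from the question replayed
# against a throwaway SQLite copy of the Users table, beside the two fixes the
# experts discuss. Table, rows and credentials are constructed for the demo.
import sqlite3


def make_db():
    """Constructed stand-in for the Users table (column names as in the question)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "admin", "S3cret!"), (2, "guest", "guest")])
    return conn


def login_concat(conn, suser, spassword):
    """As posted: the request values are pasted straight into the SQL string."""
    sql = ("SELECT * FROM Users WHERE username ='" + suser +
           "' AND password ='" + spassword + "'")
    return conn.execute(sql).fetchone() is not None


def vb_escape(value):
    """VBScript Replace(value, "'", "''") from the accepted solution."""
    return value.replace("'", "''")


def login_escaped(conn, suser, spassword):
    """Accepted solution: double every single quote before concatenating."""
    sql = ("SELECT * FROM Users WHERE username ='" + vb_escape(suser) +
           "' AND password ='" + vb_escape(spassword) + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, suser, spassword):
    """Parameterised query: values travel separately from the SQL text, which is
    what an ADODB.Command with Parameters (or a stored procedure) gives you in ASP."""
    row = conn.execute("SELECT * FROM Users WHERE username = ? AND password = ?",
                       (suser, spassword)).fetchone()
    return row is not None


def users_by_id_escaped(conn, id_text):
    """Rejojohny's case: an unquoted integer column. Doubling quotes changes
    nothing here, because the payload does not need a quote."""
    sql = "SELECT username FROM Users WHERE id = " + vb_escape(id_text) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def users_by_id_param(conn, id_text):
    """Parameterised, plus a type check so non-numeric input is rejected outright."""
    try:
        id_value = int(id_text, 10)
    except ValueError:
        return []
    return [row[0] for row in
            conn.execute("SELECT username FROM Users WHERE id = ? ORDER BY id", (id_value,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"          # the value the asker reports seeing in his data
    print("concat:   ", login_concat(db, "nobody", payload))   # logged in with no valid password
    print("escaped:  ", login_escaped(db, "nobody", payload))
    print("param:    ", login_param(db, "nobody", payload))
    print("int field:", users_by_id_escaped(db, "1 OR 1=1"))   # both users; escaping did not help
    print("int param:", users_by_id_param(db, "1 OR 1=1"))
```

    Run it and the first line is `True`: with `' OR ''='` as the password the WHERE clause becomes `password ='' OR ''=''`, which is true for every row, so `rsCC.EOF` is false and the admin session gets set. Doubling the quotes (sybe's fix) turns the same input back into a literal and is sufficient wherever the value sits inside a quoted string literal; the integer lookup shows the case Rejojohny describes, where there is no quote to escape and `1 OR 1=1` returns the whole table. Parameters close both gaps at once, which is why they are the usual recommendation over escaping.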
     
    LVL 11

    Expert Comment

    by:mouatts
    I'm with Sybe on this the only way that sql injection can work is by entering a single quote so that you can change the SQL string manipulation.

    So far as the actual problem is concerned I can only see three possibilities.

    1. There is a page where the session variable isn't being checked. This includes pages that might not actually display something but perhaps just handle a request and do a redirection. For example, if you have a 'send email' page and use another page as the action of the form that then just redirects back to the original, or to a thank-you page.
    2. SQL Injection
    3. He only thinks that he has bypassed the login because he previously logged in and hasn't closed the browser down, although may have moved off the site. The session variable will still be active hence he can access any page.

    HTH
    Steve
    0
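    Steve's first possibility, a page that simply never runs the check, is the easiest one to audit mechanically. The following is an added example, not code from the thread: a small Python script that walks a set of ASP sources and lists the pages that contain neither the `Session("Authenticated")` check themselves nor a server-side `#include` that carries it. The site tree is a constructed in-memory stand-in for a webroot; the file names, the `PUBLIC` set and the include file are assumptions for the demo.

```python
# Added example, not code from the thread: list the .asp pages in a site that
# never run the Session("Authenticated") check, counting a page as guarded when
# the check arrives through a server-side #include. The site tree below is a
# constructed in-memory stand-in for a webroot; the file names are made up.
import re
from posixpath import dirname, join, normpath

GUARD_RE = re.compile(r'Session\("Authenticated"\)', re.IGNORECASE)
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)
# Pages that are reachable before login by design (assumed names).
PUBLIC = {"login.asp", "validate.asp"}

SAMPLE_SITE = {  # constructed sample, keyed by path relative to the site root
    "scholarships/login.asp": '<form action="validate.asp" method="post">...</form>',
    "scholarships/validate.asp": '<% If Not rsCC.EOF Then Session("Authenticated") = 1 %>',
    "scholarships/inc/auth.asp":
        '<% If Session("Authenticated") = 0 Then Response.Redirect "login.asp" %>',
    "scholarships/admin.asp": '<!-- #include file="inc/auth.asp" --> admin page',
    "scholarships/edit.asp": '<!-- #include virtual="/scholarships/inc/auth.asp" --> edit form',
    "scholarships/thanks.asp": '<!-- #include file="inc/auth.asp" --> Thank you',
    # Action-only page: no output, just a redirect, and nobody added the guard.
    "scholarships/sendmail.asp": '<% SendMail Request("to") : Response.Redirect "thanks.asp" %>',
}


def resolve_include(kind, target, from_path):
    """Map #include file="..." (relative to the page) or virtual="..." (site root) to a site key."""
    if kind.lower() == "virtual":
        return normpath(target.lstrip("/"))
    return normpath(join(dirname(from_path), target))


def has_guard(path, site, seen=None):
    """True if the page, or anything it includes (transitively), contains the check."""
    seen = set() if seen is None else seen
    if path in seen or path not in site:
        return False
    seen.add(path)
    source = site[path]
    if GUARD_RE.search(source):
        return True
    return any(has_guard(resolve_include(kind, target, path), site, seen)
               for kind, target in INCLUDE_RE.findall(source))


def unguarded_pages(site):
    """Sorted list of .asp pages that are neither public by design nor guarded."""
    return sorted(path for path in site
                  if path.lower().endswith(".asp")
                  and path.rsplit("/", 1)[-1].lower() not in PUBLIC
                  and not has_guard(path, site))


if __name__ == "__main__":
    for page in unguarded_pages(SAMPLE_SITE):
        print("no login check:", page)
```

    On a real site you would fill the dictionary by reading every `.asp` file under the webroot. The match is textual, so it only proves the check is present somewhere in the page or its includes, not that it runs before any output or data access; putting the check in one include file that every protected page pulls in at the top is what keeps that review simple.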
     

    Author Comment

    by:gloriousamjad
    Thank you very much all of you, especially sybe. The problem has been solved.
    0
     
    LVL 14

    Expert Comment

    by:huji
    Nice to hear that. And I still insist that you must ALWAYS think about social engineering. Never let anybody trick you.
    Good luck
    Huji
    0
