Solved

Bypass a web application's login page! Urgent

Posted on 2004-10-24
2,059 Views
Last Modified: 2012-08-14
Hi,

I have a web app that uses session authentication. Someone has sent me an email with some data from inside this web app, and he claims that he bypassed the login page very easily.
How can he do so, and how do I prevent him and anyone else from doing this again?

I'd be very grateful if someone could help.

Question by:gloriousamjad
20 Comments
 
LVL 26

Expert Comment

by:Rejojohny
ID: 12392437
>>uses session authentication
What do you mean by session authentication? What does your login page do, and how are the other pages validating whether the user has logged on or not? Do you mean that you store values in the session and check for them in the other pages? Could you post the relevant code?
 
LVL 28

Expert Comment

by:sybe
ID: 12393661
There is a (recently published) vulnerability in .NET that seems to do just that. Are you using .NET?
 
LVL 28

Expert Comment

by:sybe
ID: 12393673
 
LVL 3

Expert Comment

by:nan1217
ID: 12394943
If your login page is just a form that passes values to a second page which then authenticates them and sets some session variables, then it would be very easy to bypass. The other guy would just need to set up his own form which submits to that same second page, and then he would be authenticated.
 

Author Comment

by:gloriousamjad
ID: 12395342
My login page is a form that passes the username & password to a validating page, which checks the username & password against the database, then stores them in session variables; all pages then check for these variables.
By the way, the code is in ASP, not ASP.NET.
I want to know how to prevent bypassing the login page, and how does the other guy do it?
 
LVL 3

Expert Comment

by:nan1217
ID: 12395685
"I want to know how to prevent bypassing the login page, and how does the other guy do it?"

On the second page which sets the session variables, have a checker at the top that says something like

' HTTP_REFERER holds the full URL of the referring page, as sent by the browser
If InStr(Request.ServerVariables("HTTP_REFERER"), "myloginpage.asp") = 0 Then
    Response.Redirect "myloginpage.asp"
Else
    ' continue with form processing
End If
 
LVL 14

Assisted Solution

by:huji
huji earned 120 total points
ID: 12398131
nan1217, what you are mentioning is not what I understood from the author's question. I think he says that the guy has BYPASSED the authentication, not that he is doing authentication from outside the author's web site.
Well, gloriousamjad. Let's start with this: many hacks are just "social engineering"... I mean, you may be tricked! The guy may just have tricked you, to frighten you, or anything. If this is the case, he/she may try to chat a lot with you about your security problem, and through this long chat you may give him/her more information and help him really hack you somehow.
This is only an idea.
A second idea is that the user may have tried some common hacking ideas. For example, I have heard that there is a special term ("' OR 1=1" or something like this, I cannot remember it clearly) that can be used to hack sites that simply perform searching in the DB with a very simple SELECT statement in a SQL string. When that phrase is placed in the password, the whole SQL statement will look like:
SELECT * FROM table WHERE user='jjjkljljlj' AND password='' OR 1=1
and as 1=1 is always true, the user is authenticated!
So there are several possibilities. I cannot tell you "how to prevent him and others from hacking you again" because I don't know what the problem is in your case. I need more information, at least the authentication code you are using, to try to find any solution.
I hope I can help.
Huji
 

Author Comment

by:gloriousamjad
ID: 12398477
Yes Huji, I saw this "OR 1=1" the 1st time I was hacked, as the username and password of the user who modified one record in the DB, but the 2nd time he just sent me an email showing data from inside pages where he's not authenticated, saying "your authentication mechanism can be avoided and anyone can log in as admin and play with your data".

Here are my codes

1) Login Page

Username:
Password:

2) Validation Page

<%
suser = Request("suser")
spassword = Request("spassword")

' This part is for database connection and checking for user & password
' (connection setup not shown in the post; conn is the open ADODB.Connection)
sql = "SELECT * FROM Users WHERE username='" & suser & "' AND password='" & spassword & "'"
Set rsCC = conn.Execute(sql)

If rsCC.EOF Then
    Session("Authenticated") = 0
    Response.Redirect "login.asp"
Else
    Session("suser") = Request("suser")
    Session("spassword") = Request("spassword")
    Session("Authenticated") = 1
    Response.Redirect "admin.asp"
End If
%>

3) Inside pages

<%
' Stop the browser and proxies from caching protected pages
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1
Response.Buffer = True

If Session("Authenticated") = 0 Then
    Response.Redirect "../../scholarships/login.asp"
End If

If Session("suser") = "" Then
    Response.Redirect "Login.asp"
    Response.End
End If
%>
 

Author Comment

by:gloriousamjad
ID: 12398500
actually it's  ' OR ''='
 
LVL 28

Accepted Solution

by:sybe
sybe earned 1600 total points
ID: 12398528
If it's that simple, you have ignored the basic rules of building dynamic SQL. Now, this guy that hacked you is probably quite friendly; he could have done more harm. The mechanism is called "SQL Injection". It is very easy to prevent this:

sql = "SELECT * FROM Users WHERE username='" & Replace(suser, "'", "''") & "' AND password='" & Replace(spassword, "'", "''") & "'"

and you are done.
 
LVL 26

Expert Comment

by:Rejojohny
ID: 12398552
SELECT * FROM Users WHERE username='" & suser & "' AND password='" & spassword & "'

Your code is open to "SQL injection", or what we call "cross scripting". What happens if I enter in your login page, for the login textbox, a value "junk' or 1=1 and '' " and for the password "some junk"? Your SQL code will look like

SELECT * FROM Users WHERE username = 'junk' or 1=1'' and password ='some junk'

so your next line to check EOF will always be correct and you will be authenticated...
 
LVL 26

Expert Comment

by:Rejojohny
ID: 12398555
Use stored procedures instead...
 
LVL 26

Assisted Solution

by:Rejojohny
Rejojohny earned 280 total points
ID: 12398584
Have a look at this link for the basics of how to prevent SQL injection:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
 
LVL 28

Expert Comment

by:sybe
ID: 12398630
@Rejojohny
Is there anything wrong with the solution I proposed (because you keep posting solutions)? I think that my solution will block all SQL injection.
 
LVL 26

Expert Comment

by:Rejojohny
ID: 12398653
@sybe
When I posted my comment "12:43PM AST", I had not seen your comments till then. As for the other comments: using an SP is much easier than the Replace command, as there are other ways of SQL injection (other than just using single quotes). As for the third comment, I posted it for "gloriousamjad", for his reference, to understand what exactly SQL injection means and how it can be prevented. If "gloriousamjad" feels my comments are irrelevant, be assured that he will say so.
 
LVL 28

Expert Comment

by:sybe
ID: 12398681
>> using SP is much easier than the replace command as there are other ways of SQL injection (other than just using single quotes)

* You can argue about whether using an SP is easier, and your database has to support SPs.
* You suggest that the escaping of single quotes is not enough to prevent SQL injection. I'd like to see how, because as far as I know it is safe. I don't see any way to use SQL injection when single quotes are being escaped. But I'd be interested to know if something can be done.
 
LVL 26

Expert Comment

by:Rejojohny
ID: 12398727
What I meant was: what would happen if your field is an integer instead of a character? In that scenario, the person hacking would not even enter a single quote, so your Replace statement would just fail to stop SQL injection.

Anyway, I am not here to argue. I thought "gloriousamjad" should be aware of all the scenarios and so posted my comments. Please be aware I am not trying to debate with you...
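The bypass the author posted (the "' OR ''='" password against the validation page's concatenated SELECT) and the string-versus-integer distinction argued just above, as an added Python example. This is not code from the thread: it replaces the author's database with an in-memory SQLite table holding one constructed admin row, reproduces the Replace(value, "'", "''") escaping from the accepted answer, and contrasts both with a parameterised query.

```python
import sqlite3


# Constructed sample data (not the author's database): one admin row in a
# Users table shaped like the one in the thread. The plaintext password is
# kept only because the thread's code compares plaintext; never do this for real.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'admin', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, suser, spassword):
    """The validation page as posted: request values pasted into the SQL string."""
    sql = ("SELECT * FROM Users WHERE username='" + suser +
           "' AND password='" + spassword + "'")
    return conn.execute(sql).fetchone() is not None


def escape_quotes(value):
    """Python equivalent of the accepted answer's Replace(value, "'", "''")."""
    return value.replace("'", "''")


def login_escaped(conn, suser, spassword):
    """Same query with single quotes doubled; stops payloads that rely on a quote."""
    sql = ("SELECT * FROM Users WHERE username='" + escape_quotes(suser) +
           "' AND password='" + escape_quotes(spassword) + "'")
    return conn.execute(sql).fetchone() is not None


def lookup_by_id_escaped(conn, user_id):
    """Integer column, so the value is not quoted (Rejojohny's scenario).
    Quote escaping is a no-op here because the payload contains no quote."""
    sql = "SELECT * FROM Users WHERE id=" + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def login_param(conn, suser, spassword):
    """Parameterised query: values are bound as data and never parsed as SQL."""
    row = conn.execute("SELECT * FROM Users WHERE username=? AND password=?",
                       (suser, spassword)).fetchone()
    return row is not None


def lookup_by_id_param(conn, user_id):
    """Parameterised plus a type check, which is what a stored procedure with
    a typed integer parameter gives you for free."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # reject anything that is not an integer
    return conn.execute("SELECT * FROM Users WHERE id=?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payloads = [("anything", "' OR ''='"),   # the author's payload, in the password
                ("admin'--", "wrong")]       # comments out the password clause
    for user, pw in payloads:
        print(repr((user, pw)),
              "concat:", login_concat(db, user, pw),
              "escaped:", login_escaped(db, user, pw),
              "param:", login_param(db, user, pw))
    print("id=999 OR 1=1 escaped:", len(lookup_by_id_escaped(db, "999 OR 1=1")), "row(s)")
    print("id=999 OR 1=1 param:", len(lookup_by_id_param(db, "999 OR 1=1")), "row(s)")
```

Quote doubling does stop both quoted payloads, which is why it fixed the author's login page. It does nothing for `id=999 OR 1=1`, where no quote is needed, so the durable fix is binding every value as a parameter (or passing it to a typed stored-procedure parameter) rather than escaping.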
 
LVL 11

Expert Comment

by:mouatts
ID: 12398810
I'm with Sybe on this: the only way that SQL injection can work is by entering a single quote so that you can change the SQL string.

So far as the actual problem is concerned I can only see three possibilities.

1. There is a page where the session variable isn't being checked. This includes pages that might not actually display something but perhaps just handle a request and do a redirection. For example, if you have a 'send email' page and use another as the action of the form that then just redirects back to the original, or to a thank-you page.
2. SQL injection.
3. He only thinks that he has bypassed the login because he previously logged in and hasn't closed the browser down, although he may have moved off the site. The session variable will still be active, hence he can access any page.

HTH
Steve
 

Author Comment

by:gloriousamjad
ID: 12398956
Thank you very much all of you, especially sybe. The problem has been solved.
 
LVL 14

Expert Comment

by:huji
ID: 12401857
Nice to hear that. And I still insist that you must ALWAYS think about social engineering. Never let anybody trick you.
Good luck
Huji

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
This demonstration started out as a follow up to some recently posted questions on the subject of logging in: http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28634665.html and http://www.experts-exchange.com/Programming/…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question