Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2066
  • Last Modified:

Bypass a web application's login page! Urgent

Hi,

I have a web app that uses session authentication. Someone has sent me an email with some data from inside this web app, and he claims that he bypass the login page very easily.
How can he do so ? and how do I prevent him and anyone else doing this again?

I'd be very grateful if someone could help.

0
gloriousamjad
Asked:
gloriousamjad
  • 6
  • 5
  • 4
  • +3
3 Solutions
 
RejojohnyCommented:
>>uses session authentication
what do u meant by session authentication? what does ur login page do and how are the other pages validating if the user has logged on or not? do u mean that u store values in the session and check for them in the other pages? could u post the relevant codes ..
0
 
sybeCommented:
There is a (recently published) vulnerability in dot.net that seems to do just that. Are you using dot.net?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
nan1217Commented:
If your login page is just a form that passes values to a second page and then authenticates them and sets some session variables, then it would be very easy to bypass.  The other guy would just need to setup his own form which submits to that same second page and then he would be authenticated.
0
 
gloriousamjadAuthor Commented:
My login page is a form that passes the username & password to a validating page in which it validates the username & password in the database, then store them in session variables, and check for these variables in all pages.
By theway, the code is in ASP not asp.net
I want to know how to prevent bypassing the login page, and how does the other guy do it?

0
 
nan1217Commented:
"I want to know how to prevent bypassing the login page, and how does the other guy do it?"

On the second page which sets the session variables, have a checker at the top that says something like

If Request.ServerVariables("HTTP_Referer")<>"myloginpage.asp" then
     response.redirect myloginpage.asp
else
     'continue with form processing
end if

0
 
hujiCommented:
nan1217, what you are mentioning is not what I understood from the author's question. I think he says that the guy has PASSED the authentication BY, and not to be doing authentication from outside the author's web site.
Well, gloriousmjad. Let's start with this: Many hacks are just "social enginereeing"... I mean, you may be tricked! The guy may just have tricked you, to frighten you, or any thing. If this is the case, he/she may try to chat a lot with you, about your security problem, and through this long chat, you may give him/her more information, and help him really hack you somehow.
This is only an idea.
A second idea is that the user may have tried some common hacking ideas. For example, I have heard that there is a special term ("' OR 1=1" or something like this, I can not remember it clearly), that can be used to hack sites that simple perform searching in DB with a very simple SELECT statement in SQL string. When that phrase is placed in password, the whole SQL statement will look like:
SELECT * FROM table WHERE user='jjjkljljlj' AND passowrd='' OR 1=1" and as 1=1 is always through, the user is authenticated!
So there are several possibilities. I can not tell you "how to prevent him and others from hacking you again" becuase I don't know what the problem is, in your case. I need more information, at least the authentication codes you are using, to try to find any solution.
Wish I can help
Huji
0
 
gloriousamjadAuthor Commented:
Yes Huji, i've seen this "OR 1=1" 1st time I was hacked as the username and password for the user who modified one record in the DB, but the 2nd time he just sent me an email showing data from inside pages where he's not authenticated saying "your authentication mechanism can be avoided and anyone can log in as admin and play with your data"

Here are my codes

1) Login Page

Username:
Password:

2)Validation Page

suser=request("suser")
spassword=request("spassword")

' This part is for database connection and checking for user & password

SELECT * FROM  Users where username ='"& suser &"' and password ='"& spassword &"'

if rsCC.EOF then
       session("Authenticated")=0
       response.redirect ("login.asp")
Else
      session("suser") = request("suser")
      session("spassword") = request("spassword")
      session("Authenticated")=1
      response.redirect ("admin.asp")
end if

3) Inside pages

Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -1
Response.Buffer = True

If Session("Authenticated") = 0 Then
 Response.Redirect ("../../scholarships/login.asp")
End If

if session("suser")="" then
    Response.Redirect "Login.asp"
    Response.End
end if
0
 
gloriousamjadAuthor Commented:
actually it's  ' OR ''='
0
 
sybeCommented:
If it's that simple, you have ignored the basic rules of building dynamic SQL. Now this guy that hacked you is probably quite friendly, he could have done more harm. The mechanism is called "SQL Injection. It is very easy to prevent this:


SELECT * FROM  Users where username ='"& Replace(suser,"'","''") &"' and password ='"& Replace(spassword,"'","''") &"'

and you are done
0
 
RejojohnyCommented:
SELECT * FROM  Users where username ='"& suser &"' and password ='"& spassword &"'

ur code is open to "SQL injection" or what we call as "cross scripting" .. what happens if i add in ur login page .. for the login textbox a value "junk' or 1=1 and '' " and for the password " some junk " . so ur sql code will look like

SELECT * FROM  Users where username = 'junk' or 1=1'' and password ='some junk'

so ur next line to check EOF will always be correct and ur will be authenticated ...
0
 
RejojohnyCommented:
use stored procedures instead ...
0
 
RejojohnyCommented:
have a look at this link .. basics about how to prevent SQL injection
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
0
 
sybeCommented:
@Rejojohny
Is there anything wrong the solution i proposed (because you keep posting solutions). I think that my solution will block all SQL injection.
0
 
RejojohnyCommented:
@sybe
When i posted my comment "12:43PM AST", i had not seen ur comments till then .. as for the other comments .. using SP is much easier than the replace command as there are other ways of SQL injection (other than just using single quotes) .. as for the third comment .. i posted it for "gloriousamjad" .. for his reference to understand the what exactly SQL injection means and how it can preveneted .. if "gloriousamjad" feels my comments are irrelevant, be assured that he will say so ..
0
 
sybeCommented:
>> using SP is much easier than the replace command as there are other ways of SQL injection (other than just using single quotes)

* You can argue about it if using an SP is easier, and your database has to support SP's.
* You suggest that the escaping of single quotes is not enough to prevent SQL injection. I'd like to see how, becuse as far as I know it is safe. I don't see any way to use SQL Injection when single quotes are being escaped. But i'd be interested to know if there can be done something.
0
 
RejojohnyCommented:
what i meant was what would happen if ur field is a integer instead of a character .. in that scenario, the person hacking would not even enter a single quote .. so ur replace statement would just fail to stop SQL injection

anyway i am not here to argue .. thought "gloriousamjad" should be aware of all the scenarios and so posted my comments .. pls be aware i am not trying to debate with you ...
0
 
mouattsCommented:
I'm with Sybe on this the only way that sql injection can work is by entering a single quote so that you can change the SQL string manipulation.

So far as the actual problem is concerned I can only see three possibilities.

1. There is a page where the session variable isn't being checked. This includes pages that might not actually display something but prehaps just handle a request and do a redirection. For example if you have a 'send email page' and use another as the action of the form that then just redirects back to the original, or to a thank you page.
2. SQL Injection
3. He only thinks that he has bypassed the login because he previously logged in and hasn't closed the browser down, although may have moved off the site. The session variable will still be active hence he can access any page.

HTH
Steve
0
 
gloriousamjadAuthor Commented:
Thank you very much all of you, especially sybe. The problem has been solved.
0
 
hujiCommented:
Nice to hear that. And I still insist that you must ALWAYS think about social engineering. Never let any body trick you.
Good luck
Huji
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 5
  • 4
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now