Can you break my web site? Go ahead

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
FWIW the VB.NET login code at present looks like this:

Code:
Imports System.Web.DynamicData

Partial Class _Default
    Inherits System.Web.UI.Page
    Dim strUserName As String
    Dim strPassword As String
        
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
        Session("Editing_Rights") = "Z"
        If IsPostBack Then
            strUserName = strAlphaOnly(Left$(txtUserName.Text, 20))
            strPassword = strAlphaOnly(Left$(txtPassword.Text, 20))
            If Len(strUserName) > 4 Then
                Session("UserName") = strUserName
                txtPassword.Text = strPassword
                '// Now try to log in
                Select Case strUserName
                    Case "DonnEdwards"
                        If strPassword = "*******" Then
                            Session("Editing_Rights") = "ACDZ" ' Add Change Delete Zoom
                        Else
                            Session("Editing_Rights") = "Z" ' Zoom only
                            Session("UserName") = ""
                        End If
                    Case "admin"
                        If strPassword = "admin" Then
                            Session("Editing_Rights") = "ACDZ" ' Add Change Delete Zoom
                        Else
                            Session("Editing_Rights") = "Z" ' Zoom only
                            Session("UserName") = ""
                        End If
                    Case Else
                        Session("Editing_Rights") = "Z" ' Zoom only
                End Select
                pnlForm.Visible = False
                pnlLoggedIn.Visible = True
            Else
                Session("UserName") = ""
                txtPassword.Text = ""
            End If

        End If
        txtUserName.Text = Session("UserName")
    End Sub

    Function strAlphaOnly(ByVal pstrText As String) As String
        '// Extract just the a-z chars from a string
        '   Version 1.67.33 (c) 2003 Black and White Inc
        Dim strTemp As String
        Dim lngI As Long
        strTemp = ""
        For lngI = 1 To Len(pstrText)
            If InStr(1, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890_", Mid$(pstrText, lngI, 1)) > 0 Then
                strTemp = strTemp & Mid$(pstrText, lngI, 1)
            End If
        Next lngI
        strAlphaOnly = strTemp
    End Function

End Class

So the " ' and 1=1; " ruse won't work because it will be shortened to

"and11", because spaces and punctuation are stripped out of both the user name and the password.

Now if you could persuade the site to set
Session("Editing_Rights") = "ACDZ"
without logging in as "admin", then I would be truly impressed.

Alternatively if you could tell me what the password is that I replaced with **** I would be even more impressed.
 
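To make the behaviour of the posted login checkable offline, here is an added example (my own Python model, not the site's VB.NET) that ports strAlphaOnly and the Select Case branch as posted, then places a hardened login beside it. The redacted "*******" password is replaced by a placeholder, the user table and the password "correct horse battery staple" are constructed for the demonstration, and the hardened version swaps the hard-coded comparisons for salted PBKDF2 records checked with hmac.compare_digest; none of that is from the original page.

```python
"""
Added example (not the original site's code): a Python model of the posted
VB.NET login next to a hardened version, so the behaviour discussed in the
thread can be exercised offline.
"""
import hashlib
import hmac
import os

# Same character set as strAlphaOnly in the posted code.
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890_")

# The real password is redacted as "*******" on the page; this placeholder
# is an assumption used only so the model can be run.
DONN_PASSWORD_PLACEHOLDER = "redacted"


def str_alpha_only(text: str) -> str:
    """Port of strAlphaOnly: keep [A-Za-z0-9_], drop every other character."""
    return "".join(ch for ch in text if ch in ALLOWED)


def posted_login(username: str, password: str) -> dict:
    """Mirror of the posted Page_Load postback branch.

    Returns the session values and whether pnlLoggedIn would be shown.
    """
    session = {"Editing_Rights": "Z", "UserName": "", "logged_in_panel": False}
    user = str_alpha_only(username[:20])      # Left$(..., 20) then filter
    pw = str_alpha_only(password[:20])
    if len(user) > 4:                          # Len(strUserName) > 4
        session["UserName"] = user
        if user == "DonnEdwards":
            if pw == DONN_PASSWORD_PLACEHOLDER:
                session["Editing_Rights"] = "ACDZ"
            else:
                session["UserName"] = ""      # rights stay "Z"
        elif user == "admin":
            if pw == "admin":                  # hard-coded default credential
                session["Editing_Rights"] = "ACDZ"
            else:
                session["UserName"] = ""
        # Case Else: unknown names keep "Z" and are still shown as logged in.
        session["logged_in_panel"] = True
    return session


# ---- hardened version ------------------------------------------------------

def make_record(password: str, iterations: int = 100_000) -> dict:
    """Salted PBKDF2-SHA256 record; the clear-text password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


# Constructed user table (assumption). No default admin account and no
# character stripping: any password, Unicode included, is accepted as typed.
USERS = {
    "DonnEdwards": {"record": make_record("correct horse battery staple"), "rights": "ACDZ"},
}
# Dummy record so an unknown name costs the same PBKDF2 work as a known one.
_DUMMY = make_record(os.urandom(16).hex())


def hardened_login(username: str, password: str, users: dict = USERS) -> dict:
    """Only a known name with the right password leaves the anonymous
    zoom-only state; everything else stays logged out."""
    anonymous = {"Editing_Rights": "Z", "UserName": "", "logged_in_panel": False}
    entry = users.get(username)
    record = entry["record"] if entry is not None else _DUMMY
    ok = verify(record, password)            # always runs, known name or not
    if entry is None or not ok:
        return anonymous
    return {"Editing_Rights": entry["rights"], "UserName": username, "logged_in_panel": True}


if __name__ == "__main__":
    for u, p in [(" ' and 1=1; ", "x"), ("a' or 'c'='c", "x"),
                 ("lookiamauser", "uhmidontknow"), ("admin", "admin")]:
        print(repr(u), "->", posted_login(u, p), "| hardened:", hardened_login(u, p))
```

Running it shows the two facts the thread circles around: the filter does turn ` ' and 1=1; ` into `and11`, and because that is five characters the posted branch still flips the page into its "logged in" panel with zoom rights for it, as it does for any other five-plus-character name. The hardened version has no `Case Else` that treats unknown names as logged in, no `admin`/`admin` pair in source, and does the same PBKDF2 work for unknown and known names so the lookup itself does not leak which names exist.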

Fafa

Expert Member
Joined
Nov 9, 2008
Messages
3,095
Hmm. Just by looking at the code you have posted, the website will be vulnerable to timing attacks. I will quickly explain what it is, as I think it's a very new phenomenon.

Let's say we time the login failure events. If I try to log in as DonnEdwards it has to deal with one extra if statement, whereas a username which does not exist will actually have to jump through one less if statement. So this leads anybody with knowledge of timing attacks to be able to determine which usernames your website will grant access to.

On this website it should be fairly easy to fix, as you just need to introduce a randomly selected 0-30ms delay before any of the if statements are processed. I am pretty sure the extra if statement will only add about 4-5ms to the access time at most, so the delay should be sufficient :) Most websites are currently vulnerable to this type of attack, hence it's a new thing :)
 
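The post above describes a timing side channel in the login and proposes random delay as the fix. The following added example (my own code, not from any poster) makes the mechanism concrete without needing a stopwatch: it counts the work a comparison does instead of timing it, so the result is deterministic. It shows an early-exit comparison giving away a secret one byte at a time, a constant-work comparison giving away nothing, and what uniform random padding does to an attacker who averages samples. The secret `s3cret`, the alphabet, the `\x00` padding and the 0-30 unit jitter range are all constructed for the demonstration.

```python
"""
Added example (not from the thread): how an early-exit comparison leaks the
secret through the amount of work done, how a constant-work comparison does
not, and what a random delay does to an attacker who averages samples.
"""
import hmac
import random
import string


def early_exit_equal(secret: bytes, guess: bytes, counter: list) -> bool:
    """Naive comparison that stops at the first mismatch, as ordinary string
    equality does. counter[0] records how many bytes were examined."""
    if len(secret) != len(guess):
        return False
    for s, g in zip(secret, guess):
        counter[0] += 1
        if s != g:
            return False
    return True


def constant_work_equal(secret: bytes, guess: bytes, counter: list) -> bool:
    """Examines every byte no matter where the first mismatch is, so the work
    depends only on the length. In real code use hmac.compare_digest."""
    if len(secret) != len(guess):
        return False
    diff = 0
    for s, g in zip(secret, guess):
        counter[0] += 1
        diff |= s ^ g
    return diff == 0


def steps(compare, secret: bytes, guess: bytes) -> int:
    """How much work the comparison did for this guess (the attacker's clock)."""
    counter = [0]
    compare(secret, guess, counter)
    return counter[0]


def recover_secret(compare, secret: bytes, alphabet: bytes) -> bytes:
    """Attacker loop: for each position try every byte and keep the one that
    made the comparison do the most work. Only the work done and the
    accept/reject result are observed, never the secret itself."""
    length = len(secret)
    known = b""
    for pos in range(length):
        best_byte, best_steps = None, -1
        for b in alphabet:
            guess = known + bytes([b]) + b"\x00" * (length - pos - 1)
            counter = [0]
            if compare(secret, guess, counter):
                return known + bytes([b])        # last byte: accepted outright
            if counter[0] > best_steps:
                best_byte, best_steps = b, counter[0]
        known += bytes([best_byte])
    return known


def jittered_mean_steps(secret: bytes, guess: bytes, trials: int = 10000, seed: int = 1) -> float:
    """Model of "add a random 0-30 unit delay": each observation is the
    early-exit work plus uniform noise. The mean over many trials is reported."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += steps(early_exit_equal, secret, guess) + rng.randint(0, 30)
    return total / trials


ALPHABET = (string.ascii_lowercase + string.digits).encode()
SECRET = b"s3cret"   # constructed secret for the demonstration


if __name__ == "__main__":
    print("early exit :", recover_secret(early_exit_equal, SECRET, ALPHABET))
    print("constant   :", recover_secret(constant_work_equal, SECRET, ALPHABET))
    right = b"s" + b"\x00" * 5
    wrong = b"a" + b"\x00" * 5
    print("jittered mean, right first byte:", jittered_mean_steps(SECRET, right, seed=1))
    print("jittered mean, wrong first byte:", jittered_mean_steps(SECRET, wrong, seed=2))
    print("hmac.compare_digest:", hmac.compare_digest(SECRET, b"s3cret"))
```

Against the early-exit comparison the loop recovers `s3cret` with at most 36 guesses per position instead of 36 to the power of 6; against the constant-work comparison every guess costs the same and the loop just walks off with the first byte of the alphabet. The jittered means differ by about one unit of work even though each single observation is buried in 0-30 units of noise, because uniform noise averages out: random padding raises the number of samples an attacker needs, while a comparison whose work does not depend on the secret removes the signal. The same reasoning applies to the `Select Case` branches in the posted code, which is why the usual fix is constant-work comparison plus doing the same work for unknown names, rather than added delay.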

Raithlin

Executive Member
Joined
Jan 4, 2005
Messages
5,032
For interest's sake, you could place absolutely anything in the username and password fields and it will log you in with no editing rights.

I got in using the following:

Username: lookiamauser

Password: uhmidontknow

:p
Yeah, I figured that bit out. Would have been nice if we'd known that to start with.

Well done on the alpha-only code. Good thinking - unless your user wants to use non-alpha characters in their password - or Unicode?
 

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
Well done on the alpha-only code. Good thinking - unless your user wants to use non-alpha characters in their password - or Unicode?

None of the data we will publish supports Unicode, so I think we'll give that a miss. I'll probably expand the supported characters to include accented letters and @, - and . to allow users to use their email addresses as logins or passwords.

The timing idea is interesting, and I may add it in just for fun. I intend to have a separate table for user names and passwords, which may screw up the timing attack anyway, but we'll see.

Once again, I must thank everyone who tested the site. Looking at the Google Analytics stats I am delighted that most of the response has been from this forum.

I haven't implemented all the changes yet: I will be working on it full time on Friday, and we'll decide whether to upload the entire FishWise database then or not. Probably not until the end of August.
 

hyperian

Expert Member
Joined
Apr 17, 2008
Messages
1,878
I think that the login system may be vulnerable to basic SQL injection:

username: a' or 'c'='c
password: any character string

That logs me in, but with no editing rights: "You have logged in with no editing rights.
Use the "Data" menu to view and edit the data."
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
I think that the login system may be vulnerable to basic SQL injection:

username: a' or 'c'='c
password: any character string

That logs me in, but with no editing rights: "You have logged in with no editing rights.
Use the "Data" menu to view and edit the data."

Read the posts above. ANY string above 5 characters in length will log you in with no editing rights... ;)
 

monkeeh

Well-Known Member
Joined
Oct 29, 2004
Messages
105
Why on earth would you display such personal details to anyone (employee page)? That's madness.
 