Security tip in network listening hack technique [New Idea]

JavaScript and client side scripting.

sweb
Forum Newbie
Posts: 18
Joined: Tue Oct 30, 2007 6:32 am
Location: Iran (Semnan)

Security tip in network listening hack technique [New Idea]

Post by sweb »

See my article about secure password submission without SSL.
http://www.mhf.ir/2008/12/01/security-t ... technique/

demo:
http://demo.mhf.ir/secure-login-with-hash/

I'll be waiting for your comments on my blog. :D

Have a good time.
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Security tip in network listening hack technique [New Idea]

Post by JAB Creations »

I'm not entirely sure, but if you're using the same hash at the client in JavaScript as you are at the back-end in PHP, then I think you might be giving away the hashed password... or something along those lines.

I have had interest in this issue but the problem always remains: the hacker can simply visit the site and look at the JavaScript code if they want. This would only prevent people who want quick access.

So we end up going back (I think) to the idea that only SSL can be a secure form of sending passwords. However, I'm hardly a security guru, but I'd love to implement a more secure way of submitting a password. You may want to submit this to the security forum here, though I think the clientside forum was a good choice to post this in as well.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Security tip in network listening hack technique [New Idea]

Post by josh »

If you salt + hash the password and store used salts to detect repeated salt attempts as hacks (playbacks), you can rule out reverse engineering and playback exploits, but each salted hash lets an attacker rule out a large # of possible brute force options.
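
The salted-hash exchange with stored salts that josh describes above, as an added example that is not part of the thread or of the linked article. It assumes SHA-256 and Node's `crypto` module standing in for the browser-side hash; `LoginServer`, `clientResponse`, `captureConfirmsGuess` and the sample account are hypothetical names and constructed data.

```javascript
// Added example: one-time-salt login with playback detection (hypothetical names).
const nodeCrypto = require("crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s, "utf8").digest("hex");

class LoginServer {
  constructor() {
    this.users = new Map();  // username -> sha256(password), stored at signup
    this.issued = new Set(); // salts handed out and not yet answered
    this.used = new Set();   // salts already answered: a second use is a playback
  }
  register(user, password) { this.users.set(user, sha256(password)); }
  newSalt() {
    const salt = nodeCrypto.randomBytes(16).toString("hex");
    this.issued.add(salt);
    return salt;
  }
  verify(user, salt, response) {
    if (this.used.has(salt)) return "replay";           // captured pair sent again
    if (!this.issued.delete(salt)) return "unknown-salt";
    this.used.add(salt);                                // burn it, pass or fail
    const stored = this.users.get(user);
    if (!stored) return "denied";
    const expected = Buffer.from(sha256(salt + stored), "hex");
    const got = Buffer.from(String(response), "hex");
    const ok = got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
    return ok ? "ok" : "denied";
  }
}

// What the page's script would compute before the form is submitted.
function clientResponse(password, salt) {
  return sha256(salt + sha256(password));
}

// The caveat in the post above: a captured (salt, response) pair is enough to
// test a password guess offline, so replay detection does not replace SSL.
function captureConfirmsGuess(salt, response, guess) {
  return clientResponse(guess, salt) === response;
}

function demo() {
  const server = new LoginServer();
  server.register("alice", "correct horse");            // constructed sample account
  const salt = server.newSalt();
  const response = clientResponse("correct horse", salt);
  const first = server.verify("alice", salt, response);
  const replayed = server.verify("alice", salt, response);
  return { first, replayed, salt, response };
}
```

The stored `sha256(password)` is itself sufficient to compute a valid response, which is the concern JAB Creations raises about using the same hash on both sides.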