Help identify the weakest link in this security system...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Overview of current system:

Chrooted, virtual machine.
SSL protected login credentials
Salted, Hashed password storage/comparison
Strong password requirements (8 characters, 1 each of upper, lower, special, and number, compared against a dictionary/l337-speak dictionary)
Time delays for brute force slowdown

Currently no password request reminder/reset mechanism exposed to users directly. (I need to address this, however).

Missing components:
Real logging/notification for attack attempt profiling/real time response
SessionId protection (just the standard php system)
No CSRF protection
Other suspected weak areas?

Currently I'm only using SSL for the login page, not for the whole site -- therefore I'm not using the cookies_only, cookies_ssl_only options for the session. That could be an option, but the performance trade-off would need to be examined more.

I think that coding up the token/nonce system for my forms to beat CSRF is probably the next vector to attempt to offer some protection against.

The site is not an e-commerce site; it's not a likely target, but I don't want to be stupid about leaving obvious issues open.
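The token/nonce system the post says it will code next, written out as an added example (not code from the original post or the poster's site). It assumes PHP 7 or later for random_bytes() and hash_equals(); the function names csrf_token, csrf_field and csrf_check, the field name csrf_token and the /change-email.php form are illustrative.

```php
<?php
// Added example, not from the original post: a per-session CSRF token for
// HTML forms. Assumes PHP 7+ (random_bytes, hash_equals) and that
// session_start() runs before any output is sent.

declare(strict_types=1);

session_start();

/**
 * Return this session's CSRF token, creating it on first use.
 * One token per session is enough to defeat CSRF: the attacker's page
 * cannot read it, so it cannot forge a request that carries it.
 */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely in HTML
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to drop into every state-changing <form>. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate the token submitted with a POST. hash_equals() compares in
 * constant time, so a wrong guess does not leak how many bytes matched.
 */
function csrf_check(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// --- usage: reject any POST that does not carry the session's token ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... perform the state-changing action here ...
}
?>
<form method="post" action="/change-email.php">
  <?= csrf_field() ?>
  <input type="email" name="email">
  <button type="submit">Update</button>
</form>
```

Two caveats a practitioner would add: the token must only ever travel in a POST body (never in a URL, where it leaks through Referer headers and logs), and it is only as secret as the session it is stored in. If the session cookie itself can be sniffed on a plain-HTTP page, the attacker simply hijacks the session and the CSRF token buys nothing, which is why session protection comes up in the replies.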
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

The weakest link is the user.

Okay, that probably wasn't what you were asking for (and this is a pretty useless reply), but still...

Edit

Since cookies are not being passed via SSL, I think that SessionId protection is your biggest problem now. Basically, I agree.
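What "SessionId protection" beyond the PHP defaults looks like, as an added example that is not code from the original thread. It assumes PHP 7.3 or later (session_set_cookie_params() with an options array and SameSite support); the function names start_hardened_session, on_successful_login and logout, and the $_SESSION keys, are illustrative.

```php
<?php
// Added example, not from the original thread: hardening PHP's built-in
// session handling. Assumes PHP 7.3+. Call start_hardened_session() before
// any output, in place of a bare session_start().

declare(strict_types=1);

/**
 * Configure and start the session with cookie-only ids, strict mode and
 * the cookie flags the thread discusses.
 *
 * $https_only => true sets the Secure flag, so the browser never sends the
 * cookie over plain HTTP. That only works if every page that needs the
 * session is served over SSL; with SSL on the login page alone, the flag
 * would make the user appear logged out everywhere else.
 */
function start_hardened_session(bool $https_only): void
{
    // Never accept or emit a session id in the URL (leaks via Referer,
    // bookmarks and logs; also the classic fixation vector).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself (session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,           // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https_only, // only sent over SSL/TLS
        'httponly' => true,        // not readable by JavaScript (XSS -> hijack)
        'samesite' => 'Lax',       // not sent on cross-site POSTs, blunts CSRF too
    ]);

    session_start();
}

/**
 * Call immediately after the credential check succeeds: rotate the id so
 * an id observed before login (e.g. on a plain-HTTP page, or planted by an
 * attacker) no longer maps to the authenticated session.
 */
function on_successful_login(int $user_id): void
{
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id']   = $user_id;
    $_SESSION['logged_in'] = time();
}

/** Destroy the session server-side and expire the cookie in the browser. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: false while only the login page is on SSL; switch to true once the
// whole authenticated area is served over SSL.
start_hardened_session(false);
```

The regenerate-on-login step closes the fixation hole, but it does not address the problem Ambush Commander points at: with SSL on the login page only, the freshly issued id is sent in clear on the very next page load, so anyone on the path can copy it and hijack the session. Cookie flags cannot fix that; serving the authenticated part of the site over SSL and setting Secure is the only real remedy.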
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

You may be using SSL to protect your login credentials, however have you thought about man-in-the-middle attacks (hijacks)?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

What type of man-in-the-middle hijack are you referring to?

Phishing -- where a third-party website is pretending to be my site, same appearance, to capture credentials before submitting to my site to confirm they've stolen a working pair? Well, that would either not show up as SSL to the user or have an incorrect cert.

Or just the "normal" session hijacking, but that's not a m-i-t-m attack...