Challenge Response Tutorial

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Challenge Response Tutorial

Post by AGISB »

I rethought my concerns against the JavaScript as it really does no harm to use it. So I worked it into my login system and I think I might have caught a little hole in it.

At the end, when the user is authenticated or denied, the challenge_response is not deleted from the database. This might give an attacker a 5 minute window to use the response again if he listens to the traffic, and that's what we are presuming to use it for in the first place.

I think that was just forgotten in the tutorial, but it might be a good idea to add it.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Stupid question:

Just how does some one 'listen' in anyway?

:roll:

How often does it happen?

:roll:

How hard is it to do?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

The easiest way to listen in would be a packet sniffer. Using ARP poisoning, an attacker can route all traffic behind his node on a network through him (called a middle man attack) and log all traffic. Obviously the risk is greater on a wireless network because no ARP poisoning is needed. Just FYI, someone could "feasibly" listen in on a level all the way up to the ISP, but it'd be damn near impossible unless they had access to the physical switches at the ISP.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

neophyte wrote: Just how does some one 'listen' in anyway?
Find a *nix box with a connection between the server, and the target. Get a shell on that box. Then:

# tcpdump -i eth0

(Or whichever interface you need to listen to).

That's it. Unfiltered, raw text will spew upon the screen, including packets containing passwords, usernames, and more.

Of course, that is the "Matrix" view, which isn't at all simple to parse. There are about a hundred different apps that can do that for you, turning it from packet stew to a sexy gui allowing you to watch the progress of a session.
neophyte wrote: How often does it happen?
Extremely often.
neophyte wrote: How hard is it to do?
Depends on the knowledge of the attacker. Considering that you can buy 1,000 machine botnets for $20 online these days, each of which can be a listening post... not hard.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Thanks jshpro, I did some reading about ARP and I have a little better understanding of how this sort of thing happens. Every day is an education.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Roja, thanks for the post. Now I understand even better than before exactly what to do to protect myself and how easy it is for someone to obtain access to clear text transmissions.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

I checked the tutorial and surprise surprise you're quite right. Each check should allow only a single usage of the challenge. Essentially it must delete the challenge the moment it is used as a precaution against any potential misuse.

And they say peer review is worthless...oh the fools ;)

I have amended the tutorial php code to delete the challenge after it is fetched from the database. Thanks for letting me know!
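The single-use rule from the post above, written out as an added example that is not the tutorial's own code: the challenge is fetched and deleted in one step, so a captured response replayed inside the 5 minute window finds no challenge to match. The table layout, the use of an HMAC over the challenge, and the shared secret are assumptions standing in for whatever the tutorial actually uses.

```php
<?php
// Added example, not the tutorial's code. Table and column names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE challenges (user TEXT, challenge TEXT, created INTEGER)');

// One fresh challenge per user; issuing a new one discards any older one.
function issueChallenge(PDO $db, string $user): string {
    $challenge = bin2hex(random_bytes(16));
    $db->prepare('DELETE FROM challenges WHERE user = ?')->execute([$user]);
    $db->prepare('INSERT INTO challenges (user, challenge, created) VALUES (?, ?, ?)')
       ->execute([$user, $challenge, time()]);
    return $challenge;
}

// Fetch and delete inside one transaction, before the response is even checked,
// so a second attempt with the same response (replay) gets nothing to compare to.
function consumeChallenge(PDO $db, string $user): ?string {
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT challenge, created FROM challenges WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM challenges WHERE user = ?')->execute([$user]);
    $db->commit();
    if ($row === false || time() - (int)$row['created'] > 300) {
        return null; // missing, already used, or older than the 5 minute window
    }
    return $row['challenge'];
}

// $secret is the value both sides share (assumed: the stored password hash).
function verifyResponse(PDO $db, string $user, string $secret, string $response): bool {
    $challenge = consumeChallenge($db, $user);
    if ($challenge === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $challenge, $secret);
    return hash_equals($expected, $response); // constant-time comparison
}

// Demonstration with a constructed user and secret.
$secret = hash('sha256', 'correct horse');
$challenge = issueChallenge($db, 'alice');
$response = hash_hmac('sha256', $challenge, $secret); // what the client-side JS computes
echo verifyResponse($db, 'alice', $secret, $response) ? "first use: accepted\n" : "first use: rejected\n";
echo verifyResponse($db, 'alice', $secret, $response) ? "replay: accepted\n" : "replay: rejected\n";
```

The second call is the attacker's replay from the post above; because consumeChallenge deleted the row on the first call, it is rejected regardless of the response being correct.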
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Maugrim_The_Reaper wrote: And they say peer review is worthless...oh the fools
Indeed. I think this is the strength of these forums. It's great to see so much collaborative effort and what it results in. Thanks all of you. I'll check out the amended code now.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Made a few updated comments and organised the workflow better in the tutorial. The changes ensure the challenge is deleted from the database after it is pulled into the PHP script as is supposed to happen.