#1 2015-08-25 03:51:52

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

troy hunt

It's been a long time that I haven't played with my little mORMot. But unfortunately I don't know how to implement a secure SignIn/Changepassword feature to be used in ajax clients.

I've created two interface-based services: SignIn and ChangePassword. Exactly, I would like to consume these methods from SmartMS clients. Authentication is enabled:

POST http://127.0.0.1:8080/services/MyService.SignIn
{
"errorCode":403,
"errorText":"Forbidden"
}

My silly methods is working apparently fine, I can both create users and then change its passwords.

For the sake of this example, let’s say that there is a button "SignIn" in SmartMS and a user named “warleyalex” would like to signIn. warleyalex is asked to enter his username and password.

TServiceMyService.Create(Client).SignIn(Trim(newUser.Text),Trim(newPass.Text),
procedure(res: variant)
begin
 resLabel.Caption := format('Result = %s',[res.success]);
end,
lambda
begin
  resLabel.Caption := 'Error calling the method!';
end);
end;

Nice, I couldn't see the credentials at URI, the method POST was used to send the info to the server.
The fundamental weakness here is that the sensitive data is still transmitted unencrypted over the Internet, meaning a hacker who is sniffing network traffic could steal warleyalex’s password.

POST http://127.0.0.1:8080/services/MyServic … c33957a5b9

POST http://127.0.0.1:8080/services/MyServic … c4ffb12934
["warleyalex",  "synopse"] --> Payload request

In experiments, I discovered something that can aggravate the situation. A hacker who is sniffing the network traffic could steal the session_signature to create new users or change passwords.

For instance: He could grab this info: session_signature=002d2363d98907816323a23f then he could create a new user or change password. f.i. Let's create a user called 'hacker'

POST http://127.0.0.1:8080/services/MyServic … 816323a23f
["hacker",  "synopse"]
{"result":[{"success":"User hacker added."}]}

Another concern with this technique is storage of warleyalex’s password. It is stored as a one-way hash value, which is a best practice to keep passwords safe. This password current is actually being stored in the backend database sqlite3 with encrypted a password hash. Something like this:

PasswordHashHexa='67aeea294e1cb515236fd7829c55ec820ef888e8e221814d24d83b3dc4d825dd'

The concern is that someone could pay an administrator to get this info and a anyone could easily inject this hash to get authenticated.


How to implement a secure SignIn/Changepassword feature to be used in ajax clients?

Offline

#2 2015-08-25 09:41:31

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,182
Website

Re: troy hunt

The session_signature=002d2363d98907816323a23f value has a limited life-time work.
What you may do is put the parameters at the URI level. Then they would be part of the signature computation, and the user would only be able to replay the same exact request.

About password storage, we may implement a nonce/salt stored with the password itself.
It would reduce brute force attack to recover the password from the application point of view.
But if your database is stolen, in all cases, low-level authentication may indeed be possible, knowing the hash.
... if your database is stolen/compromised, I guess that you may have bigger issues than this!

So in all cases, to secure all this from AJAX, should should use a HTTPS connection.
This is how all AJAX apps do, AFAIK.

Offline

#3 2015-08-26 13:17:53

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: troy hunt

Hi,
Unfortunately I couldn't use HTTPS / SSL using Windows XP. 

In my experiments, to signIn a new user with SmartMS, Now, I'm sending the credentials using base64 method.

POST http://127.0.0.1:8080/services/MyServic … 684cfdf5e9
["ZDJGeWJHVjVZV3hsZURJNmMzbHViM0J6WlE9PQ=="]

After one creates a new user, a session will be closed ( Client.SessionClose; ), at least would not be able to replay the request to add new users.

Digging a bit further, the issue is that when I add a new user to the database and I try to login the new client in SmartMS - I'm getting an 403 Forbidden status code when I try to login, when I use 'User', 'synopse'  everything works according to plan. Is there a technical reason for which a client does not connect to the server?

Offline

#4 2015-08-26 21:14:26

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: troy hunt

It Worked like a charm :=)

Last edited by warleyalex (2015-08-27 23:12:34)

Offline

Board footer

Powered by FluxBB