December 2nd, 2003, 12:40 AM
.asp login security check
I am trying to make sure our login process is perfectly secure, and I am wondering how I would go about checking it? I don't want to pay for a service; I would like to learn how to do it on my own.
December 2nd, 2003, 12:41 AM
Can you be a little more specific?
December 2nd, 2003, 12:47 AM
I can try. Well, it is the start of an online game, and our login process was done for us by another group, and they are asking for more money just to make sure it is secure.
So I think we need to attempt to brute force the login site, which is .asp.
December 2nd, 2003, 12:51 AM
I don't think there is such a thing as perfectly secure. Some things to keep in mind, you should have something to prevent someone from brute forcing the account. So for instance after a generous number of attempts, maybe you can lock the account and send an email to the owner of the account with a link to unlock where the password must be provided along with another link to a page if they forget their password. You also should be sending the password to whatever authenticates it encrypted using something such as ssl. I'm sure that most logon things these days are either custom made by someone's webmaster or made by a company. I wouldn't recommend just making your own, chances are it won't be near as secure as a professional one. Those are just a few of many things to keep in mind.
December 2nd, 2003, 12:23 PM
There are a lot of factors that will determine if your login is secure, things like:
1) What's your password policy?
2) Do you have a time-delayed lockout feature when the password is entered wrongly 3 times?
3) What error message is returned when there is an incorrect login? Does it give too much information away?
4) Are you filtering for nasty characters on all data sent from the client before the server processes that data?
5) Does the server check to see if a user is logged in when requesting pages that you should only be able to reach if you have logged in?
Hopefully that should start you on the path. Try www.owasp.org for some more info; they have a good paper on how to secure a web app.
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
December 2nd, 2003, 02:09 PM
I think the things to check are:
1. Are they using cookies in a blatantly stupid way (i.e. using them to store info that the user must not be able to modify)
2. Does the app ensure that it is not vulnerable to any kind of SQL injection or other "funny characters" exploit?
3. Is the forgotten password mechanism secure?
4. As SD says, does it give away too much information?
5. (As SD says) - is the session checking mechanism within the application robust? It needs to exist on every page (obviously) and do all relevant checks every time.
These are the common errors I've seen.
The most stupid thing to do is set a cookie "logged_in=1" or something which the app sees and assumes the user has logged on correctly, whereas a savvy user could set the cookie manually.
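To make the cookie point concrete, here is an added example (not code from this thread, and written in Python rather than classic ASP): the client-trusted "logged_in=1" flag beside a server-signed session token that the client can read but cannot forge or alter. The key name, token layout and TTL are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example; a real app loads it from
# configuration, and it must never reach the client.
SERVER_KEY = secrets.token_bytes(32)


def naive_check(cookies: dict) -> bool:
    # The pattern the post warns against: a flag the client can simply set.
    return cookies.get("logged_in") == "1"


def issue_session(user: str, ttl_seconds: int = 3600) -> str:
    # Token layout (assumed): user|expiry|HMAC-SHA256(user|expiry).
    # Only the server holds SERVER_KEY, so the MAC cannot be recomputed
    # by a client that changes the user name or the expiry.
    expiry = str(int(time.time()) + ttl_seconds)
    payload = f"{user}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_session(cookie: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None.

    Every page that requires a login calls this; the cookie's contents are
    never trusted until the MAC and expiry have been checked."""
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry, mac = parts
    expected = hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, expected):
        return None
    current = now if now is not None else time.time()
    if not expiry.isdigit() or int(expiry) < current:
        return None
    return user
```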
December 2nd, 2003, 06:26 PM
You should check out the owasp project at - http://www.owasp.org/index
Another good place to check would be the http://www.sans.org reading room or the http://www.securityfocus.com/ website. All three of these have papers on web application security, authentication, etc. secfocus has a good paper on testing your web application authentication scheme.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
July 1st, 2005, 03:33 PM
Guys, what's up? My problem is a bit complex (well, that's what I think).
Consider a .asp file on the net. Here I have to enter a number (say a roll number) and then it gives me the results related to that number.
E.g. I take some exam QWERTY and my roll number is 12345. So when results for the exam are announced I go to the site and open the corresponding .asp (say result.asp). I enter my number 12345 and press enter. Now it will show my name and my score in the QWERTY exam.
Here's my question: is there any way I can search for a name (say Sam) and get all other information related to Sam (his score and roll number etc.)?
Please help me guys