WebApp Sec: Re: Reviewing security parameters

Re: Reviewing security parameters

From: Ilya Sher <ilya79_at_actcom.net.il>
Date: Fri, 16 Apr 2004 21:09:04 +0300

Simon Lemieux wrote:
> Hi there,
> I just composed a login page for my administration of my website.
>
> I just wanted to make sure I had taken everything in consideration when
> programming that php script. My main focus is, of course, security.
>
> At first a login variable is initialized with "guest" in it. If the
> whole script fails or if the user was not granted access, it will return
> "guest". It is then the duty of the index.php (that called my login
> script) to check what login was returned and take action if it was
> "guest", like refusing all access. But as you see the script is also
> designed to let a guest come in and still use some things.
>
> Guest access is denied on my administration page of course.
>
> The script checks if it was run using SSL. If not it will automatically
> return the "guest" user and will print a link to the same page with
> https://... So it always authenticates users with SSL.
>
> Also, the inputs the user will send to login are the form's _REQUESTs
> that contain login and password, and then the input becomes a COOKIE
> which contains a random ID. All these inputs are checked to see if they
> are trustable; they must contain only letters and numbers, I've also
> allowed some punctuation but no " or '...
>
> The Cookie ID is a string of 32 characters given randomly and stored in
> a login database with the user's IP address and user ID.
>
> So I check to see if both ID and IP match the user's.
>
> At any point if the Cookie contains wrong information or if it contains
> untrustable characters, the user is disconnected (i.e. all login records
> are closed and user will have to re-auth).
>
> Logins, disconnection, bad login/passwords, untrustable characters are
> reported in a Log database.
DoS - log overflow maybe.
>
> Do you guys think this script is safe?
It is simpler for me (I guess for others too)
to see the code (not that I'm a security expert,
but hey - that's another pair of eyes of a PHP programmer
on your code).
Can't tell you till then.
>
> Thanks,
> Simon
>
Received on Apr 16 2004
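
The session check described in the quoted message, sketched in PHP as an added example (it is not Simon's script, which was not posted to the list). Arrays stand in for the login and log databases, and every name and the per-IP log cap are assumptions; the cap addresses the log-overflow concern raised in the reply.

```php
<?php
// Added example: in-memory arrays stand in for the login and log databases.
// All function, variable and constant names here are hypothetical.
declare(strict_types=1);

const MAX_LOG_ROWS_PER_IP = 5;   // assumed cap; bounds log growth per source

$sessions = [];   // session id => ['user' => ..., 'ip' => ...]
$log      = [];   // ip => list of event strings

function new_session(array &$sessions, string $user, string $ip): string {
    $id = bin2hex(random_bytes(16));          // 32 characters from a CSPRNG
    $sessions[$id] = ['user' => $user, 'ip' => $ip];
    return $id;
}

function log_event(array &$log, string $ip, string $event): void {
    $log[$ip] ??= [];
    if (count($log[$ip]) < MAX_LOG_ROWS_PER_IP) {
        $log[$ip][] = $event;                 // further rows from this IP are dropped
    }
}

function resolve_login(array &$sessions, array &$log, ?string $cookie,
                       string $ip, bool $https): string {
    $login = 'guest';                         // default, returned on any failure
    if (!$https || $cookie === null) {
        return $login;                        // only authenticate over SSL
    }
    // Allowlist check before the value touches the store: exactly 32 hex chars.
    if (preg_match('/\A[0-9a-f]{32}\z/', $cookie) !== 1) {
        log_event($log, $ip, 'untrusted characters in cookie');
        return $login;
    }
    $row = $sessions[$cookie] ?? null;
    if ($row === null || $row['ip'] !== $ip) {
        unset($sessions[$cookie]);            // close the login record, force re-auth
        log_event($log, $ip, 'unknown session id or ip mismatch');
        return $login;
    }
    return $row['user'];
}

// Constructed sample run (addresses are from documentation ranges).
$id = new_session($sessions, 'simon', '192.0.2.10');
var_dump(resolve_login($sessions, $log, $id, '192.0.2.10', true));
var_dump(resolve_login($sessions, $log, "' OR 1=1", '203.0.113.5', true));
var_dump(resolve_login($sessions, $log, $id, '203.0.113.5', true));
```

In a real deployment the same cap would be enforced in the log database itself, for example per source address and time window, so that repeated bad requests cannot grow the table without bound.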
