Accounts Security Part III

Friday, 09 May 08 - by: r3ck0rd

For Web Developers and Programmers Guide and Technological and Technical Security

A Password Security Related Article by Calvin Limuel a.k.a. r3ck0rd

2nd Revision, 20080422 - by r3ck0rd


Finally, the third episode of this serial! I'm in the middle of homework, school projects, web design preparation for a competition, writing my own book “Behind the Scenes of XSS, RFI, and SQL Injection”, other Gastrote and hacking projects, Vocal Group Competition preparation, and everything else I have to do, but I still want to write more.



Yes, in this third part I changed the serial's name, and this is the final name: Accounts Security. I'm also extending this serial for web developers and programmers (those points are marked with the 4 WDev&P™ or “For Web Developers and Programmers™” logo).


1. For Web Developers and Programmers™ Configuration File

The configuration file is where you put a web application's sensitive data, such as database login details. Don't just save it as *.inc: the .inc extension is only a naming convention, and few people still do this; the same goes for .ini files. Such a file can be downloaded directly and easily. I recommend protecting it by adding an extra .php extension (like config.inc.php), forbidding direct access through .htaccess and PHP, and encoding the file.
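The two protections this point asks for, as an added example rather than code from the article: a config.inc.php that refuses to run unless the application included it, and the .htaccess rule (in the comment) that stops the server from serving leftover .inc/.ini copies. The IN_APP constant, file names and credential values are assumptions.

```php
<?php
// Added example (not from the article): a guarded config.inc.php.
// A file named config.inc is served by the web server as plain text;
// the .php suffix makes the server execute it instead, and the guard
// below makes direct execution return nothing useful.
//
// Assumption: the application does this before including the file:
//     define('IN_APP', true);
//     require __DIR__ . '/config.inc.php';
//
// Belt and braces: also deny any legacy .inc/.ini copies at the web
// server (Apache 2.4 .htaccess, assumed):
//     <FilesMatch "\.(inc|ini)$">
//         Require all denied
//     </FilesMatch>

// Requested directly (no IN_APP): refuse and leak nothing.
if (!defined('IN_APP')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not allowed.');
}

// Sensitive values; these are constructed placeholders, not real credentials.
define('DB_HOST', 'localhost');
define('DB_USER', 'app_user');
define('DB_PASS', 'CHANGE-ME-placeholder');
define('DB_NAME', 'app_db');
```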


2. For Web Developers and Programmers™ Filter, filter, filter!


The word “filter” is no longer only about avoiding HTML injection and XSS. You may already know how to filter SQL injection, and the same goes for RFI. If not, I'll write about it some other time. In Zoiz's advisory page here: http://zoiz.web.id/xss-corner/useragent-xss.html or http://th0r.info/?p=77, he showed us that the User-Agent data sent by the browser, in this case Mozilla Firefox, can be modified. In Internet Explorer you can do it from the registry editor; I'll write about that in the next episode of Microsoft Windows Tweaks. I haven't found out how to do it in Opera, Netscape, Safari, or any other browser.


Back to that advisory. He found out that the User-Agent string can contain HTML code. With the “mighty power” of XSS, we can even do what Th0R does in his first book, “Friendster Hacking”. Yes, we're talking about cookie stealing. How can we do it? Next time, OK? ^^ Some programmers write code for logging users, and some still display the raw user agent string. You know what I mean next.

Read more about code injection.
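The logging case described above, as an added example that is not code from the article or the cited advisory: a log viewer that writes a stored User-Agent string into a page, first raw and then HTML-encoded at output time. The log entry is constructed; in a real logger the value comes from $_SERVER['HTTP_USER_AGENT'].

```php
<?php
// Added example (not from the article): rendering a logged User-Agent.
// The browser chooses this header, so it is attacker-controlled input,
// exactly like a form field, and must be encoded before it is displayed.

// Constructed log entry standing in for what a logger stored; a real
// logger would have read $_SERVER['HTTP_USER_AGENT'].
$loggedUserAgent = 'Mozilla/5.0 (X11; Linux) <script>alert("constructed")</script>';

// Vulnerable: the raw string is written into the page, so any HTML in it
// is parsed and executed by whoever views the log.
function renderRaw(string $userAgent): string
{
    return '<td>' . $userAgent . '</td>';
}

// Hardened: HTML-encode at output time; the browser shows the tags as
// text instead of executing them. Encoding on output rather than on input
// keeps the stored log exact and still protects every page that shows it.
function renderEscaped(string $userAgent): string
{
    return '<td>' . htmlspecialchars($userAgent, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

echo renderRaw($loggedUserAgent), PHP_EOL;      // executes the script tag when viewed
echo renderEscaped($loggedUserAgent), PHP_EOL;  // shows &lt;script&gt;... as text
```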



3. For Web Developers and Programmers™ Password File and Database security

Putting passwords in files is risky enough, more risky than point 1, because, as you know, such files can be accessed by the public. The safest way, I think, is to put them in the database. However, these can still be accessed if your web application has an SQL injection vulnerability. The solution is none other than to encrypt them with a one-way encryption method. Yes, I know your web application encrypts your passwords by default, and the usual method is Message Digest 5 (MD5). And, as you know from reading Th0R's book, Zero-Knowledge Password, and part two of this serial, it can be cracked: by brute force (this is avoidable, not in the way you think; the easiest way is through a CAPTCHA, available as a PHP class) or by rainbow table. So how do you protect them? Try another encryption like SHA1. Or use multiple encryptions: MD5, SHA1, and ROT13. Or add the PHPass (Portable PHP Password) hashing framework from www.openwall.com/phpass, a security foundation that made the John the Ripper password cracker, to your list.
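Why a plain MD5 falls to a precomputed table and what a salted, slow hash changes, as an added example that is not the article's code. It uses PHP's built-in password_hash() (bcrypt, PHP 5.5+, return type syntax needs 7.1+), the same idea as the PHPass framework the article recommends; the wordlist and passwords are constructed.

```php
<?php
// Added example (not from the article): unsalted fast hash vs. salted slow hash.

// A tiny stand-in for a rainbow table or wordlist: MD5 of common passwords,
// precomputed once and reusable against every leaked database.
$wordlist = ['password', '123456', 'letmein', 'qwerty'];
$table = [];
foreach ($wordlist as $word) {
    $table[md5($word)] = $word;
}

// Attacker side: an unsalted MD5 is reversed with one array lookup.
function lookupMd5(array $table, string $storedMd5): ?string
{
    return $table[$storedMd5] ?? null;
}

$leaked = md5('letmein');                    // what an SQL injection would expose
var_dump(lookupMd5($table, $leaked));        // recovers the password instantly

// Chaining fixed fast hashes (md5, then sha1, then rot13) only changes which
// table the attacker precomputes. A random per-user salt plus a deliberately
// slow algorithm removes the precomputation entirely.
$stored = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 10]);

// Same password, second user: a different hash, because the salt differs,
// so one table can no longer serve two accounts.
$storedAgain = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($stored !== $storedAgain);

// Login side: password_verify() re-derives the hash from the salt embedded
// in $stored and compares in constant time; never compare hashes with ==.
function checkLogin(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

var_dump(checkLogin('letmein', $stored));    // correct password
var_dump(checkLogin('letmein1', $stored));   // wrong password
```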


4. Remember Password Feature


I forgot to write about this in my earlier articles. Yes, don't do this, especially when you're accessing websites, and that includes your messenger programs, even if the stored password is encrypted. It's not about someone learning your password, but that someone can change the settings so that no password is required to get into your e-mail.


5. VBScript in web pages

Know VBScript? Yes, VBScript can be embedded in an HTML page, client-side. But you have to know that people can make worms/viruses with it. It's not impossible for a coder to write spyware, a trojan horse, even a keylogger, and embed it in an HTML page. The best way I know to anticipate this is to disable <script> tags in your browser. But it'll be more comfortable to just install Mozilla Firefox (latest ones are 2.0.0.13 and 3.0 b5) and install the NoScript plugin by Giorgio Maone.



6. For Web Developers and Programmers™ CSRF Attack: for users and WDev&P

A list of links that may help you prevent CSRF:

- http://www.gnucitizen.org/blog/preventing-csrf/

- http://websecurity.ro/blog/2008/03/28/wordpress-233-probably-a-0day-exploit/

- http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html

- http://www.cgisecurity.com/articles/csrf-faq.shtml


More? Google them :)


7. Your browser’s address bar

Remember XSS? Right. I think I've told you about this, but if not, here are my tips. First of all, watch the address bar. This is useful for avoiding XSS that carries phishing and other malicious things. Previously, on Friendster, you could plant a phishing page through redirection, showing you a fake login page. And on World of Warcraft's website, Th0R showed us the PoC of it in the previous SATE (Security Advisory Team) forum. But it's alright when you watch the address closely. If you don't understand it, I recommend the NoScript plugin, known to prevent XSS from being executed.


8. Seek secure web pages


This is very important if you're dealing with e-banking or e-commerce sites. First, the protocol should be https:// on port 443 (secure HTTP, HyperText Transfer Protocol). Second, verify the certificate, the encryption method, the digital signature, and the certificate issuer, like VeriSign or e-trust. Although there may be a counterfeit, just cross-check with the issuer's site.


9. For Web Developers and Programmers™ PHP5, 6 and MySQL

As a subtopic of point 2: prevent SQL injection by using magic_quotes. But since the news says it'll be removed, you have to filter manually yourself. Or, if you're using MySQL, you can use this function: mysql_real_escape_string().
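The manual filtering this point asks for, as an added example that is not the article's code: the string-concatenated query beside a parameterised one. It uses PDO with an in-memory SQLite database so it runs offline (the mysql_* extension the article names no longer exists in PHP 7); the table, user and input are constructed, and only the DSN changes for MySQL.

```php
<?php
// Added example (not from the article): concatenation vs. prepared statement.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, pwhash TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'placeholder-hash')"); // constructed row

// Vulnerable: user input is pasted into the SQL text, so a quote in the
// input ends the string literal and the rest is parsed as SQL.
function findUserConcat(PDO $db, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed and the value travels separately as a
// bound parameter; the database never parses the input as SQL. This is the
// general form of what mysql_real_escape_string() tried to achieve by hand.
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "x' OR '1'='1";   // constructed input containing a quote
print_r(findUserConcat($db, $input));    // matches every row: the condition became a tautology
print_r(findUserPrepared($db, $input));  // matches no row: no user has that literal name
```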



10. Credit Card

It's not impossible that someone like a cashier with fast recall or a photographic memory remembers your bank account number and your CVV2. Just as advice: when you pay with your credit card, swipe the card through their “skimmer” (I don't know its real name) yourself, or don't let the cashier hold your credit card for long. If they want to cross-check the signature, show it to him/her yourself. And if you apply for a new credit card and the dealer requires a photocopy of your current credit card, ask them to cover the CVV2.


Hah OK, it's finished. Two weeks of work. Haha :). Actually, I suddenly came up with one more point, but let it be in the fourth part :)


This article was made by Calvin Limuel a.k.a. r3ck0rd with help from Zoiz on a few points. Thanks a lot Zoiz! It would have taken 3 weeks if you hadn't pointed out some points. :D



Greets fly to:

- Zoiz, Th0R, badkiddies, JKR, and all HackingForte members.

- Some of my chat friends: PusHm0v, th3sn0wbr4in, yamiza.

- My friends at my school: Arcsanctus, CH.


And thanks to Jesus for making me alive until today, so I can write this article ^^.


April 11, 2008


Calvin Limuel

© 2008 r3ck0rd

See here for more information if you want to copy this article.



Original URL: http://reckord.info/?p=36 or http://reckord.info/password-security/r3ck0rd/2008.04.11/36.accounts-security-part-iii.post

