login (security through obscurity) – weird PHP script

This was the idea with which I won the regional web apps contest… well, actually I did a CMS, but the security part of it was the most appreciated. Maybe because it was weird, you’ll see…
Classical Login scripts
What exactly do classical login scripts do? They get the password from the database by querying it with the username (SQL injection possibility) and then compare the retrieved password with the one submitted by the user. If the two match, the website either sets a cookie or a variable in the current session…
Weird/Reverse Login script
The main thing I wanted to achieve was to get rid of any SQL injection vulnerability. How did I do this? I didn’t use the classical approach of querying the database by username and getting the respective password; instead I selected all the usernames that had the password sent by the current user and then scanned through the list for the username; if it isn’t found, no such username exists…

$passwd = $_REQUEST["passwd"];
$uname = $_REQUEST["username"];
$ok = 0;
$handle = mysql_connect("", "", "");
// Look up every username that has this password hash; only the hex digest
// goes into the query, never the raw request value
$build = "SELECT uname FROM usr WHERE passwd='" . md5($passwd) . "'";
$query = mysql_query($build, $handle);
// Scan the result for the username that was submitted
while($fetch = mysql_fetch_array($query)) {
  if($fetch[0] == $uname) {
    $ok = 1;
  }
}
if($ok == 0) {
  header("Location: somewhere");
}
else {
  //set a weird cookie
}
As far as I can see, with this method there is no SQL injection possibility, no need for mysql_real_escape_string() or to worry about hex-encoded strings, etc.
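The same "password first, then username" lookup can be written without putting any request value into the SQL string at all. The example below is added here and is not the post's code: it binds the hash as a query parameter, and also shows the classical by-username lookup done the same way. The table and column names (usr, uname, passwd) are the post's; the PDO connection details are placeholders, and the password_hash() variant assumes the passwd column stores salted hashes instead of md5.

```php
<?php
// Added example, not the post's code: the post's "password first, then
// username" lookup with the hash bound as a query parameter, so request
// input is never concatenated into SQL. Table and columns (usr, uname,
// passwd) are the post's; the PDO connection details are placeholders.

function reverseLogin(PDO $db, string $uname, string $passwd): bool {
    $stmt = $db->prepare('SELECT uname FROM usr WHERE passwd = :h');
    $stmt->execute([':h' => md5($passwd)]);          // same unsalted md5 the post stores
    // Scan the usernames that share this password for the one submitted
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $candidate) {
        if (hash_equals((string) $candidate, $uname)) {
            return true;
        }
    }
    return false;
}

// Variant assuming passwd holds password_hash() output instead of md5.
// Salted hashes differ per user, so the lookup has to go by username;
// the prepared statement keeps that query free of injection as well.
function classicLogin(PDO $db, string $uname, string $passwd): bool {
    $stmt = $db->prepare('SELECT passwd FROM usr WHERE uname = :u');
    $stmt->execute([':u' => $uname]);
    $hash = $stmt->fetchColumn();                    // false when no such user
    return $hash !== false && password_verify($passwd, (string) $hash);
}

// Same request fields the post reads; DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$uname  = $_REQUEST['username'] ?? '';
$passwd = $_REQUEST['passwd'] ?? '';
if (!reverseLogin($db, $uname, $passwd)) {
    header('Location: somewhere');
    exit;
}
// otherwise: set the cookie / session for $uname
```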
Weird/Obscure Cookie
The login process isn’t complete until we set a normal cookie with “strange” information in it, or should we say obscure information for everybody except the webmaster =).
// client address plus the secret ($_SERVER replaces the register_globals $REMOTE_ADDR)
$build = $_SERVER["REMOTE_ADDR"] . "secretK3y";
setcookie("cookIT", md5($build), 0);
As for the secret key… it has to be secret, because if it is not, a person on the same network as you could forge a cookie to gain access.
Cookie verifier
This is used to check the authenticity of the cookie; I bet you already have an idea of how it looks:
if(!isset($_COOKIE["cookIT"])) {
  header("Location: somewhere");
}
else {
  $value = $_COOKIE["cookIT"];
  $build = $_SERVER["REMOTE_ADDR"] . "secretK3y";
  if($value != md5($build)) {
    //either a fake cookie or the client's address/proxy changed
  }
  else {
    //...do stuff for users...
  }
}
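The cookie above is md5(address . secret): it carries neither the username nor an expiry, so the verifier can only tell that some client at that address once logged in. The example below is added here and is not the post's code: it keeps the same cookie name and address check but makes the value "user|ip|expires|hmac", so the fields are authenticated by a keyed hash and compared in constant time. COOKIE_SECRET is a constructed placeholder standing in for a secret loaded from configuration.

```php
<?php
// Added example, not the post's code: a keyed cookie that also carries the
// username and an expiry, checked with an HMAC instead of a bare md5(ip.secret).
// COOKIE_SECRET is a constructed placeholder; load the real one from config.
const COOKIE_NAME = 'cookIT';
const COOKIE_SECRET = 'replace-with-a-long-random-value';

// Cookie value is "user|ip|expires|hmac"; the HMAC covers the first three
// fields, so none of them can be changed without knowing the secret.
function issueCookie(string $uname, string $ip, int $expires, string $secret): string {
    $payload = rawurlencode($uname) . '|' . $ip . '|' . $expires;   // a '|' in a name cannot break parsing
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Returns the username the cookie was issued for, or null if it is not valid.
function verifyCookie(string $value, string $ip, int $now, string $secret): ?string {
    $parts = explode('|', $value);
    if (count($parts) !== 4) {
        return null;                                  // malformed or truncated
    }
    [$encUser, $cookieIp, $expires, $mac] = $parts;
    $payload = $encUser . '|' . $cookieIp . '|' . $expires;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;                                  // forged or tampered
    }
    if ($cookieIp !== $ip) {
        return null;                                  // client address changed (proxy, roaming)
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                                  // expired or bad timestamp
    }
    return rawurldecode($encUser);
}

// After a successful login: $uname is the authenticated user (constructed sample).
$uname = 'alice';
$expires = time() + 3600;
setcookie(COOKIE_NAME, issueCookie($uname, $_SERVER['REMOTE_ADDR'], $expires, COOKIE_SECRET),
    ['expires' => $expires, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// On a later request: the verifier replaces the post's md5 comparison.
$user = isset($_COOKIE[COOKIE_NAME])
    ? verifyCookie($_COOKIE[COOKIE_NAME], $_SERVER['REMOTE_ADDR'], time(), COOKIE_SECRET)
    : null;
if ($user === null) {
    header('Location: somewhere');
    exit;
}
```

The array form of setcookie() used here needs PHP 7.3 or later; on older versions pass the expiry, path, domain, secure and httponly arguments positionally.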
Epilogue
It’s not a great thing; I could have used sessions or the classical login method with many filters (addslashes(), mysql_real_escape_string())… but I didn’t. It was perfect for me because I am a fan of the principle “security through obscurity”, and I also got more points because they wanted creativity… in everything, design and development. And because I’m not a designer, I had to use my creativity on development. Some of you may like it, others will see it as plain stupidity, and the rest of you won’t even care… but still, it helped me win the contest…