Page 1 of 2
    #1
  1. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,650
    Rep Power
    171

    Is this form (and the website) secure?


    Hi;

    I'd like to get some comments on this website's security. Can you see any obvious flaws?

    I am aware it's not done in PHP, but let's be honest, this specific forum is the most active and its posters share priceless info.

    Please do not move if possible.

    Thank you
  2. #2
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2013
    Posts
    51
    Rep Power
    2
    May I ask why you are asking this question?

    Seems to be using ASP.NET, can't help you there.
    All generalizations are false, including this one. Free hosting
  4. #3
  5. Known to taste like chicken
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Location
    In front of my computer
    Posts
    399
    Rep Power
    311
    Originally Posted by English Breakfast Tea
    Hi;

    I'd like to get some comments on this website's security. Can you see any obvious flaws?

    I am aware it's not done in PHP but let's be honest this specific forum is the most active and posters share priceless info.

    Please do not move if possible.

    Thank you
    So, yeah... that's Australia's biggest bank, and they spend quite considerable amounts of money on security. It is PCI-DSS certified; they would have their own racks in a DC in Sydney (they probably run their own mini DC for it, in fact). Physical security in the DC would be nuts, and there would be a whole range of security measures in place on the site to prevent brute force attacks, distributed hack attempts etc. Comm Bank turns a profit of tens of billions of dollars a quarter, and collectively they would have hundreds of billions of dollars in accounts and loans etc. I would hazard a guess that it is one of the most secure sites in the world.

    Why do you care about comm bank's security?
    "Take thy beak from out my heart, and take thy form from off my door" - Homer J Simpson / Edgar Allan Poe

    Looking for a project Idea?
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Hi,

    they actually do have a weakness: valid client numbers get locked, but invalid ones do not. So it's possible to search for accounts.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,650
    Rep Power
    171
    Originally Posted by Jacques1
    Hi,

    they actually do have a weakness: Valid client numbers get locked, but invalid ones not. So it's possible to search for accounts.
    Please explain if you got a minute.
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    If you enter a nonexistent client number, you simply get a generic error message saying that the login credentials are wrong. But if you enter a valid client number and a wrong password, you get a warning that your account will be blocked after two failed login attempts.

    This allows any visitor to try out numbers and check if they're valid. In other words, the form indirectly exposes critical data.

    A secure login form mustn't leak any information about whether or not a part of the credentials is correct. The feedback must be either "Your login was successful" or "The login failed". Nothing else.

    If you want to lock accounts, you must either mention that in the failure message ("Your credentials are wrong, or your account has been locked") or lock any username, not just the valid ones. This way an attacker cannot tell if they've hit a valid account.
  12. #7
  13. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,650
    Rep Power
    171
    Originally Posted by Jacques1
    This allows any visitor to try out numbers and check if they're valid. In other words, the form indirectly exposes critical data.
    Hi Jacques1, 3 questions, please explain if you don't mind:

    In reasonably real life:

    1 - How could you possibly use a "guessed" client number without knowing "anything" about the password encryption system they use? I mean, come on, what are the chances of guessing a password that has probably been hashed and encrypted "the right way"?

    2 - On top of that, it wouldn't be easy to "guess" a client number, would it?

    3 - I realise quite often simple encrypting functions get disqualified. I'd really like to see how a hacker can try to find out what these strings are. You mind a preview please?

    aef78092b56fcdab884930ee55c93a2c1d35f01810c8503d697c233377663551f0c0f0f1
    or
    YWVmNzgwOTJiNTZmY2RhYjg4NDkzMGVlNTVjOTNhMmMxZDM1ZjAxODEwYzg1MDNkNjk3YzIzMzM3NzY2MzU1MWYwYzBmMGYx
    Thank you
  14. #8
  15. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4123
    I don't know the exact client number pattern, but someone will, and it will be easy to find out. I used to use HSBC, and their numbers were "IB" (internet banking) followed by 10 digits. If they had the same flaw as Jacques is pointing out, then all I would have to do is loop from 0000000001 to 9999999999 and pattern match the response for "locked" (valid number) or not.

    I then have a list of valid client numbers... I'm not a hacker, so I wouldn't know what to do with them... but I'm sure someone with unsavoury intentions would want them.
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
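The leak Jacques1 describes in #6 and the enumeration loop Mad Scientist sketches in #8, as an added example in Python. This is not code from the thread or from any bank's system: it models a leaky login that answers differently for known and unknown client numbers, a hardened one that returns the single message Jacques1 proposes and keeps lockout counters for any submitted identifier (plus a per-source counter, because trying one password across many accounts never trips a per-account lockout), and then runs the attacker's loop against both. The account data, the 8-digit format, the lock threshold, the source addresses and the nonexistent probe id 00000000 are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accounts (8-digit client number -> password). A real
# system stores password hashes, not plaintext; this only models the login
# *feedback* behaviour the thread discusses.
ACCOUNTS = {"12345678": "hunter2", "23456789": "Tr0ub4dor&3", "34567890": "letmein"}
LOCK_AFTER = 2  # failed attempts before an account is locked (assumed)


class LeakyLogin:
    """Models the behaviour described in the thread: an unknown client number
    gets a generic error, a known one gets a lockout warning. The difference
    in wording is the leak."""

    def __init__(self):
        self.failures = defaultdict(int)  # only ever populated for real accounts

    def login(self, client, password, source=None):
        if client not in ACCOUNTS:
            return "Login failed: the credentials you entered are wrong."
        if self.failures[client] >= LOCK_AFTER:
            return "Your account has been locked."
        if ACCOUNTS[client] == password:
            self.failures[client] = 0
            return "Login successful."
        self.failures[client] += 1
        return f"Login failed. Your account will be locked after {LOCK_AFTER} failed attempts."


class HardenedLogin:
    """Every failure returns the same message, failure counters are kept for
    any submitted identifier (valid or not), and a per-source counter catches
    one-password-across-many-accounts spraying that per-account counters miss.
    Assumption: counters live in memory here; a real deployment would expire them."""

    GENERIC = "Login failed: the credentials are wrong or the account has been locked."
    SOURCE_LIMIT = 10  # failed attempts tolerated from one source address (assumed)

    def __init__(self):
        self.failures = defaultdict(int)
        self.source_failures = defaultdict(int)

    def login(self, client, password, source="127.0.0.1"):
        if self.source_failures[source] >= self.SOURCE_LIMIT:
            return self.GENERIC
        if self.failures[client] >= LOCK_AFTER:  # applies to bogus ids too
            return self.GENERIC
        if ACCOUNTS.get(client) == password:  # real code: constant-time check against a hash
            self.failures[client] = 0
            return "Login successful."
        self.failures[client] += 1
        self.source_failures[source] += 1
        return self.GENERIC


def enumerate_clients(service, candidates, probe_password="x", source="203.0.113.5"):
    """Attacker side: one bogus password per candidate; any response that differs
    from the one an unknown id produces marks the candidate as a real account.
    The id 00000000 is assumed not to exist."""
    baseline = service.login("00000000", probe_password, source)
    return {c for c in candidates if service.login(c, probe_password, source) != baseline}


def spray(service, clients, password, source="198.51.100.7"):
    """One password tried against many ids. Returns the ids that logged in."""
    return {c for c in clients if service.login(c, password, source) == "Login successful."}


def demo():
    sweep = [f"{n:08d}" for n in range(12345670, 12345690)] + ["23456789", "34567890", "99999999"]
    spray_ids = [f"{n:08d}" for n in range(34567870, 34567900)]  # includes one real account
    return {
        "leaky_enumerated": enumerate_clients(LeakyLogin(), sweep),
        "hardened_enumerated": enumerate_clients(HardenedLogin(), sweep),
        "leaky_sprayed": spray(LeakyLogin(), spray_ids, "letmein"),
        "hardened_sprayed": spray(HardenedLogin(), spray_ids, "letmein"),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {sorted(ids)}")
```

Against the leaky service the sweep recovers all three real accounts and the spray logs into the one whose password it guessed, with no lockout ever triggered because each account only sees one failure. Against the hardened service every probe gets the same text, so the sweep finds nothing, and the source counter cuts the spray off before it reaches the real account.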
  16. #9
    Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,007
    Rep Power
    2791
    The flaw that Jacques has pointed out is a minor one and should not affect security, unless other aspects of their security are just as flawed. It is an oversight however and whoever put the security in place should be reviewed.

    What can a cracker do with a customer number? Other than brute force attacks, which would, you would assume, be completely covered, not much. My own bank's online system allows the customer number to be stored in a cookie, so I can only imagine that the customer number alone is fairly useless.
    [PHP] | [Perl] | [Python] | [Java] != [JavaScript] | [XML] | [ANSI C] | [C++] | [LUA] | [MySQL] | [FirebirdSQL] | [PostgreSQL] | [HTML] | [XHTML] | [CSS]

    W3Fools - A W3Schools Intervention.
  18. #10
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    Sydney Australia
    Posts
    182
    Rep Power
    83
    Originally Posted by Winters
    What can a cracker do with a customer number? Other than brute force attacks, which would, you would assume, be completely covered, not much.
    I have specifically requested my bank NOT to grant internet access to my account. If it gets hacked, it is then THEIR fault, not mine.

    ANYTHING exposed on the internet is ultimately crackable, given enough time and willpower.

    Why should I be required to ensure that my PC is secure enough to access their system. The bank, not the customer, should supply secure access.

    Call me a luddite. At least I won't lose my hard-earned.

    It's a minor inconvenience not having internet banking, but you don't miss what you've never had.
  20. #11
  21. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Claiming that an attacker can't use the customer numbers is very naive.

    First of all, what makes you think that the site is somehow immune against brute force attacks? You cannot prevent this kind of attack, only slow it down. Every locked account will eventually be unlocked again. And most websites only check the login attempts for each individual account, not the total number of failed logins. In this case, an attacker would simply try one password on many accounts instead of many passwords on one account.

    Sensitive data like customer numbers is also commonly used for social engineering, because it creates trust.

    Never underestimate the creativity of attackers. A customer number alone may seem harmless. But people can combine it with other data and use it as a basis for other attacks. Just because you wouldn't know what to do with a customer number doesn't mean that nobody knows.

    A login form must not leak any personal data. No customer number, no email address, nothing. The feedback is either "login OK" or "login failed".



    Originally Posted by English Breakfast Tea
    1 - How could you possible use a "guessed" client number without knowing "anything" about password encryption system they use? I mean come on what are the chances to guess a password that has probably been hashed and encrypted "the right way"?
    I already told you last time that no hash algorithm makes the passwords "immune" to attacks. If you think you're safe as long as you use bcrypt or something, you're wrong. A hash algorithm only slows down attacks. It does not and cannot prevent them.

    If the password itself is weak, then it will be broken, no matter how you've stored it. A hash algorithm only protects good passwords for a certain amount of time. It buys you some time for some users. Nothing more.

    Also, hashing has nothing to do with encryption. The whole point of encryption is that you can reverse it. Given the key, you can decrypt the ciphertext. A hash cannot be reversed. It's only a "checksum" of the input. The original content is lost. And that's exactly why we hash passwords and don't encrypt them.



    Originally Posted by English Breakfast Tea
    2 - On top of that, it wouldn't be easy to "guess" a client number, is it?
    Why? It's an 8-digit number. That's a pretty limited number of possibilities.

    Of course it's not "easy" in the sense that anybody could do it in 10 minutes using a laptop. Certainly not! If you tried, the police would be knocking on your door before you've even found a single account.

    But just because we cannot (and don't want to) do it doesn't mean that nobody can.



    Originally Posted by English Breakfast Tea
    3 - I realise quite often simple encrypting functions gets disqualified. I really like to see how a hacker can try to find out what these strings are. You mind a preview please?
    I think I already told you. Generic hash algorithms can be attacked by simply trying out input strings until the hash matches the one you want to break. There are tools for this like Hashcat.

    Ars Technica has a great article about this.
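Jacques1's answer to question 3, as an added example in Python (not code from the thread): a candidate-trial attack of the kind Hashcat automates, run against constructed unsalted SHA-256 hashes of three weak passwords and then against PBKDF2 hashes of the same passwords, to show that a slower hash changes the time per guess but not the number of guesses a weak password survives. It also decodes the second of the two strings the OP posted in #7, which is plain base64 of the first, as an illustration of the encoding/hashing/encryption distinction made above. The passwords, wordlist, suffix rules, salt and iteration count are assumptions; nothing here identifies what the first string actually is.

```python
import base64
import hashlib
import time

# Constructed example: three weak passwords stored as unsalted SHA-256 and, for
# comparison, as PBKDF2-HMAC-SHA256 with a fixed salt and 20,000 iterations.
# Passwords, salt and iteration count are all assumed, not taken from any site.
WEAK_PASSWORDS = ["password1", "Summer2013!", "qwerty"]
SALT = b"constructed-salt"
ITERATIONS = 20_000


def fast_hash(pw: bytes) -> str:
    return hashlib.sha256(pw).hexdigest()


def slow_hash(pw: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw, SALT, ITERATIONS).hex()


FAST_TARGETS = {fast_hash(p.encode()) for p in WEAK_PASSWORDS}
SLOW_TARGETS = {slow_hash(p.encode()) for p in WEAK_PASSWORDS}

# A tiny wordlist plus mangling rules: the same idea a cracking tool applies
# at scale (base words, capitalisation, common suffixes). Assumed values.
WORDLIST = ["password", "summer", "qwerty", "letmein", "monkey"]
SUFFIXES = ["", "1", "123", "!", "2013", "2013!"]


def candidates():
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack(targets, hash_fn):
    """Hash each candidate and look it up in the target set; stop once every
    target is recovered. Returns (recovered {hash: plaintext}, guesses, seconds).
    One salt for all targets means one hash per guess checks every target;
    per-user salts would force one hash per guess per target."""
    recovered, guesses, started = {}, 0, time.perf_counter()
    for cand in candidates():
        guesses += 1
        digest = hash_fn(cand.encode())
        if digest in targets:
            recovered[digest] = cand
            if len(recovered) == len(targets):
                break
    return recovered, guesses, time.perf_counter() - started


def crack_fast():
    return crack(FAST_TARGETS, fast_hash)


def crack_slow():
    return crack(SLOW_TARGETS, slow_hash)


# The two strings posted in the thread, verbatim.
OP_HEX = "aef78092b56fcdab884930ee55c93a2c1d35f01810c8503d697c233377663551f0c0f0f1"
OP_B64 = "YWVmNzgwOTJiNTZmY2RhYjg4NDkzMGVlNTVjOTNhMmMxZDM1ZjAxODEwYzg1MDNkNjk3YzIzMzM3NzY2MzU1MWYwYzBmMGYx"


def decode_second_string() -> str:
    """The second string is plain base64 of the first: reversible with no key,
    so it is an encoding, not a hash and not encryption."""
    return base64.b64decode(OP_B64).decode("ascii")


def first_string_length_bytes() -> int:
    """72 hex digits = 36 bytes, which matches none of the common digest sizes
    (MD5 16, SHA-1 20, SHA-256 32, SHA-384 48, SHA-512 64), so length alone
    does not identify the algorithm."""
    return len(bytes.fromhex(OP_HEX))


if __name__ == "__main__":
    for name, fn in (("sha256", crack_fast), ("pbkdf2", crack_slow)):
        recovered, guesses, secs = fn()
        print(f"{name}: {sorted(recovered.values())} in {guesses} guesses, {secs:.3f}s")
    print(decode_second_string() == OP_HEX, first_string_length_bytes())
```

Both runs recover the same three passwords in the same 25 guesses; only the elapsed time differs. That is the point made above: the algorithm buys time per guess, and a password that falls within a few dozen candidates is broken regardless of how it was stored.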
  22. #12
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2013
    Posts
    12
    Rep Power
    0
    Yeah, secured from SQLi, XSS, etc. No idea about the rest, but it seems to be very secure.
  24. #13
  25. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,650
    Rep Power
    171
    Originally Posted by BarryG
    ANYTHING exposed on the internet is ultimately crackable, given enough time and willpower
    This is something Jacques1 might agree with.
  26. #14
    Super Moderator
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,007
    Rep Power
    2791
    Originally Posted by Jacques1
    Claiming that an attacker can't use the customer numbers is very naive.

    First of all, what makes you think that the site is somehow immune against brute force attacks? You cannot prevent this kind of attack, only slow it down. Every locked account will eventually be unlocked again. And most websites only check the login attempts for each individual account, not the total number of failed logins. In this case, an attacker would simply try one password on many accounts instead of many passwords on one account.

    Sensitive data like customer numbers is also commonly used for social engineering, because it creates trust.

    Never underestimate the creativity of attackers. A customer number alone may seem harmless. But people can combine it with other data and use it as a basis for other attacks. Just because you wouldn't know what to do with a customer number doesn't mean that nobody knows.
    I was about to respond with the fact that banks require a CAP security system for online banking, making most attacks pointless, when I checked and found that only two countries in the world have it established, mine being one of them. In order to log in, the customer number, surname, password and a one-time CAP authentication code are required, making a successful brute force attack unlikely.

    As I mentioned, revealing that a customer number is valid is a security oversight and should be fixed.
  28. #15
  29. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4123
    Originally Posted by English Breakfast Tea
    Originally Posted by BarryG
    ANYTHING exposed on the internet is ultimately crackable, given enough time and willpower
    This is something Jacques1 might agree with.
    This is something everyone working to develop products and services for the internet should agree with. Not just security conscious developers, but everyone in the industry, including managers, owners and the work experience lad/lass making the drinks.