adding in security questions so that users may reset their passwords if they exceed maximum attempts. is it bad to do hidden fields such as these for authentication mechanism?
<input type="hidden" name="securityAnswered" value=true>
<input type="hidden" name="exceededAttempts" value=true>
could a user go in and edit these hidden fields from the client side?
could a user go in and edit these hidden fields from the client side?
Of course! Anything on the client side can be edited. You cannot stop users from doing that.
You have to keep in mind that the client can post to the server any content, any time.
yes of course , any one can change it by clicking in ctrl+maj+i
Yes, penetration testers do this all the time using intercepting proxies such as Burp or Zap.
https://portswigger.net/burp/proxy.html
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
There are many other ways of modifying such data, including developer tools in the browser.
Related
What are the benefits (if any) of using type="password" vs. type="text" when creating a form for account creation on a website? Besides a create and confirm, is there a defined best practice?
The obvious reason is, that you can type the password, even if other people are watching the screen. Often i have this situation when i publish my desktop in a presentation, or if i need to give support to other users.
Besides hiding of the characters, the browser (or desktop application) will also prevent copying the content from the password box. This is one possibility less for other applications to misuse the passwords.
I might me wrong but as far as i know the only benefit of using type="password" is that another person can't see what you're typing. But the value behind that is transfered in plain text if you dont use https.
If you use the password type, the text will be hidden by black dots (or * or .) whilst text entries are displayed in plain text.
Also, if you're using forms with passwords, make sure to use HTTP POST as opposed to HTTP GET. Because on the latter, the entries are visible in plain text inside the options section of the URL (see the difference between HTTP GET and HTTP POST there: http://www.w3schools.com/tags/ref_httpmethods.asp).
You can do that by specifying method="post" as an attribute of the <form> tag.
I have many websites like Facebook where we write a email address and we just click a button, from this a list of email address's rolls down.
Can anyone tell me how this is achieved? Can it be done with just HTML or do i need to learn any other language?
This is accomplished using Javascript or AJAX requests to query the databases "live" and the return a data set. If I understand you correctly like on Facebook where you type in a Friends name and it will pull back a full list of names which may be your friends.
Jquery, Ajax, Javascript, PHP and Mysql would be some good researching points.
It would be worth searching for "How to create a PHP Ajax request to auto populate HTML fields"
If you are referring to Auto Complete within a browser this is a local setting which is controlled by the end user or their administrator and from what I am aware from HTML alone you can not manipulate this.
I fully agree with Steve's answer. In addition you might want to check out the following:
http://ajaxdump.com/2010/08/11/10-cool-auto-complete-scripts-using-ajaxjquerymootoolsprototype/
http://www.freshdesignweb.com/jquery-ajax-autocomplete-plugins.html
Hope it will help you
Well i go on and search a lot and then i found this is very simple!!
you just need is to type autocomplete = "on" and give it a name and then make a submit button
the code goes here:
<input type="text" name="Name" autocomplete="on" />
<input type="submit" />
I received a bug report this morning that browsers were offering to remember the password from our website's sign up form, but not regurgitating it on the login form afterwards.
My initial suggestion was to disable autocomplete on the password field of the signup form so that users wouldn't have the option to store credentials until they logged in for the first time.
However, my project manager asked me to research exactly that, whether or not it's possible to have browsers store credentials after submitting an account creation form and then properly fill in the login form upon later visits to the site?
Besides this convoluted explanation, I don't even know where to begin researching, so I'm turning to the community to see if you guys can point me in the right direction, or at least give me the right words to search for.
Thanks!!
Did you disable autocomplete on one field or complete tag?
Disable browser 'Save Password' functionality
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
I've researched it and cannot find a standard, dependable way to make a browser prevent autofill and not remember the password in a standard login form.
This is important to me as I'm working on a mobile web app, so if the user clicks logout and someone else gets hold of their phone, the browser shouldn't help them out by just handing them the password!
The only solution I can come up with is to make the password field type="text".
Sure, this would mean people can 'shoulder surf' and see what the user is typing in, but that same person could almost as easily just watch the user's fingers to see what password they're typing in...
I don't think spyware is a real issue here either, as I don't think a type="password" character mask is going to stop a malicious keylogger, etc. from doing its stuff.
So, I'm wondering if there are any other security concerns that I may have missed for using type="text" for a password field?
Maybe if I combined this idea with a dynamic/random 'name' attribute for the input, could I be onto a winner?
NB - The solution needs to be compliant with XHTML Mobile Profile.
Also, please refrain from advising me on what is semantically correct here. My priority is security, not semantics. :)
Bad idea - The browser will remember text fields, it just wont enter them automatically as it does with passwords. Instead it will suggest the password as an autocomplete for all to see. I also think reading a password over someones shoulder is much easier than reading their keystrokes.
The reason some browsers dont respect the autocomplete option for passwords is probably because passwords are handled by a separate (in theory more secure) method for handling/storing password data - obviously by using a text field you are bypassing this system with whatever risks that entails.
I dont think there is a definitive solution that doesnt involve js, since at the end of the day you have no real control over what their browser remembers. You can only provide hints and suggestions. Which will be handled in different ways by different browsers. Your best bet is to start by adding :
autocomplete="off"
to your form and input. Works in most browsers - but not all.
The above would go in your form tag and your password input tag, something like:
<form id="form1_randomstring" name="form1" method="post" action="process.php" autocomplete="off">
<input name="password_randomstring" type="password" value="">
As you said in your question, randomizing the form and input names will also trick some browsers into thinking it is dealing with a different form
Also, browser will be extra conservative about what they remember if you use ssl. So this may help.
Finally, as another layer of protection you could have a little onload jquery to clear the form field manually on docready:
$("input[type='password']").val('');
Obviously no help if not running js.
The Definitive solution (maybe?)
You could go a step further and inject the form field using an ajax call (plus generating the random form names + autocomplete and serving the page through ssl). Meaning js would be a requirement for logon but you could then make sure the field was clear and generate the form after page load. I would challenge any browser to complete it then.
If you went for that option both the outer page and the ajax loaded page would have to run through ssl - If you didnt want this an alternative might be to load the ssl form through an iframe (again trade-offs -user base would need to be considered.)
Depending on your requirements and userbase, this could present the most guaranteed option.
NOTE
Autocomplete="off" may not pass strict XHTML validation. An option then may be to add the autocomplete attribute after page load with jquery (again, obviously this wont work without js enabled):
$('#form1').attr('autocomplete', 'off');
As an added point, The simplest way to prevent a key logger would be to provide a select option drop down box and ask them to enter a letter/number from their password. Practically speaking you would have to limit passwords to alphanumeric and ask the user to enter at least three letters/numbers from their password in a series of drop downs.
Summary
No perfect solution but lots of options, you'll have to consider what is right for you. I would maybe go for the ajax call as the main method. You could initially load a link to the form and dynamically replace it with the ajax content so that there is still an option for non js users (less users compromised by autocomplete)
A registration webpage impressed me by knowing all my name, address, email, telephone number.
This is the first time i visit this website.
I guess that it might remember from other website with same id or name such as id="firstname"
id ="telephone" but i don't know exactly what is going on. How to implement this ?
Edit - Add more information.
I have done nothing, value is just appeared as page load.
This is what i got from view source.
<div class="ui-form-field" id="ohfirstNameField">
<input class="ui-form-field-text ui-corner-all" name="ohfirstName" maxlength="4000" type="text" id="ohfirstName" required="required" value="Sarawut" />
</div>
I have seen that before as well, and here is my theory. I believe the browser is storing basic information for you. A separate website cannot read any cookies not generated by itself (that would be a huge security issue), so that can't be it.
I think it is just a few fields that the browser stores. How to get at them, I am not sure. Is this Google Chrome you're talking about?
You could use OpenId to get a similar effect. The user will be asked, if he allows the authenticating site to his data, but if admits it, you will be able to prefill your form with data from the user.