Fortify lists outputs the following line as vulnerable to attack under the category - Password Management : Hard coded Password. Though I've not hard coded the password. Why is it showing that as a vulnerability, and how do I fix it?
txtPassword.style.visibility = "visible";
Thanks in advance!
I do not have visibility to the internals, but it appears that as part of the 'Structural Analyzer', the Fortify tool searches for text that may indicate that there is a password stored. It cannot tell if there is a password hard coded, but, based on a conversation with an HP Fortify consultant, Fortify leans toward flagging an issue if at all in doubt, allowing the person(s) remediating the audit information to determine if it is a vulnerability or not.
The following text example trigger a line of of code to be flagged my code base.
Password
password
Passwd
passwd
There are a couple of ways to remediate the issue and the correct one for your organization may depend on the work effort:
Mark the flagged issue as 'Not an Issue', indicating that this is a variable/control name and that a password is not hard coded in the code.
Rename the variable/control name to something that would not be flagged - txtPwd may be an option in this case.
Related
I recently logged into a website (student run club website which stores event and participant information).
After successfully logging in the following message appears and follows me around for the rest of my time on the site:
You are using an insecure password. The password that you entered has
been exposed in at least one data breach.
How do you know my password is insecure? This password appears in a
database of known passwords. Hackers may use this password to try to
break into your accounts.
While I appreciate the notification that my password was compromised (and should know better and will change and stop reusing passwords etc etc) I now worry about the overall security of this site.
I don't know a terrible lot about web dev but my naive assumption, given this message and the fact that it appears after log in, is that my password must have been stored in plain text for them to be able to check it against a database. Is this correct? Or is there some clever secure way this could be done?
Just because you are receiving a notification from the site doesn't mean that your passwords are being stored in plaintext. Whatever website you are using can use your password in the "Have I Been Pwned" API before encrypting them. This of course doesn't necessarily mean that they are encrypting them as there isn't really a surefire way to know how they are storing your passwords without possibly contacting the owner or if you were to receive an email at a later date with your password in it.
You can read up on the API for password checking here haveibeenpwned.com/API or you can check for the website you are using in this list here haveibeenpwned.com/API/Consumers.
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
There was a POST value in one of my fields that i accidentally forgot to escape. I found out that my database was compromised.
I changed my code escaped the values and I am also now using prepared statement, preventing myself from this happening again.
What do after I made the changes?
Do i need to change the table name, change the password on the database??
Can the hacker still access my table?
You should change your database immediately, the hacker had already got your database password in last hacking process, if your database's post is open in your server, the hacker can control your database directly. changing the table name is useless, hacker can use some normal command show your table name if your website have SQL injection 0day.
Maybe you should install some security software for your server or use the CDN protect your website.good luck.
What is the simplest way to make a page accessible by username/password? In school I learned to do this on the server side using sql and java. I'm wondering is there a way to do this only on the client side?
EDIT: lol... based on the responses, I probably should say why I specified client-side. I'm being asked to load an extra page into our company website that is supposed to aid some of our employees. I didn't design this extra page, and I was asked to put this up with a very simple log in. Granted I need to confirm with my superior that a client side login is ENOUGH, I just wanted to know if it could be done IF they decide that it's not all that important. The page itself won't have a link on the site, so unless someone knows it's there or decides to snoop, nobody will even know it's there.
You can save your page into a directory protected by .htaccess file.
That would be server side (you have to upload a .htaccess file into the directory).
But client side? Hmmmm the only thing I imagine is to create a DIV with position: fixed that would be over all your page content.
Ask for a user and a password, then check them using Javascript (this is client side), then you add property "display: none" to the DIV that is containing the login view.
That would hide the login view and show the page that is below it.
This is a HUGE security problem in my opinion. I could easily edit your web with Firebug and add Display: none to the div without entering a password.
However, as the password IS in the Javascript I could look at it anyway just viewing the source code.
The easiest is probably server side apache authentication. Use these two generators for that:
http://www.htaccesstools.com/htaccess-authentication/
http://www.htaccesstools.com/htpasswd-generator/
Just on the client side, using javascript it's never secure enough. But there is way:
if( prompt('Enter password') == 'password' )
{
// we are okay
}
else
{
// password is wrong
}
For more robust example, with username see http://jsfiddle.net/7mZYQ/2/
Well you could try a basic JavaScript dummy with HTML inputs that would somehow offer the slight illusion of password protection. Otherwise, create an HTML form and go with PHP Sessions. These are probably the languages with the most tutorials around so it wouldn't take you that long to pull it off.
You cannot do this securely only on the client side, it would require you to perform authentication of the user inside the browser. This means your whole userbase would have to be loaded in the browser memory in some form, likely in javascript which makes it unsafe.
For a simple authentication mechanism which involves the server to a minimal extent look at Basic Authentication.
No, it cannot be done on the client side. At least not in a secure manner. Client side (password ) validation is very easy to bypass, because clues (such as the password and/or the content you want to show when the correct password is entered) are given to the user.
If you think about what "client-side" means, you'll understand why it wouldn't be possible. On the client side, all information is processed and all data is stored on the client's machine. Thus, in order to check passwords totally on the client side, you'd have to have the entire list of usernames passwords saved to every single computer that your site interacts with.
Keep in mind, also, that anything "client side" is inherently less secure than it would be server-side. So even if you could do this, it'd probably be a bad idea.
Now, that being said, here's how you could do it:
Come up with a password (note that you'll have to use a master password, not individual ones), hash the password, and store the hashed password in a variable, or something. It may sound insecure, but if you're hashing the pw, you could send everyone a personalized email with the password and it wouldn't make it any easier to hack. Hashing is a one-way operation. There is no way to reverse engineer it. Do make sure to make your stored password a constant, though, or someone could just change the value of their hashed password last minute to match your stored one. Give the css rule Display:none; to your data with css so that it hides. Now prompt the user for a password. Then, take that password and run it through the same encryption as you did when you created the password. If that value and the one you stored match, bingo. Just revert your display:none; and you're good to go.
Though I guess that still leaves the problem of somebody just firebugging your display:none away. Guess you'd have to encrypt the data on the page too.
So I've been working on an application that has woeful access control up till now, and needs a proper solution ASAP. I've added in the CakePHP Auth and Acl components as per the tutorial in the Cookbook, and it all works pretty well, insofar as if I add a user manually, it creates an entry in the aros table appropriately, SHA1-hashes the password appropriately, all the good stuff.
Now for the bit that's proving a little beyond my skill level. We have 1000+ names in a database that need to become Users under the new system. I tried dumping them into the Users table with a MySQL query, but there are two issues:
(1) Doing things this way is not creating entries in the aros table. I'm pretty sure I can rig this up to work given time, but are there any shortcuts I might want to know about?
(2) This is the one that's causing me to scratch my head. When I add a user manually, their password is automagically SHA1-hashed. When I log in from the users/login page, the password I enter is correctly matched to the hashed password in the db, and I get access. However, no matter what I do to the passwords I dumped directly into the database, I can't get the log in page to grant access to them. Initially I hashed them with the MySQL SHA1 function; I understand this may not be a good idea, because Cake sprinkles in extra salt. I tried hashing them through Cake's Security::hash function. I tried letting Cake save each password into the Users table itself, letting it do whatever hashing it wanted behind the scenes without interference from me.
In none of these cases am I able to log in using one of these username/password combos. The passwords look good and hashed, and they match the passwords I'm entering after I apply Security::hash to them. What am missing that will enable me to get this working?
If I were in your position I'd build a Shell to handle doing this for you, that way you can utilize all of the stuff Cake has through that such as automatically adding a new ARO record and using Security::hash to handle the hashing prior to saving the record.
For the record, it wasn't a problem with hashing. I wasn't specifying the usergroup_id at the point of saving (was planning to set it later!). I guess you can't log in with an account that isn't part of a usergroup, even if your username/password combo is correct.