How can I suggest a list of alternate usernames in case user has selected an invalid or existing username?
The suggestions must be somewhat related. Do I need to use a dictionary of possible usernames?
It depends entirely on what you consider "related". It's hard to define such a meaning for usernames, as they often aren't normal English words. You might wish to create a unique username by appending a random stream of numbers, or by changing some of the letters to numbers ('e' to '3' etc). If you will update your question with what you mean by 'relevant' I will try and tackle that specific issue.
Bad idea. Giving away related usernames allows a skillful attacker to deduce which usernames are in use.
IE if I try and register 'RandomUser' and the system suggests using on of:
RandomUser1
RandomUser2
RandomUser3
RandomUser5
Then I can reasonably surmise that RandomUser4 is a valid username.
Look a this:
http://www.onesoft.dk/post/2007/07/ASPNET-AJAX-username-availability-with-suggestions.aspx
Its build using Ajax & JSON. I'm sure you will be able to adapt it to your technology.
Just add more info to the user name that the user seleced. If you colected also info like birthday, you can add to it the year:
user -> user1985
Or if you're getting a first name:
user -> jose_user
Don't use "automatic" information, because it would make it easy for attackers to deduce valid user names.
Related
So as the title says I'm curious, can user change the ID of an element through browser? I have a list of inputs - checkboxes, when you click on one of them ajax takes ID of that element and uses it to get data from database, so basically what I'm thinking is that if it is somehow possible to change the ID of the element my database wouldn't be secured. If that's possible, how I should protect it?
Okay, So I get the idea that it wouldn't be secured, If I'd use this way:
<?php
$mysqli = new mysqli("host", "user", "password", "database");
$usuario = $mysqli->real_escape_string($_POST["usuario"]);
$clave = $mysqli->real_escape_string($_POST["clave"]);
$sql=' SELECT * FROM usuarios
WHERE username="'.$usuario.'"
AND pass="'.$clave.'"
';
$mysqli->query($sql);
$mysqli->close();
?>
would it be enough, or there aren't actually safe enough way to protect data?
You are correct that this would be a security hole. The ID attributes could indeed be changed via the browser console.
Yes, they can change it or just make while request faked and you won't tell the difference. Rule of thumb here is NEVER trust any data that comes from user. It means - always validate, sanitize data on server-side, and always assume data that comes in request are there to fool/trick/hack you.
Yes. The user can do anything they like to the DOM once it is in their browser.
They can also execute any JS they like there.
You're worrying about the problem in the wrong place though. Your control ends at the edge of the webserver. Clients can make any HTTP request they like to it and include any id value they want. You need to address security there and not in the browser.
If you want to secure your database then you need to either allow no HTTP request to lead to the secret data being released / changed or you need to write server side rules that limit which HTTP requests can change them.
Typically this would involve Knowing Who The Request Comes From (Authentication) and Knowing Who Can Access Which IDs (Authorization).
A simple approach would be to keep a database that has a users table (including hashed passwords), a "things" table, and an ownership table (which has a column of user ids and a column of thing ids). If the request doesn't include a username and password you can cross reference from the thing id across the ownership table - return an error message instead of what was asked for.
Looking at the results of list, there is a lastModifyingUserName, but not a userid or other concrete reference to a user such that I can strongly verify that the file was last modified by me or someone else.
I can approximate this behavior using a string comparison of my user profile information, but this isn't an exact check.
I also looked at the timestamps, and timestamps for a file that was modified by me don't seem to line up, so it doesn't look like I can do this using timestamps either, which looks like a bug in and of itself, e.g.:
"modifiedByMeDate": "2013-01-31T02:25:26.738Z",
"modifiedDate": "2013-01-31T02:29:58.363Z",
Google are working on improving this so that there is consistency between the actor returned in the lastModifyingUserName field and the permission ID.
Right now I agree with you it is pretty impossible, sorry.
I found the following in the "e-mail" field of my newsletter subscriber database: ' OR 1=1/*
I know it's a SQL injection, but that's it. I've googled it a little bit, but I'm still on clear on what exactly it's trying to achieve. This occurred early Nov, and to my knowledge we had no outages around that time. Can any of you kind souls tell me what this guy was probably trying and do? Is there any way to know whether he achieved what he was trying to do?
I know virtually nothing about this and I'm worried. :(
'OR 1=1 is an attempt to make a query succeed no matter what
The /* is an attempt to start a multiline comment so the rest of the query is ignored.
An example would be
SELECT userid
FROM users
WHERE username = ''OR 1=1/*'
AND password = ''
AND domain = ''
As you can see if you were to populate the username field without escaping the ' no matter what credentials the user passes in the query would return all userids in the system likely granting access to the attacker (possibly admin access if admin is your first user). You will also notice the remainder of the query would be commented out because of the /* including the real '.
The fact that you can see the value in your database means that it was escaped and that particular attack did not succeed. However, you should investigate if any other attempts were made.
It probably aimed to select all the informations in your table. If you use this kind of query (for example in PHP) :
mysql_query("SELECT * FROM newsletter WHERE email = '$email'");
The email ' OR 1=1/* will give this kind of query :
mysql_query("SELECT * FROM newsletter WHERE email = '' OR 1=1/*");
So it selects all the rows (because 1=1 is always true and the rest of the query is 'commented'). But it was not successful
if strings used in your queries are escaped
if you don't display all the queries results on a page...
The specific value in your database isn't what you should be focusing on. This is likely the result of an attacker fuzzing your system to see if it is vulnerable to a set of standard attacks, instead of a targeted attack exploiting a known vulnerability.
You should instead focus on ensuring that your application is secure against these types of attacks; OWASP is a good resource for this.
If you're using parameterized queries to access the database, then you're secure against Sql injection, unless you're using dynamic Sql in the backend as well.
If you're not doing this, you're vulnerable and you should resolve this immediately.
Also, you should consider performing some sort of validation of e-mail addresses.
Its better if you use validation code to the users input for making it restricted to use symbols and part of code in your input form. If you embeed php in html code your php code have to become on the top to make sure that it is not ignored as comment if a hacker edit the page and add /* in your html code
Each parameter in a URL can have multiple values. How can I separate them? Here's an example:
http://www.example.com/search?queries=cars,phones
So I want to search for 2 different things: cars and phones (this is just a contrived example). The problem is the separator, a comma. A user could enter a comma in the search form as part of their query and then this would get screwed up. I could have 2 separate URL parameters:
http://www.example.com/login?name1=harry&name2=bob
There's no real problem there, in fact I think this is how URLs were designed to handle this situation. But I can't use it in my particular situation. Requires a separate long post to say why... I need to simply separate the values.
My question is basically, is there a URL encodable character or value that can't possibly be entered in a form (textarea or input) which I can use as a separator? Like a null character? Or a non-visible character?
UPDATE: thank you all for your very quick responses. I should've listed the same parameter name example too, but order matters in my case so that wasn't an option either. We solved this by using a %00 URL encoded character (UTF-8 \u0000) as a value separator.
The standard approach to this is to use the same key name twice.
http://www.example.com/search?queries=cars&queries=phones
Most form libraries will allow you to access it as an array automatically. (If you are using PHP (and making use of $_POST/GET and not reinventing the wheel) you will need to change the name to queries[].)
You can give them each the same parameter name.
http://www.example.com/search?query=cars&query=phones
The average server side HTTP API is able to obtain them as an array. As per your question history, you're using JSP/Servlet, so you can use HttpServletRequest#getParameterValues() for this.
String[] queries = request.getParameterValues("query");
Just URL-encode the user input so that their commas become %2C.
Come up with your own separator that is unlikely to get entered in a query. Two underscores '__' for example.
Why not just do something like "||"? Anyone who types that into a search area probably fell asleep on their keyboard :} Then just explode it on the backend.
easiest thing to do would be to use a custom separator like [!!ValSep!!].
I am modifying my PHP network's code to have "user roles" like wordpress here is my plan so far
0 = registred non email verified user
1 = registed and verified email
2 = moderator
3-9 = nothing yet
10= admin
In my PHP code I will use an array like this that will set what a role number does.
$user_role['10']
I was thinking of storing which value a user has in my mysql DB, would this be the best way to store the 10 different role options as an enum or is there a better way or faster way? I read that enum is not the fastest sometimes.
enum('0','1','2','3','4','5','6','7','8','9','10')
I guess INT or TINYINT is enough to store user level (role). Also you may consider multiplting the numbers by 10, so you'll have a space to add more levels in future.
Use bitmasks for permissions / user levels.
See example.