Programming C, C++, Java, PHP, Ruby, Turing, VB
Computer Science Canada 
Programming C, C++, Java, PHP, Ruby, Turing, VB  

Username:   Password: 
 RegisterRegister   
 How do I write a security script so that it only allows users that have logged in to access this page?
Index -> Programming, Visual Basic and Other Basics -> Visual Basic Help
View previous topic Printable versionDownload TopicSubscribe to this topicPrivate MessagesRefresh page View next topic
Author Message
bublik




PostPosted: Sun Oct 28, 2012 9:44 pm   Post subject: How do I write a security script so that it only allows users that have logged in to access this page?

So i know i can redirect all other users back to the start login page with "Response.Redirect", but how do i determine if a user has logged in or not?
Sponsor
Sponsor
Sponsor
sponsor
Tony




PostPosted: Sun Oct 28, 2012 9:53 pm   Post subject: Re: How do I write a security script so that it only allows users that have logged in to access this page?

Since HTTP is stateless, cookies are typically used to keep track of user's state. http://en.wikipedia.org/wiki/HTTP_cookie
Quote:

authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in under.

Keep in mind that cookies are stored on the client side, so clients can obviously also write and edit whatever state in the cookie. Storing information such as logged_in_as= eve admin is a bad idea.
Latest from compsci.ca/blog: Tony's programming blog. DWITE - a programming contest.
mirhagk




PostPosted: Mon Oct 29, 2012 7:47 am   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

generally you store a session ID in the cookie, and you can use that session ID to see what the user is logged in as.

If you're using ASP.NET there are mechanisms to handle authentication for you (because in general you shouldn't handle security applications yourself). The following are some good articles on it:

http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorization

[url]http://msdn.microsoft.com/en-us/library/eeyk640h(v=vs.100).aspx[/url]
bublik




PostPosted: Mon Oct 29, 2012 4:22 pm   Post subject: Re: How do I write a security script so that it only allows users that have logged in to access this page?

Cant I just use session variables? from login.asp

So I can do

login.asp
session("LoginUser") = UserP
Response.cookies ("LoginUser")
next page
if request.cookies("LoginUser") <> UserP then
response.redirect ("Login.asp")
end if

??
mirhagk




PostPosted: Tue Oct 30, 2012 8:31 am   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

it looks like that example is using cookies not session variables. Just make sure that the value is a temporary and if changed can't give someone admin access or anything.
QuantumPhysics




PostPosted: Tue Oct 30, 2012 3:49 pm   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

If you are making a project for a company or for work, I suggest you take it to the level as explained by Tony. If you are doing it for fun, then just use the easiest and least efficient method, just that works. Anything you do can still be brute forced or algorithmically bypassed. There is no point of hassling over something heavy that can be penetrated so easily (Especially if you are working with ASP.NET)
mirhagk




PostPosted: Tue Oct 30, 2012 10:15 pm   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

Yeah.... because ANYTHING can theoritcally be cracked we should just have no security. Tell google to cancel their HTTPS certificates, RSA encryption can be bruteforced.

Just because something theoritically can be bruteforced doesn't mean it's possible to do so within your lifetime.

For instance if you use a session token that's let's say, 64 bit (8 bytes, ~10 characters in base 64), it'd take 2^63 tries just to get a 50% chance of getting it. Assuming you can try once per ms (because you have super internet) it'd take you 292 million years to crack it....

As for the security of ASP.NET, I'd say if you found any actual security problems with it, then you should probably go to bank of montreal's site and use it. They use ASPX for their server, as do MANY companies, and they count on the security built in.

It's actually fairly easy to make your system pretty secure. It just requires awareness and understanding. You don't have to know how to implement RSA in order to understand that it's only potential attack vector is man in the middle attacks. Then you can simply use a certified, commonly used implementation that is from someone you can trust (and possibly sue).
QuantumPhysics




PostPosted: Wed Oct 31, 2012 6:56 pm   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

There are many attack vectors. I prefer Packet Injection and scanning for open ports. Most encryption nowaday is 40-bit or 128-bit. Rarely do I run into 192-bit. Nevertheless, google is a very good search method for encryption algorithms. Anything that is out there is on google. Just find out how the layout moves how many packets are moved here and there and you should be right in the doors of the decryption method, I find the most common one is RC4 encryption or the alphaSec encryption. What you can do from there really depends on the amount of knowledge you have with the "priveledge escalation" and yes I put that part in quotes for the fact that - I use backtrack 5 and armitage to gain further access after the key is accessed. Hey, anything is possible. It just takes time - Unless your scripts are already set up.

RE: Depending on your set up script it will still take time even after you launch it.
RE2: Finding out how the packet structure is made isn't even close to the end of the road but it is somewhat a synopsis of it.
Sponsor
Sponsor
Sponsor
sponsor
mirhagk




PostPosted: Wed Oct 31, 2012 8:28 pm   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

QuantumPhysics..... do you deliberately google just enough to put some keywords in a post without having any understanding?

Mathematically there is no way do break any reasonably long RSA encryption within our lifetimes.

40 bit encryption means there are 2^40 different keys. Assuming the cipher isn't broken, you are left with 2^39 different possible keys to try before you can get a 50% chance. THAT'S STILL 17.5 YEARS!

Re: Packet injection
The only thing you could really do is forge new packets, but that basically wouldn't give you any more power than just writing your post/get calls, which unless the server has an obvious flaw, is none. You can't even forge packets from someone else unless they are on the same network, and sending stuff unencrypted.

Re: Scanning for open ports
So yeah... you can connect to ports other than 80, maybe port 8080, 22,23, or some other port that's for some service. That doesn't give you any more power than anyone actually using those services, so as long as the server isn't doing something stupid, you're not going to get anything there.

Decryption algorithms are completely open, that's the first rule of developing a secure encryption system. The decryption relies on a key however, which except in the case of a broken algorithm, can't be obtained. Even with broken algorithms you will need doctorate level math in order to break it. I can almost guarantee you don't understand the level of mathematics required to even understand the crack, let alone use or derive one yourself.

Stop acting like your this hotshot hacker guy, and actually learn about the concepts you misuse in every post. Otherwise show us your an awesome hacker, by DOING something.
QuantumPhysics




PostPosted: Thu Nov 01, 2012 8:52 am   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

What would you like me to do - to "show you"?
mirhagk




PostPosted: Thu Nov 01, 2012 11:34 am   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

Well since you think you can break HTTPS connections, get into a mainstream site, like facebook. I don't want you to log onto my account and post "durp I called support and now I has hacked this", I want you to pm me my facebook password.
https://www.facebook.com/mirhagk

Why do I ask for my password, because my password is unique for facebook, and moderately secure. Encryption ensures that the password can NEVER be recovered.

When you fail to get my password, let me know, and I'll get you an easier site to "hack". it'll be something that I can throw together, so very basic security.
Dan




PostPosted: Thu Nov 01, 2012 9:26 pm   Post subject: Re: How do I write a security script so that it only allows users that have logged in to access this page?

QuantumPhysics wrote:

What would you like me to do - to "show you"?


Yes, i would.

QuantumPhysics, I find it very unlikely that you can break RSA encryption or any other commonly used encryption algorithms. As a more reasonable test then what mirhagk offers, and one that would not break any laws I have attached two files to this post. rsa.txt, is a RSA encrypted file encrypted with public key that only I have the private key for. aes.txt is an AES encrypted volume which only I have the key for. RSA encryption was done with OpenPGP and the AES encryption was done with truecrypt.

If your claims are true you should be able to show us the plain text. There are no tricks involved, and theses are examples of encryption you are likely to find in the real world.



aes.txt
 Description:
AES Ciphertext

Download
 Filename:  aes.txt
 Filesize:  1 MB
 Downloaded:  181 Time(s)


rsa.txt
 Description:
RSA Ciphertext

Download
 Filename:  rsa.txt
 Filesize:  327 Bytes
 Downloaded:  193 Time(s)

Computer Science Canada Help with programming in C, C++, Java, PHP, Ruby, Turing, VB and more!
mirhagk




PostPosted: Fri Nov 02, 2012 11:53 am   Post subject: RE:How do I write a security script so that it only allows users that have logged in to access this page?

Thanks Dan, I was thinking of preparing something like that, but I didn't get around to it.

For the RSA one you can even give him the public key, as that would normally also be public information.
Dan




PostPosted: Fri Nov 02, 2012 5:28 pm   Post subject: Re: RE:How do I write a security script so that it only allows users that have logged in to access this page?

mirhagk @ 2nd November 2012, 11:53 am wrote:

For the RSA one you can even give him the public key, as that would normally also be public information.


Good point.

code:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mM0EUJMtDAEGAKsjYfFTYDToDkEsbCtpq7zT78mJRhlgQ+xm+x+k5+D71s3fW2RF
Rjg9REJfAhBDEyCwtEkbWeHX/nExbMxPXg6arvUNLcGVYVwR62rBKHfAnKaB0/oD
0sL/MNkge8hBMdKagLAzEAElGixpmfUDsiGOsyMfgMPkrk56BCXIJmEv70z+912q
MzleENV43+vYSOUsKYS1mYv5eAJRaFjZbBAM9POr8yuFWb3+qlQfTXJVOz0CWBUY
vXffBswm0F6VmQARAQABtBZIIERhbiA8ZGFuQGNvbXBzY2kuY2E+iPgEEwECACIF
AlCTLQwCGw0GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENgoY124T2RnzZ8F
/3kar1foTP8N/SY5xkFcgwmoCJtYhzV4zevaA5elNJ68BWjxily4v3xoliHUesAr
g6XlG9uXEIa3H5gsMGGsBtWOdFl5sbBWuy1RdiSk0X/p/wt40Hlg6zRoy9hmn4NU
riMn+MudK3Q/CIO7NIxXZOjLVzmFPAnJOw56O8FHn7t6IKK1keY6Zav+O6T5qsEE
1KoA9CaE/mdgQo1gL+W1WJdTB6VCcT2QNfVetG+R5CJQwpjfpRVoyryUTVS3nnrm
Ew==
=Zb+t
-----END PGP PUBLIC KEY BLOCK-----
Computer Science Canada Help with programming in C, C++, Java, PHP, Ruby, Turing, VB and more!
Display posts from previous:   
   Index -> Programming, Visual Basic and Other Basics -> Visual Basic Help
View previous topic Tell A FriendPrintable versionDownload TopicSubscribe to this topicPrivate MessagesRefresh page View next topic

Page 1 of 1  [ 14 Posts ]
Jump to:   


Style:  
Search: