Javascript hash in AJAX connection calls, more security?

From a lot of posts I’ve seen on the site, logins performed by AJAX or traditional forms are just as secure as one another. (re: Login/session cookies, Ajax and security; Ajax login and javascript cookies, is this secure?)

My question(s) is/are:

  1. If I hash the user’s password (via client-side/javascript hash libraries) before I send it to the server, do I increase security from people eavesdropping?

  2. If I put a form token (one random based, another time based), does that cover CSRF attacks?

  3. Would I have all my bases covered after all this? Would this form be secure?

Actually this could be a major security problem. The reason why passwords are hashed is a means of planning on failure. An attacker might gain access to the data store (sql injection) and then obtain the hash. If you are just logging in with a hash, then the attacker doesn’t have to crack the recovered hash in order to gain access to the application.

Replay attacks are also a problem. If I sniff the hash during authentication, what’s stopping me from just replaying that request to authenticate?

Protocols that use message digest functions for authentication provide the client with a nonce, which is used as a one time salt. Microsoft’s SMB NTLM authentication is a good example, but it has had a lot of problems.

USE SSL, and not just for login. OWASP A9 states that the session id must never be leaked over an insecure channel. After all who cares about the password if you just spill the real authentication credentials a few milliseconds later.

Most people don’t implement CSRF protection for login. After all the attacker would have to know the password in the first place, so “session riding” is a moot point.
