
1. How to make a captcha code unhackable?
I have made a captcha with numeric & alphabetic characters, 4 digits long. If I use the captcha in the signup & login forms, then how much chance is there to hack the web? I already used an md5 hash and salt in my join & login script.

2. How many ways can a hacker hack a web?

4 contributors, 3 replies, 56 views, discussion span 4 years, last post by jkon

How to make a captcha code unhackable?

What do you mean by this? Captcha is meant to protect against automated scripts and robots (it tries to confirm that a human is using the service). It is not meant to protect from unauthorised access from hackers.

How many ways can a hacker hack a web?

Most common: SQL injection, cross site scripting or XSS, session hijacking, but there are many others.

A good starting point for securing your web app is OWASP, especially the OWASP top ten cheat sheet.

Edited by broj1
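The three items named above, shown as an added example that is not part of the reply or of any project: a vulnerable login query beside its prepared-statement form, output encoding for the XSS case, and session id regeneration against session hijacking. The in-memory SQLite database, the user row and the probe input are constructed here for illustration; it assumes PHP 7 or later with the PDO SQLite driver.

```php
<?php
// Added example: SQL injection, XSS and session hijacking mitigations in PHP.
// Everything below (table, user, inputs) is constructed for the demonstration.

function open_demo_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable pattern: the username is concatenated into the SQL text, so input
// containing a quote changes the query instead of being treated as data.
function find_user_unsafe(PDO $db, $username) {
    $sql = "SELECT id, username, pw_hash FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: a prepared statement fixes the query shape; the input is bound as a value.
function find_user_safe(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Login: look the user up with the safe query, check the password, then issue a
// fresh session id so an id fixed or captured before login cannot be reused.
function login(PDO $db, $username, $password) {
    $row = find_user_safe($db, $username);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // true discards the old session file
    }
    return true;
}

// Output encoding: user-controlled text is escaped before it is placed in HTML,
// so tags in a username render as text rather than executing.
function greet_html($username) {
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = open_demo_db();
$probe = "' OR 1=1 --";   // constructed injection probe, not a real username

// The unsafe lookup matches a row although no user has this name; the safe one does not.
var_dump(find_user_unsafe($db, $probe) !== false);
var_dump(find_user_safe($db, $probe) !== false);

// Correct and incorrect passwords for the constructed user.
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong'));

// The script tags come back encoded as &lt;script&gt;.
echo greet_html('<script>alert(1)</script>'), "\n";
```

Run it from the command line with `php example.php`; the two `find_user_*` results differ only because of how the input reaches the database engine, which is the whole point of the first item in the list.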


Hi,

I totally agree with Broj1. To answer your 2nd question, there is no definite number of ways; it all depends on what will come up on the black box. Any vulnerabilities found on the website are tested to see if they can be used to make a bigger splash.

About the MD5 hash, this has been exposed and abused too many times already; even the so-called SHA is getting closer to being exposed in broad daylight, but I will take SHA rather than using MD5. What is new in PHP 5.5.0 -> 5.5.1 is the stronger hashing called password_hash. For now, I think it will be nice and tight because the algorithm is an option passed as a parameter.

Below is a simple class I just jotted down in my notepad++ to test the new password_hash, but when I began to test it, I realized that I was running PHP 5.4.7 on my localhost. So, I went back and added the SHA hashing method for backward compatibility. I was going to use this as a replacement for the kohana password handler, or in sentry 2, because I don't really believe in open source when it comes to hashing. I always have doubts and am too suspicious that maybe someone left the back door open.

I used MD5 here just for the purpose of creating the salt and key. You can modify the script below to your own taste; it is just a skeleton for testing, and not intended for a production server. But against MD5, I will take the class below any time.

Here is the class... I really apologize if I talk a lot.. my mom told me I could really talk and type a lot, but I think I am just always amazed all the time :)..

```php
<?php
/*
 * This file is intended for php version >= 5.4.7
 *
 * Copyright Veedeoo 2013
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 *
 * Password_Manager.class.php
 */


namespace libs\managers\Password;
## for the autoloader use libs/managers_Passwords as namespace as suggested by PSR-0

class Password_Manager{

    // Fixed application-wide values: the md5 of $salt is prefixed to every stored
    // hash, and verify() compares that prefix against the md5 of $key.
    private $salt = 'hhfzZlZqARg39PtLpb7eog==';
    private $key  = 'hhfzZlZqARg39PtLpb7eog==';

    // Separator between the md5 salt prefix and the password hash in the stored string.
    const SEPARATOR = '___';

    public function __construct(){}

    /*
    *@salty generate md5 salt
    *
    */
    private function salty(){

        $Key = md5($this->salt);
        return $Key . self::SEPARATOR;
    }

    /*
    *
    *@create = create password
    *checks if the password_hash function exists; if yes, generates the password using the
    *php function password_hash @method create_pass. If not, creates sha1 based hashing @method create_sha.
    *Returns array(stored string, hash_type). hash_type is 'pass_hash' or 'sha' and must be
    *saved in the database next to the password so verify() knows which check to run.
    *
    */
    public function create($string, $hash_type = null){

        if(($hash_type === 'pass_hash') && function_exists('password_hash')){

            $password  = $this->create_pass($string);
            $this_hash = 'pass_hash';
        }
        else{
            // either 'sha' was requested or password_hash is not available on this php version
            $password  = $this->create_sha($string);
            $this_hash = 'sha';
        }

        return array($this->salty() . $password, $this_hash);
    }

    /*
    * @create_sha = create sha1 based password
    *
    */
    private function create_sha($string){
        return hash('sha1', $string);
    }

    /*
    *@create_pass = create password hash using the password_hash
    *
    *
    */
    private function create_pass($string){

        $options = [
            'cost' => 12,
        ];

        return password_hash($string, PASSWORD_BCRYPT, $options);
    }

    /*
    *@method verify = verify user on login
    *@string = from form input by user
    *@hash_type = from database
    *@hashed = hashed password from database
    */
    public function verify($string, $hash_type, $hashed){

        // limit to 2 parts so a separator inside the hash itself cannot split it further
        $hash = explode(self::SEPARATOR, $hashed, 2);
        if(count($hash) !== 2){
            return false;   // stored value is not in the salt___hash form create() produces
        }
        $salted = md5($this->key);

        if($hash_type === 'pass_hash'){

            return (password_verify($string, $hash[1]) && ($hash[0] === $salted));
        }
        else if($hash_type === 'sha'){

            return ((hash('sha1', $string) === $hash[1]) && ($hash[0] === $salted));
        }

        return false;   // unknown hash_type
    }


    /*
    *
    *@create_temp = create a temporary password for password reset request.
    *
    */
    public function create_temp($user, $email){
        $pass = hash('sha1', $email . $user);
        return array($this->salty() . $pass, 'sha');
    }
}
```

Here is my isolated test script, including the password reset method, just in case the user forgot..

When the user submits a password reset, the password is hashed in SHA, but on the newly created password it will be the password_hash function. The above class can work within the older php environment and on the latest version.. the database table should accommodate a hash_type column for the temporary password for the users.

```php
<?php

/*
* copyright veedeoo 2013
* isolated simulation test
*
*/

## change the file location, name and namespace as needed.
include_once('../libs/managers/Password_Manager.class.php');

## change the namespace in reference to the directory where the class is located.
use libs\managers\Password\Password_Manager as reset;


$object = new reset();

echo '<h4>Password Reset Test</h4>';
print_r($object->create_temp('someone', 'someone@anydomain.com'));

echo '<h4> Create Test sha</h4>';
print_r($object->create('password', 'sha'));

echo '<br/>';

echo '<h4>Create Password Hash</h4>';
print_r($object->create('password', 'pass_hash'));

echo '<br/>';

echo '<h4>Verify Sha</h4>';
## paste the first element of the array printed by create('password', 'sha') here
$hashed = 'put the generated password here';
echo(($object->verify('password', 'sha', $hashed)) ? "verified to be true" : "Verified to be false");

echo '<br/>';
echo '<h4>Verify Password Hash</h4>';
## paste the first element of the array printed by create('password', 'pass_hash') here
$passhashed = 'put the generated password here by the password_hash';
echo(($object->verify('password', 'pass_hash', $passhashed)) ? "verified to be true" : "Verified to be false");

echo '<br/>';
```

that's pretty much it...
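The backward-compatibility idea in the post above (old rows hashed with SHA, new rows with password_hash, a hash_type column telling them apart) can be carried one step further: verify the old row once, then rewrite it in the new format so the legacy hash disappears over time. The code below is an added example, not veedeoo's class or any library's code. It assumes PHP 7 or later for `random_bytes`; `password_needs_rehash` and `hash_equals` exist since PHP 5.6. The `$users` array stands in for the database table and every value in it is constructed here.

```php
<?php
// Added example: per-user salting via password_hash plus upgrade-on-login for legacy sha1 rows.
// The users array and passwords are constructed for the demonstration.

const BCRYPT_OPTIONS = ['cost' => 12];

// Legacy format, kept only so existing rows can be verified once before they are upgraded.
function legacy_sha1($password) {
    return hash('sha1', $password);
}

// New accounts and resets: password_hash draws a random salt per call and stores it,
// the algorithm and the cost inside the returned string, so no shared salt is needed.
function make_hash($password) {
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Verify one stored row. On success a sha1 row is rewritten as bcrypt, and a bcrypt
// row is rehashed if BCRYPT_OPTIONS has changed since it was created. Returns
// [ok, row] so the caller can persist the (possibly updated) row.
function verify_and_upgrade(array $row, $password) {
    if ($row['hash_type'] === 'sha1') {
        // hash_equals compares in constant time, so a mismatch does not leak how far it matched.
        if (!hash_equals($row['hash'], legacy_sha1($password))) {
            return [false, $row];
        }
        $row['hash'] = make_hash($password);
        $row['hash_type'] = 'bcrypt';
        return [true, $row];
    }
    if ($row['hash_type'] === 'bcrypt') {
        if (!password_verify($password, $row['hash'])) {
            return [false, $row];
        }
        if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
            $row['hash'] = make_hash($password);
        }
        return [true, $row];
    }
    return [false, $row];   // unknown hash_type: refuse rather than guess
}

// Password reset: a random single-use token that is e-mailed to the user, instead of a
// temporary password derived from username and e-mail, which both are usually public.
function make_reset_token() {
    return bin2hex(random_bytes(16));
}

// Constructed sample table: one legacy row, one current row.
$users = [
    'alice' => ['hash' => legacy_sha1('alice-pass'), 'hash_type' => 'sha1'],
    'bob'   => ['hash' => make_hash('bob-pass'),     'hash_type' => 'bcrypt'],
];

// alice logs in with the right password: accepted, and her row is now bcrypt.
list($ok, $users['alice']) = verify_and_upgrade($users['alice'], 'alice-pass');
echo 'alice login: ', $ok ? 'ok' : 'rejected', '; stored type now ', $users['alice']['hash_type'], "\n";

// a wrong password against the upgraded row is rejected.
list($ok, $users['alice']) = verify_and_upgrade($users['alice'], 'wrong');
echo 'alice wrong password: ', $ok ? 'ok' : 'rejected', "\n";

// bob's row is already bcrypt and is simply verified.
list($ok, $users['bob']) = verify_and_upgrade($users['bob'], 'bob-pass');
echo 'bob login: ', $ok ? 'ok' : 'rejected', "\n";

echo 'reset token for bob: ', make_reset_token(), "\n";
```

The stored string from `password_hash` already identifies its algorithm and cost (it starts with `$2y$12$`), which is why no application-level salt prefix is needed; the `hash_type` column only has to distinguish legacy rows from upgraded ones.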


best4earn, if there were a simple solution for what you should do not to be hacked, then no one (or few) would be hacked. Understanding how the web works and how hackers do will help you avoid the inexperienced hacking attempts (which are the most). There are some things that are said less often, like clean code will help you and never have source code in public, but there are also some things that require more money and effort, like dedicated servers and strict production procedures.

As for the MD5 algorithm vulnerabilities, to be honest I still don’t understand why so many programmers think that it is a major thing, and really I would like to understand it. Of course you don’t send a password from a user’s page to the server without hashing it (from first level validation, e.g. through JavaScript), and of course the program is using a salt. So the thing is that somebody has gained access to your database and can retrieve the salted MD5 hash of a password that has already been sent hashed? Is this what we are talking about?

I will agree with veedeoo that even non-complex custom security hashing classes that use a mix of hashing algorithms are better than something that already exists. But I wouldn’t suggest it to anyone that doesn’t have a day or two to read some theory behind such practices.

Edited by jkon
