Improving security with JS - javascript

I’m trying some little ideas, and I’ve hit a snag.
At the moment, when a user logs in, their password is stored in a variable which is handled later. Obviously all one has to do to get hold of the password is to go into the developer tools or console or whatever and add a statement like alert(pass.value);.
I know this is unrealistic but its been bugging me. Is there any way of detecting an alert statement and scrambling the password somehow? A regex or string replace?
Thanks!

If you want to have a secure system, don't store the password on the client side. There is absolutely nothing you can do in JavaScript that will prevent somebody from accessing the password if it is stored in a JavaScript variable.
All of your authentication should be handled on the server side. If you are storing passwords somewhere, do not store them in plain text, and do not use a home-brew encryption method. Cryptology is full of minefields and it's very easy to get something wrong, and I would recommend using a well thought-out system like bcrypt.

I would advise against keeping any kind of credential information client-side. One viable solution that's easy to implement is is a security token password. A simple process would look like this:
User access website. Informs credentials.
Website validates credentials. Creates temporary token associated with user ID, stores it client-side.
User access website. Informs token.
Token is validated against storage, user identified.

Related

Authenticate a user by a given password and salt without knowing the encryption method

Story
I'm using SQL Server database, and there is a table called aspnet_Membership that it seems like it's generated by ASP.NET. The system's frontend no longer uses ASP.NET but still would like to authenticate users from the old database.
What I know
The Password and PasswordSalt columns in the table I think are essential to authenticate a user, however, I don't know what encryption method was used in the system.
An example of a password looks like this: K9YjVGWxF4bPQCvQ8VYA1vbQyCE= and password salt looks like this: CM9k+UbZuKTuFxI46vIVIA==.
There is also a PasswordAnswer field that it seems like it uses the same encryption method, but I don't think it would matter in terms of authenticating a user.
Question
How can I authenticate a user by the given password and salt (ExpressJS preferably)?
Thanks
You will need to find the method which is being used for logging in. In order to do that, open your web-browser, go to the main page of your application, open dev console and view the Network tab. Then log in, see where the request is going, analyse the code and find the method which authenticates your login.
Another way to find that method is to search for the usages of the Password field of the ORM used (if an ORM is being used) and finding where it is being stored at registration or settings edit, or when it is being authenticated at login.
If this fails as well, then search for the word of password in the entire source-code and see whether you find the authentication of password or the way the password is stored.
If this fails as well, search for the word of salt in the source-code and see if you find any useful results.
If this fails, then search for words like login or authenticate in your source-code.
And if all these fail, you will need to either get creative in your search or ask someone in the team who knows the answer.
When you find a method which takes a String as input for password and generates another String as output and checks it against your password and salt, then you found your method. Once you find your method, you will just need to ensure that you use it in your project or implement a similar way to authenticate users.

React authentication using localStorage

I am trying to figure out how to build a basic login/signup feature for my React application. So I am considering creating a HoC/parent class that does things such as logging in and checking if a user logged in.
SO now I have come to you to figure out the best way to store whether a user is logged in or not. What I saw is using localStorage. But that could be accessed by anyone really right so I can just store a flag saying isLoggedIn or something? Would I have to encrypt some token such as a username.password and then on every page load do a call to the DB? That seems a little much. Or have a missunderstood something?
You can use JSON Web Tokens (JWT).
When the user logs in, call say /login of your backend to check the password against your database. If successful, issue a JWT containing the username and its role, for instance (not the password).
You can always tell then if the user is logged in by verifying directly with Javascript the cryptographic signature of the token (if the readable content, such as the user name, has been altered, then the signature will not match anymore). This way you don't need to interrogate the database until the token expires.
What I saw is using localStorage. But that could be accessed by anyone really right
No. It also has the advantage over cookies that it is accessible only from the same domain. In principle there is a way that your token gets stolen (e.g. XSS attacks, or copied from dev tools on your laptop when you are away), but the expiration time that you will add to it will make it valid for only a few hours.

Obscure username and password in PouchDB

I'm experimenting with PouchDB and client-side Javascript. The example on the PouchDB site works great for me: http://pouchdb.com/getting-started.html. My question is, is there any way to obscure the username and password when I connect to the remote server? The code in question:
var remoteCouch = 'http://user:pass#mname.iriscouch.com/todos';
This is all client-side JS and publicly viewable. I'm stumped on figuring out a way around it.
When you're communicating between servers you can use SSL to remain secure. The client and server establish a secure connection before sending any data about the request (i.e. the file name, the basic authentication creds, etc.).
As far as what lives on the client side, it's more of a question of how secure do you want to be. Since everything is JavaScript, especially so with PouchDB, you have to settle for one of two things
Having a fancy switch that shows you menus or hides menus
In this scenario you have a main screen with all the important menus. The user either supplies the right password, which takes them to that screen, or the program says "Error incorrect username or password". But since it's all in JavaScript, anyone with enough knowledge of your system could say something like MyApp.User.isLoggedIn = function() { return true; };.
Encrypt what you need
If there is sensitive data on the client side, you can ask them to supply their password and encrypt the sensitive data using that password. Depending on the payload, it may or may not be too performance intensive. You might have to implement your own sessions in this case so you don't end up keeping that password or sensitive data around in memory. Then all Eve would have to do is go to the JS console and hit console.log(MyApp.User.password);. Even though the password is hashed and salted (or should be), Eve likely still has access to the hash function and salt.
Good luck! Would love to hear what you come up with.
If the username and password are to be provided by the user, you can present them with a login prompt and use a secure CouchDB session cookie. The cookie is tamper-proof and will be deleted when the browser session ends or you explicitly delete it.

How to create a password protected application in javascript?

I made fire fox add-on using java script. I want to give password protection to this add-on. Where can I store the user password permanently ? How can I do this?
The best solution would be to store on an external storage. Just like websites. You send the authentication data, server checks for user and returns true or false. There are a few problems with this. If you want to restrict parts of add-on for non-registred users, that's not possible. The whole code is available to the user and he can modify it.
If you create a website specific add/on search for a data (most likely in the cookies and preferences of the website) that is a secret, unpredictable, unique and uniform for a single user. You can hash that and use it as a password. Along with the username of that specific website. This way you can avoid registration.
Server communication trough HTTP is not too secure, but hey, most websites still use it.
If you don't have an external server available, you can use local storages like a SQLite, or i you have a single password you can use the preferences which are also available under about:config. But these are far from permanent. It's there until the user reinstall operating system, which unfortunately is quite common.
If you want closed source to hide storage mode, hash generating or something like that XP-COM components might help you but I don't recommend because it's really hard to maintain (all versions on all platforms).
If the password is required to authenticate the user to a server then you should use nsILoginManager to store it. The password will be stored encrypted on disk if the user defines a master password. If you want to protect the extension's user interface from the user then it doesn't matter where you store the password - this kind of protection works only against inexperienced users. E.g. you can use Preferences to store it.

Transfering user name and password data from one login page to another login page

Hey am just curious to know if this can be done! I want to make a page that takes user name and password, and on submit, transfers the exact data right into the login form of a website(eg google, yahoo, facebook etc etc) and submits it right away. Please tell me how this can be achieved!
Thanx in advance!
Without installing plugins to enter the data and submit, no. You can't execute your script on a site from someone else. That would be too risky security wise.
Create private encryption method encrypt username and password save that as cookies and than to access your cookies and than decrypt those cookies again.
in short make use of cookies and if you neeed security care private encryption/decryption method.
Cookies are probably going to be your best bet. It might be difficult to port them from one page to another except these are webpages you have designed yourself and have declared variables to auto-fill the text-boxes.
Another approach will be to modify the code of these pages (if you have access to them) and use PHP and Ajax to connect to a database e.g a MySQL database (could be a database like Xampp running just on your local machine) and auto-fill the text-boxes.
Check this guide, it is a little similar to what i think you are trying to achieve
http://www.w3schools.com/php/php_ajax_database.asp

Categories