When I enter username, password and hit the login button, then a POST request goes to the server.
Does the password go in plain text format in the header? And so is https the only solution to encrypt the communication so an attacker cannot view it?
Related
I confuse session id and CSRF token. so I search about that and understand a little bit.
Session IDs are used to verify a user. CSRF tokens are used to verify request itself.
My question is when server send CSRF token to user?
For example
when client visit www.sample.com first time, sever send session id to client.(is that right?) client want to change his password. so he come to www.sample.com/change where client can change password and is located change button(post). And that time(when client visit www.sample.com/change) sever send CSRF token to client? or when client post their data then middleware send CSRF and compare before server got post data?
The server sends the CSRF token when the client visit the www.sample.com/change page. Usually, the CSRF token is embedded in the HTML file as a hidden html element such as <meta> tag or hidden <input> tag. Therefore, when the client sends a GET request to retrieve the www.sample.com/change page, the CSRF token will be returned as part of the HTML page.
Resources:
https://portswigger.net/web-security/csrf/tokens
Additional Consideration
Let's say we take the "middleware" approach described in your question. In that case, the CSRF token will be generated in the server upon receiving a POST/PUT request. Then, the server cannot discern whether the request is generated by the legitimate site (www.sample.com) or the impersonating site (www.malicious.com) because both requests can look exactly the same (note here that the malicious site can spoof request headers such as origin). Therefore this approach cannot prevent CSRF attack. The CSRF token needs to be sent from the client so that the server can identify the requests originating from the legitimate website.
I have an asp.net web API. I implemented a token authentication that I am trying to validate user name and password from the database. I am new to JWT so I need your advice.
Here are my questions;
Should I encrypt username and password in my database?
The client sends the username and password in the request body, Should the client send them in the header? And should they be encrypted?
Best Regards.
You should absolutely encrypt your password in the database. Even better if you hash it with "salt" (hashing will let you implement the log in logic, but the original password will be unrecoverable even if you know the hash).
Sending the password in the request body is fine if the connection is protected by TLS (HTTPS). There's no gain in putting it in the headers.
Usernames are often stored in plain text.
P.S. Your question has nothing specific to JWT, it is just general password management.
I'm currently working on a single page application that talks to a REST api hosted on a different server and protected with SSL.
I am wondering if I should set an SSL certificate on the server that serves the single page application or if simply setting it on the back end server is enough, by considering the following:
The single page application is an endpoint for reset password links with a confidential token in the query string. These links are sent by email to my users. When a user clicks on the link, his browser requests the single page application. The GET request is therefore NOT encrypted and nor is the query string.
The app then asks the user to enter a new password and this new password is sent via ajax to the back end, which is protected with SSL.
So my take on it is that it's worth setting up SSL for my single page application to assure security for the first consideration because the GET request is therefore NOT encrypted and nor is the query string and the token is sensitive information. However, it wouldn't be required if only the second consideration was taken into account since the connection between the single page app and the back end is done via SSL (because the single page app uses Ajax to communicate to an endpoint protected via SSL).
Am I right? Or completely sidetracked? Thanks!
Your intuition is correct. The only effective difference between your first and second scenario is that in (1) you are sending sensitive information (the token) to the front end server, and (2) you are sending sensitive information (password) to the back end server. So because you are sending sensitive information to both, they will both need to be secured by SSL.
If the front end server were not secured by SSL, here is a possible attack avenue:
Attacker MITMs the frontend server when the user sends the reset token in the query string, the attacker gains access to the reset token.
Before the real client can send a password reset request, the attacker sends the password reset request to the backend server.
The attacker sends the new password to the backend server. The password is reset to a password the attacker knows.
In no step does the attacker have to compromise the SSL of the backend server to pull off this attack on the frontend server. Of course the backend server will be receiving the password from the user, so it will need SSL too. In short, to protect against man-in-the-middle attacks you will need SSL for both of your servers.
When a browser client successfully submits the username/email and password to the server and the next request the client retrives data from the server how is the client identified being successfully authenticated already?
I found this info:
"After the user enters credentials, the browser automatically sends them on subsequent requests to the same domain, for the duration of the session."
From where does the browser take the credentials for each subsequent request?
Do I have to actively save the credentials somewhere? How is the magic happening?
Once the user's credentials have been authenticated by the server, the server returns an authorization token (commonly called auth token which is a long string made up of characters and numbers) which identify that the user has been authenticated and is valid. Every time, the user sends in his request, the request data will also contain this auth token (either as a cookie or added in to the request itself) which lets the server know that the client is valid. Because of this, the request is authenticated each time but not by using the actual username/password credentials.
Based on requirements, the auth token may be set to expire after a certain period (if there is not activity such as in banking applications).
I'm trying to use mitmproxy to automate logging into a webpage, the main idea is that;
The user requests a webpage
The proxy recieves this request;
If the targeted webpage is NOT an auto-login page; We'll simply send the request through.
Otherwise; We'll send a post request to log into the page, on the users behalf, and return the cookie (with sessionID and such), and the user will be able to browse the page as logged in.
I've been able to get mitmproxy up and running, I can detect the outgoing request, and obviously check whether it matches any url, that is an auto-login one.
I can also log into the page, using pythons http.client module, however I can't figure out how to return the logged in http.client cookies and such to the user, through the proxy script, such that the browser will simply bypass the login screen.
That is, I have a valid HTTP Response object, which is 'logged in' (ie. containing the logged in cookie), and I'm wanting to return this, in my mitmproxy script.
Decided to abandon this idea, and use the java library, 'exproxy' instead.