Closed Bypassing md5 authentication and how to fix (secure coding)

[Ace Valentine]

Hi!

Some of the PHP websites that are "password protected" are using the == to verify if the hard-coded md5 hashed password is matching the user input.
The fact that they use the == sign together with md5 hashes is sometimes can be dangerous and lead to authentication bypass.

Example:

<?php
$password = '0e232097431616219012560978731854'; //md5 form

if (md5($_GET['password'] == $password)
 echo 'welcome!';
else
 echo 'Wrong password!'

Pwede siya mabypass by using this string as a password: 240610708
md5('240610708') = 0e462097431906509019562988736854
This kind of thing is called Magic Hashes. It's not always works, here's why:

IF the hard-coded hash in the website begins with 0e - it can be bypassed with Magic Hashes.
why? because well, PHP is a flexible language.
The problem is in == comparison. 0e means that if the following characters are all digits the whole string gets treated as a float.
Think of "0e…" as being the scientific notation for "0 to the power of some value" and that is always "0".

This is how php interprets it:

if( 0 == 0 ) { echo 'welcome!'; }

More magic hashes:

<?php
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs')  == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
var_dump('0010e2'         == '1e3');
var_dump('0x1234Ab'       == '1193131');
var_dump('0xABCdef'       == '     0xABCdef');
?>[/COLOR]

How to mitigate this:
Just use === operator

Yun lang po guys, I hope naintindihan niyo. Happy coding! Keep your apps secure..

 

[versalreyatis]

Wowww slamaatt paps. Sana may mag turo sakin mag code huhuhu

 

[moondhie]

Wow i will try this code papz. thanks for sharing.

 

[B U L I L Y A S O]

salamat dito boss.

 

[Impostor Syndrome]

I think walang gumagamit niyan sa mga real / production ready applications lalo na sa mga professionals. Mostly gumagamit kami ng cryptography libraries which is more complete, robust, stable and provides a faster development process for authentication systems. Siguro yung mga beginners or nag-aaral palang ng simpleng web authentication system; and it was stated on PHP manual already regarding about this native methods.

Why are common hashing functions such as You do not have permission to view the full content of this post. Log in or register now. and You do not have permission to view the full content of this post. Log in or register now. unsuitable for passwords?

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.



How should I hash my passwords, if the common hash functions are not suitable?

When hashing passwords, the two most important considerations are the computational expense, and the salt. The more computationally expensive the hashing algorithm, the longer it will take to brute force its output.

PHP 5.5 provides You do not have permission to view the full content of this post. Log in or register now. that safely handles both You do not have permission to view the full content of this post. Log in or register now. and You do not have permission to view the full content of this post. Log in or register now.in a secure manner. There is also You do not have permission to view the full content of this post. Log in or register now. available for PHP 5.3.7 and later.

Another option is the You do not have permission to view the full content of this post. Log in or register now. function, which supports several hashing algorithms in PHP 5.3 and later. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.

The suggested algorithm to use when hashing passwords is Blowfish, which is also the default used by the password hashing API, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable.

Note that if you are using You do not have permission to view the full content of this post. Log in or register now. to verify a password, you will need to take care to prevent timing attacks by using a constant time string comparison. Neither PHP's You do not have permission to view the full content of this post. Log in or register now. nor You do not have permission to view the full content of this post. Log in or register now. perform constant time string comparisons. As You do not have permission to view the full content of this post. Log in or register now. will do this for you, you are strongly encouraged to use the You do not have permission to view the full content of this post. Log in or register now. whenever possible.


Source: h t t p://php.net/manual/en/faq.passwords.php

 

[Ace Valentine]

I think walang gumagamit niyan sa mga real / production ready applications lalo na sa mga professionals. Mostly gumagamit kami ng cryptography libraries which is more complete, robust, stable and provides a faster development process for authentication systems. Siguro yung mga beginners or nag-aaral palang ng simpleng web authentication system; and it was stated on PHP manual already regarding about this native methods.

Why are common hashing functions such as You do not have permission to view the full content of this post. Log in or register now. and You do not have permission to view the full content of this post. Log in or register now. unsuitable for passwords?

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.



How should I hash my passwords, if the common hash functions are not suitable?

When hashing passwords, the two most important considerations are the computational expense, and the salt. The more computationally expensive the hashing algorithm, the longer it will take to brute force its output.

PHP 5.5 provides You do not have permission to view the full content of this post. Log in or register now. that safely handles both You do not have permission to view the full content of this post. Log in or register now. and You do not have permission to view the full content of this post. Log in or register now.in a secure manner. There is also You do not have permission to view the full content of this post. Log in or register now. available for PHP 5.3.7 and later.

Another option is the You do not have permission to view the full content of this post. Log in or register now. function, which supports several hashing algorithms in PHP 5.3 and later. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.

The suggested algorithm to use when hashing passwords is Blowfish, which is also the default used by the password hashing API, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable.

Note that if you are using You do not have permission to view the full content of this post. Log in or register now. to verify a password, you will need to take care to prevent timing attacks by using a constant time string comparison. Neither PHP's You do not have permission to view the full content of this post. Log in or register now. nor You do not have permission to view the full content of this post. Log in or register now. perform constant time string comparisons. As You do not have permission to view the full content of this post. Log in or register now. will do this for you, you are strongly encouraged to use the You do not have permission to view the full content of this post. Log in or register now. whenever possible.


Source: h t t p://php.net/manual/en/faq.passwords.php

Halos lahat ng websites are using frameworks na but marami pa ring websites ang gumagamit nyan in my own experience.. anyway this is for educational purposes only..

 

[Impostor Syndrome]

Halos lahat ng websites are using frameworks na but marami pa ring websites ang gumagamit nyan in my own experience.. anyway this is for educational purposes only..

Oo may mga legacy websites / system na hindi na update pa. Hindi ako sure, kasi hindi rin naman ako php dev at wala ako nahawakan na ganyan ang implementation nila. Thanks ts.

 

[Netflix]

Salamat dito

 

[lfasmpao]

Add lang ako ng info kaya wag malilito sa dalawa hahaha,
=== Identical (with type checking)
== Equal (without type checking)