Chapter 7 PHP Security: Authentication and Authorization

Source: Internet
Author: User

7.1. Brute Force Attacks

A brute-force attack is an attack that uses no special technique at all; it simply tries every possibility until one works. The name reflects this exhaustive approach: it covers the whole space of possible cases by sheer effort rather than by cleverness.

In access control, the typical brute-force attack is an attacker trying to log in by submitting a large number of guesses. In most cases the username is already known, so only the password has to be guessed.

Although a brute-force attack involves no skill, a dictionary attack does seem to require some. The main difference is the intelligence behind the guesses: a dictionary attack tries only the most likely candidates, whereas a brute-force attack tries every possible one.

Limiting the rate of authentication attempts, or the number of failures allowed, is an effective security measure. The difficulty lies in identifying and blocking attackers without affecting legitimate users.

Checking for consistency can help you tell the two apart. The method resembles the one described in Chapter 4 for preventing session hijacking, except that here the goal is to determine whether a request comes from an attacker rather than from a legitimate user.

Consider the following HTML form:

Code:

<form action="http://example.org/login.php" method="POST">
<p>Username: <input type="text" name="username" /></p>
<p>Password: <input type="password" name="password" /></p>
<p><input type="submit" /></p>
</form>

An attacker can view this form and write a script that posts valid data to http://example.org/login.php:

Code:

<?php

$username = 'victim';
$password = 'guess';

$content = "username=$username&password=$password";
$content_length = strlen($content);

$http_request = '';
$http_response = '';

$http_request .= "POST /login.php HTTP/1.1\r\n";
$http_request .= "Host: example.org\r\n";
$http_request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$http_request .= "Content-Length: $content_length\r\n";
$http_request .= "Connection: close\r\n";
$http_request .= "\r\n";
$http_request .= $content;

if ($handle = fsockopen('example.org', 80))
{
    fputs($handle, $http_request);

    while (!feof($handle))
    {
        $http_response .= fgets($handle, 1024);
    }

    fclose($handle);

    /* Check response */
}
else
{
    /* Error */
}

?>

With this script, an attacker only needs to add a loop that tries a different password on each iteration and inspects the $http_response variable after each attempt. As soon as $http_response changes, the correct password has been found.

There are many security measures you can use to resist such attacks. Note one very useful property of a brute-force attack: each HTTP request differs only in the password, and everything else is identical.
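That property is also what makes the attack visible on the server side: a burst of near-identical POSTs to the login endpoint from one client. The following script is an added example, not code from the book or the original page; it parses constructed Apache common-log-format lines and flags any client IP that sends more than MAX_ATTEMPTS login POSTs inside a WINDOW_SECS sliding window. The log lines, the endpoint path, and the threshold and window values are all assumptions chosen for the example.

```php
<?php
// Added example (not from the original text): detect a burst of login
// attempts per client from web-server access-log lines.
// The log lines below are constructed for this example in Apache "common"
// log format; the threshold and window are assumptions, not values from the page.

const LOGIN_PATH   = '/login.php';
const WINDOW_SECS  = 60;   // sliding window in seconds (assumed)
const MAX_ATTEMPTS = 5;    // login POSTs per window before alerting (assumed)

$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /login.php HTTP/1.1" 302 0
LOG;

/** Parse one common-log-format line into ip/time/method/path, or null if it does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $m[4]];
}

/**
 * Return [ip => count] for every client that sent more than MAX_ATTEMPTS
 * POSTs to LOGIN_PATH within any WINDOW_SECS-second sliding window.
 */
function findLoginBursts(string $log): array
{
    $perIp = [];
    foreach (explode("\n", trim($log)) as $line) {
        $e = parseLogLine($line);
        if ($e === null || $e['method'] !== 'POST' || $e['path'] !== LOGIN_PATH) {
            continue;   // not a login attempt (or unparseable)
        }
        $perIp[$e['ip']][] = $e['time'];
    }

    $flagged = [];
    foreach ($perIp as $ip => $times) {
        sort($times);
        $start = 0;
        foreach ($times as $i => $t) {
            // Advance the window start until the oldest attempt fits in the window.
            while ($t - $times[$start] > WINDOW_SECS) {
                $start++;
            }
            if ($i - $start + 1 > MAX_ATTEMPTS) {
                $flagged[$ip] = $i - $start + 1;
                break;
            }
        }
    }
    return $flagged;
}

foreach (findLoginBursts($sampleLog) as $ip => $count) {
    printf("ALERT: %s made %d login attempts within %d seconds\n", $ip, $count, WINDOW_SECS);
}
```

In the constructed sample, 203.0.113.7 sends six login POSTs in five seconds and is flagged, while 198.51.100.4 makes one normal login and is not. In practice the threshold should be tuned to the application's real login rate, and the same sliding-window logic can be keyed on the submitted username (from the application log rather than the access log) to catch attackers who rotate source addresses.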

Although temporarily locking an account after a certain number of failed attempts is an effective precaution, you might consider a more targeted way of locking accounts, so that an attacker's attempts have as little impact as possible on legitimate users of your application.

Some other measures also make brute-force attacks harder and less likely to succeed. A simple throttling mechanism achieves this effectively:

Code:

<?php

/* mysql_connect() */
/* mysql_select_db() */
/* Note: the legacy mysql_* extension used here was removed in PHP 7. */

$clean = array();
$mysql = array();

$now = time();
$max = $now - 15;   /* any failure newer than this blocks the attempt */

$salt = 'shiflett';

if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}
else
{
    /* ... */
}

$clean['password'] = md5($salt . md5($_POST['password'] . $salt));

$mysql['username'] = mysql_real_escape_string($clean['username']);

$sql = "SELECT last_failure, password
        FROM   users
        WHERE  username = '{$mysql['username']}'";

if ($result = mysql_query($sql))
{
    if (mysql_num_rows($result))
    {
        $record = mysql_fetch_assoc($result);

        if ($record['last_failure'] > $max)
        {
            /* Less than 15 seconds since last failure */
        }
        elseif ($record['password'] == $clean['password'])
        {
            /* Successful login */
        }
        else
        {
            /* Failed login */

            $sql = "UPDATE users
                    SET    last_failure = '$now'
                    WHERE  username = '{$mysql['username']}'";

            mysql_query($sql);
        }
    }
    else
    {
        /* Invalid username */
    }
}
else
{
    /* Error */
}

?>

The previous example limits how frequently a login can be attempted for the same user after a failed attempt. If another attempt is made within 15 seconds of a failure, authentication fails regardless of whether the password is correct. This is the key point of the approach: it is not enough merely to block access for 15 seconds after a failure; during that window the response must be the same no matter what input is submitted, and it should differ only when a login actually succeeds. Otherwise, the attacker simply looks for an inconsistency in the output to determine whether the login succeeded.
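The following is an added example, not the book's code, that implements the same 15-second throttle with current PHP idioms: PDO prepared statements instead of manual escaping, password_hash()/password_verify() instead of salted MD5, and a single boolean return so that an unknown user, a wrong password and a throttled request all produce the same response until a login genuinely succeeds. The users table layout (username, password_hash, last_failure), the in-memory SQLite connection and the sample account are assumptions for the example.

```php
<?php
// Added example (not the original text's code): the 15-second throttle from
// the chapter, rewritten with PDO and password_hash()/password_verify().
// Table layout and the SQLite in-memory connection below are assumptions.

const FAILURE_WINDOW = 15; // seconds, as in the text

/**
 * Attempt to authenticate. Returns true only on success; every other outcome
 * (unknown user, wrong password, throttled request) returns false, so the
 * client sees an identical response until a login actually succeeds.
 */
function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    // Same whitelist check as the original: alphanumeric usernames only.
    if (!ctype_alnum($username)) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT password_hash, last_failure FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $now = time();

    if ($row === false) {
        // Unknown user: still pay the cost of one hash check so response time
        // does not reveal whether the username exists.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return false;
    }

    // Throttle: within FAILURE_WINDOW seconds of the last failure the attempt
    // fails even if the password is right. As in the original, a throttled
    // attempt does not refresh last_failure, so an attacker cannot keep a
    // legitimate user locked out indefinitely by hammering the endpoint.
    if ($row['last_failure'] !== null && (int) $row['last_failure'] > $now - FAILURE_WINDOW) {
        return false;
    }

    if (password_verify($password, $row['password_hash'])) {
        return true;
    }

    recordFailure($pdo, $username, $now);
    return false;
}

/** Store the time of a failed attempt for this user. */
function recordFailure(PDO $pdo, string $username, int $now): void
{
    $stmt = $pdo->prepare('UPDATE users SET last_failure = :t WHERE username = :u');
    $stmt->execute([':t' => $now, ':u' => $username]);
}

// Constructed setup so the example runs stand-alone: an in-memory database
// with one account (assumed credentials, not from the page).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL, last_failure INTEGER)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash, last_failure) VALUES (:u, :h, NULL)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// A wrong guess records a failure; the correct password submitted immediately
// afterwards is still rejected because it falls inside the window.
echo attemptLogin($pdo, 'alice', 'wrong')         ? "login ok\n" : "login failed\n";
echo attemptLogin($pdo, 'alice', 'correct horse') ? "login ok\n" : "login failed\n";
echo attemptLogin($pdo, 'nobody', 'anything')     ? "login ok\n" : "login failed\n";
```

The handler that calls attemptLogin() should map false to one generic message and one HTTP status for every failure reason; if the page body, status code or redirect differs between "throttled" and "wrong password", the consistency the text describes is lost and the attacker regains the signal they need.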
