2

I have a run-of-the-mill externally hosted website (Linux platform) with MySQL and PHP technologies installed. I require my C# application to collect data from the website.

I have a MySQL database on my website and I want to send my username and password in order to access some sensitive data (using a PHP script).

My current design looks something like this:

C# application POSTs to a login.php script on the website.

e.g mywebsite.com/login.php?username=admin?password=MD5HashedPassword

The script generates a blank page with "OK" if the username and password match those in the database.

Now I think that's probably secure for just logging in, but if I want the login script to generate XML data which would contain sensitive information, I don't believe it's a secure way of doing it. Am I correct in thinking this?

So what direction should I go? Should I have some kind of PHP session between my application and the website? Is that a straightforward thing to do? Should I drop the use of PHP altogether and use a different technology?

Any opinions and suggestions are greatly welcomed.

Many Thanks

Prof
  • The username/password covers the authentication issue. Something like SSL would cover the data-in-the-clear issue during transmission (by using HTTPS instead of HTTP). – Joe Mar 23 '13 at 14:16
  • Maybe http://stackoverflow.com/q/549/1741542 and [OWASP](http://www.owasp.org) help. – Olaf Dietsche Mar 23 '13 at 14:17
  • Consider adding an SSL cert to your website and make the call over https. That would encrypt the data on the wire. That's one possible easy solution. – Luke Baughan Mar 23 '13 at 14:18
  • Okay, I thought HTTPS might be the answer. I can get a free certificate (not signed). But how do I go about setting this all up? How easy is it? Do I need to worry about sessions and code for this? – Prof Mar 23 '13 at 15:05

2 Answers

3

This should be just fine, provided the following conditions about your transaction are true:

  1. The POST request to the PHP page happens from the C# server to the PHP server, and the user's browser does not perform the POST. If the user's browser performs the POST to the PHP server then an attacker can simply intercept the request with a proxy like Burp Suite and extract the hashed password, then make additional requests of a malicious nature.

  2. The username/password is passed as POST parameters and not GET parameters in a query string. You used this example: e.g. mywebsite.com/login.php?username=admin?password=MD5HashedPassword which looks to me like a GET request using a query string. This is not safe.

  3. The POST request only goes over HTTPS/SSL and not regular HTTP. This will ensure that the communication is encrypted from TCP downward.

Freedom_Ben
  • Thank you Ben. Can I clarify a few things. I thought that a POST method inside normal forms on a webpage do the same thing as mywebsite.com/login.php?username=admin?password=MD5HashedPassword Am I mistaken? So POST always uses https? So does this mean the page generated by the server will also be over a connection oriented SSL link? – Prof Mar 23 '13 at 23:27
  • @Prof POST does not necessarily use https, though it can. A POST request can go over http or https/SSL. The difference is that a POST request includes the key/value pairs in the body of the request instead of the [query string](https://en.wikipedia.org/wiki/Query_string). [This page has some good examples of what raw POST requests and responses look like](http://www.opencalais.com/HTTPexamples). – Freedom_Ben Mar 23 '13 at 23:34
  • Thank you again. I was wrong about POST. So, I should use something like the HttpWebRequest or WebClient classes and POST to a URL that contains https rather than http. So the response data will be over an SSL connection, and thus be secure? Can I ask, is this what most desktop applications do for authentication? Take for example Valve's Steam service, does it use something similar or would they use their own special socket component to interface with their authentication servers? – Prof Mar 24 '13 at 00:33
  • Before I mark this as the answer can I make one final clarification. I have set up a self-signed SSL certificate for testing (using openssl with apache). In my C# application, I use a HTTPWebRequest object to make a POST request to the https:// URL of my php script. The PHP script generates XML data which I parse. Can I confirm that the generated XML data is secure against man-in-the-middle attacks? Have I actually created a secure SSL connection, because it seemed a little easy!? – Prof Mar 25 '13 at 12:51
  • @prof To verify that the data is encrypted I usually use [Wireshark](https://www.wireshark.org/). If the SSL is working correctly you shouldn't even see HTTP data because it will all be encrypted inside the packet. Testing for MITM attacks is much more difficult. Since you have a self-signed certificate, your users will be vulnerable. To protect against MITM (which is very important so I'm glad you're concerned about it), you either need a cert from a trusted third party ([Verisign](https://www.verisign.com/) is popular), or the user will need to install your root cert as trusted. – Freedom_Ben Mar 25 '13 at 15:26
  • @prof Continued-- The best way to do it is with a third party certificate authority like [Verisign](https://www.verisign.com/) or [Comodo](http://ssl.comodo.com/). Having users trust your self-signed cert is difficult and intrusive. I wouldn't expect people to do it, especially since the industry standard is third party. To verify that it is working, I like to set up [Burp Suite](http://portswigger.net/burp/) as a proxy. The browser should alert you that the certificate is invalid and that a MITM attack may be underway. This will prove that your certificate verification is working properly. – Freedom_Ben Mar 25 '13 at 15:29
  • @Ben - Thanks for the reply. So I plan to purchase a certificate once the project is off the ground. However, if I self sign a certificate I'm still performing asymmetric encryption, so the data is just as secure down the wire as it is purchasing one from Verisign, is it not? I've got Wireshark, however it is spewing out a ridiculous amount of data. I try running my application, and make a connection, but I don't know where in the capture window of Wireshark my packet is. Any hints here? Thanks for your help – Prof Mar 25 '13 at 16:43
  • @Prof, yes your self signed certificate should provide complete encryption. I recommend using a filter expression in Wireshark to narrow things down and cut the clutter. Something like `(ip.addr == 192.168.1.100) && (tcp.port == 443)` This will help isolate only the packets that you care about. You can also right click a TCP packet and select "follow conversation." This will show you all packets related to that transaction. – Freedom_Ben Mar 25 '13 at 17:19
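
The client side of the three conditions in this answer, as an added example that is not code from the post: the credentials travel in the POST body, the URL must be https, and certificate validation stays on, with an optional pinned thumbprint so a self-signed test certificate can be used without switching validation off. The field names, the `LoginClient` class and the thumbprint value are assumptions; it uses `HttpClient` (.NET Core, or .NET Framework 4.7.1 and later).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Threading.Tasks;

static class LoginClient
{
    // Placeholder: thumbprint of the self-signed TEST certificate; leave null in production.
    static readonly string PinnedTestThumbprint = null;

    // One shared client for the whole application.
    static readonly HttpClient Client = CreateClient();

    static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler();
        if (PinnedTestThumbprint != null)
        {
            // Accept a chain that validates normally, or exactly the pinned test certificate.
            // Returning true unconditionally would accept any certificate, including a proxy's.
            handler.ServerCertificateCustomValidationCallback = (req, cert, chain, errors) =>
                errors == SslPolicyErrors.None ||
                (cert != null && string.Equals(cert.Thumbprint, PinnedTestThumbprint,
                                               StringComparison.OrdinalIgnoreCase));
        }
        return new HttpClient(handler);
    }

    // POSTs the credentials and returns the XML document the PHP script generates.
    public static async Task<string> FetchXmlAsync(Uri endpoint, string user, string password)
    {
        // Refuse to send credentials over plain HTTP.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Endpoint must use https.", nameof(endpoint));

        // Form fields go in the request body, so they never appear in the URL.
        var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["username"] = user,
            ["password"] = password,
        });

        using (var response = await Client.PostAsync(endpoint, body))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

With `PinnedTestThumbprint` left null the handler keeps the platform's default validation, so a request through an intercepting proxy fails with a certificate error instead of returning data.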
-1

SSL is the standard way of protecting data on the wire. If you have a cert just load it into your web server (process varies between servers) and make sure your program specifies https as the protocol.

Your authentication system looks... non-standard. You typically can't use your platform's forms authentication if you are going to be using programmatic http requests. But rather than roll your own, you should prefer basic or digest authentication. In that case, the credentials will be passed in a header rather than explicitly as a part of a query string. Since you are using SSL, basic authentication is safe.

bmm6o
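
How the Basic `Authorization` header this answer recommends is built, as an added example that is not code from the post. It also decodes the header again to show that the value is only base64-encoded, which is why the answer ties its safety to SSL. The `BasicAuthExample` class, the URL and the credentials are constructed for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

static class BasicAuthExample
{
    // Build a GET request that carries the credentials in the Authorization header.
    public static HttpRequestMessage Build(Uri endpoint, string user, string password)
    {
        // Basic credentials are only base64-encoded, so the transport must be TLS.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Basic authentication requires https.", nameof(endpoint));
        // RFC 7617: the user-id must not contain ':', the user/password separator.
        if (user.Contains(":"))
            throw new ArgumentException("User name must not contain ':'.", nameof(user));

        var token = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
        var request = new HttpRequestMessage(HttpMethod.Get, endpoint);
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", token);
        return request;
    }

    // What anyone able to read the header recovers: base64 is an encoding, not encryption.
    public static string Decode(AuthenticationHeaderValue header)
    {
        return Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter));
    }

    static void Main()
    {
        // Constructed sample values.
        var request = Build(new Uri("https://mywebsite.example/data.php"), "admin", "sample-password");
        Console.WriteLine(request.Headers.Authorization);
        Console.WriteLine(Decode(request.Headers.Authorization));
    }
}
```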