4

My JS Code(Just example, maybe there is some syntax error)

$(document).on('click','#btnEdit',function(e){ 
    var id = $("#inp_id").val(), ps = $("#inp_ps");     
    $.ajax({
        type: 'POST',
        url: 'http://example.php',
        data: {act:'#LogIn',id:id,ps:ps},
        success: function(response){
            if($.trim(response) === "success"){
                alert("Login Successful");   
            }
            else{
                alert("Invalid ID or Password");
            }
        }
    });
});

Inside the php 

if($_POST[act] == "#LogIn"){
    $userid = Encrypt($_POST[id],$key1);
    $userps = hashPS($_POST[ps],$salt);
    //query...
    if(result > 0){
         $_SESSION['id'] = Encrypt($userid,$key2);
         $_SESSION['token'] = //random code;
    }
}


My question:

Is there any way to make the code secure? Because i think the attackers can just write their own script and send data to the php for getting and id. Or maybe it is just a bad idea using ajax to login and register.

Shadow
  • 6,976
  • 4
  • 39
  • 52
Jee Hong
  • 37
  • 7
  • 2
    You can use captcha to protect your site . – anshuman Aug 14 '18 at 03:46
  • AJAX is no less secure than a form. Hackers can modify form data, too. – Barmar Aug 14 '18 at 03:48
  • 2
    PHP is checking the password, there's nothing attackers can do on the client to get around that. – Barmar Aug 14 '18 at 03:49
  • Maybe you like the use of [JSON Web Tokens](https://coderwall.com/p/8wrxfw/goodbye-php-sessions-hello-json-web-tokens) – Jeroen Heier Aug 14 '18 at 03:51
  • @JeeHong You are worrying that an attacker will write an script to login, aren't you? – anshuman Aug 14 '18 at 03:59
  • 1
    Apart from Captcha, be sure to use HTTPS to avoid the data to be captured in plain text. – Raptor Aug 14 '18 at 04:03
  • @iNullPointer i worry about the attacker trying to "steal" id by writing a script that can generate random id and password (maybe using looping or wat) and send it to the php until return success – Jee Hong Aug 14 '18 at 04:05
  • @Raptor so using https can avoid attacker "steal" id fomr our website? sry for bad english – Jee Hong Aug 14 '18 at 04:06
  • @JeeHong Then `CAPTCHA` is the best solution for you. On client side, user need to enter `CAPTCHA` and on server side you need to verify `CAPTCHA`, that is generated at server and displayed to client when login page is loaded, before quarrying `Username` and `Password`. If `CAPTCHA` is not correct you can display message saying `Incorreect CAPTCHA` and `exit`. – anshuman Aug 14 '18 at 04:09
  • @JeeHong what I mean is, as your HTTP Request & Response are currently unprotected by HTTPS, the contents are in plain text. Basic network packet capture (e.g. using Wireshark) can obtain the response, thus facilitating the bruteforce attack. – Raptor Aug 14 '18 at 04:12
  • Possible duplicate of [The definitive guide to form-based website authentication](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – KaiserKatze Aug 14 '18 at 05:19
  • Attackers can write their own script and send data to php for getting an id anyway, there's nothing inherently less secure when logging in via AJAX . If your backend handles the input responsibly and correctly then it doesn't matter if the front-end sent it via AJAX request or scanned Postits attached to an email message. – apokryfos Aug 14 '18 at 06:19

2 Answers2

3

Check out The definitive guide to form-based website authentication [closed] .

Salting from frontend mainly aims at protecting privacy of your users. While CAPTCHA aims at verifying your user is a real person but a spider and protecting your server from DDOS attack.

To guarantee security you need HTTPS. There are potential risks if you implement login service without HTTPS, such as Man-in-the-Middle-Attack. So I have to provide a backend solution here.

As is mentioned by Raptor, attackers can still test the password via bruteforce. Yes, indeed. Yet if you choose your encryption algorithm correctly, it will take millions of years to crack a single password.

Besides there is one more attack, named Cross-site request forgery. You have to prevent it by simply introducing a csrf_token.

I asked a question(【django-1.11.3/angular-1.6.4】POST AJAX CSRF verification failed) a year ago where you might get some inspiration.

Certbot

Installation

sudo apt install certbot

Configuration

sudo certbot certonly --standalone -d example.com -d www.example.com

Not Certbot

It's sometimes better if you use OAuth and make service providers such as Google or Facebook take the responsibility to take care of login security.

KaiserKatze
  • 1,248
  • 1
  • 16
  • 29
  • 2
    If only HTTPS is used, attackers can still test the password via bruteforce. Incomplete solution. – Raptor Aug 14 '18 at 04:04
  • Yes I know. Besides there was a Heartbleed Bug within SSL which could lead to serious security risks. But it's what I can do about it so far. You are welcome to improve my answer. Meanwhile I want to point it out that attackers can hijack people in real life and interrogate them to get passwords. Thus the definition and scope of security is important. – KaiserKatze Aug 14 '18 at 04:42
2

The best practices for making it secure are as follows.

  1. Implement CSRF token so every request is sent using a CSRF (Cross Site Request Forgery). CSRF insures if the request is valid. You may get further details about CSRF implementation from here

  2. Apply IP check on the server side. Check from which IP the request is coming. You should only accept the requests which are coming from your own server. You can use $_SERVER['REMOTE_ADDR'] for that purpose

  3. Captcha on the client side to protect from BOTS Google recaptcha is best for this. Details are here

If you apply the above you will be secure enough for POST requests.

azizsagi
  • 228
  • 1
  • 12