Password between server and client should not be in clear text

  • Question

  • User1052662409 posted

    Hi all,

    I am using the MD5 technique.

    Below is my code for that:

        // Requires: using System.Data; using System.Data.SqlClient;
        //           using System.Security.Cryptography; using System.Text;
        #region Checking the password
        // Note: this 16-byte array is never used; ComputeHash returns its own array.
        Byte[] password = new Byte[16];

        MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider();
        byte[] hashedDataBytes;
        UTF8Encoding encoder = new UTF8Encoding();
        // Unsalted MD5 of the UTF-8 bytes of the password typed into the text box
        hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPassword.Text));
        #endregion

        // Look the user up by id and password hash via the stored procedure
        SqlCommand com11 = new SqlCommand("For_Login1", con);
        com11.CommandType = CommandType.StoredProcedure;
        com11.Parameters.AddWithValue("@User_Id", ddl.SelectedItem.Text);
        com11.Parameters.AddWithValue("@Password", hashedDataBytes);
        SqlDataAdapter sda = new SqlDataAdapter(com11);
        DataTable dtcheck = new DataTable();
        sda.Fill(dtcheck);
        if (dtcheck.Rows.Count > 0)
        {
            // A matching row means the login succeeded; copy its columns into the session
            // Session["uid"] = txtUserId.Text;
            Session["uid"] = dtcheck.Rows[0]["User_Id"].ToString();
            Session["uname"] = dtcheck.Rows[0]["User_Id"].ToString();
            Session["viewgroup"] = dtcheck.Rows[0]["ViewGroup"].ToString();
            Session["SFTI_Id"] = dtcheck.Rows[0]["SFTI_Id"].ToString();
            Session["spmu_id"] = dtcheck.Rows[0]["State_Id"].ToString();
        }

    How can I avoid this vulnerability, so that anyone can't see this password in clear text? I mean any tester.

    Please tell me how to avoid this. If this way won't work, could you please suggest another way to achieve the MD5 technique.

    Thanks

    Wednesday, August 20, 2014 12:08 PM

Answers

  • User753101303 posted

    If using SSL the password doesn't go over the wire as clear text. Using Fiddler locally doesn't change that (and requires access to the local PC to decode this; anyway, if you have access to the local PC the password is typed in clear text unless you create some kind of virtual keyboard etc.). It wouldn't work from a third party PC.

    So for THIS requirement, SSL is correct. You could also try https://www.ssllabs.com/ssltest/ to see if your SSL configuration is correct (for example it could potentially allow the use of a weaker encryption on old servers).

    See rather http://www.microsoft.com/en-us/download/details.aspx?id=4865 to see what goes on the network itself.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, August 21, 2014 8:28 AM

All replies

  • User-760709272 posted

    Use https.

    Wednesday, August 20, 2014 12:20 PM
  • User1052662409 posted
    How to use it in my server?
    Wednesday, August 20, 2014 8:41 PM
  • User753101303 posted

    Hi,

    Unclear. Which vulnerability? You are showing some code and then tell a tester could see a clear text password. Which one? The one he entered?

    Usually:
    - the web site uses https so that the password is encrypted between the web browser and the server (you can start giving it a try at http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx)
    - then it is stored hashed in the db (this is already done by ASP.NET user management out of the box providers that you could reuse rather than invent your own)

    Wednesday, August 20, 2014 8:55 PM
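    For the "stored hashed in the db" half of the answer above, here is an added example (not code from the thread or from the ASP.NET providers) of what the server side looks like when the unsalted MD5 from the question is replaced by a per-user random salt and PBKDF2 via Rfc2898DeriveBytes. The column names Salt and PasswordHash, the iteration count and .NET Framework 4.0 or later are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the thread: store a per-user random salt and a
// PBKDF2 (Rfc2898DeriveBytes) hash instead of the unsalted MD5 shown above.
// Column names, the iteration count and .NET Framework 4.0+ are assumptions.
public static class PasswordStore
{
    private const int SaltSize = 16;        // 128-bit random salt per user
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 100000;  // assumed work factor; raise as hardware allows

    // Called when a password is set: produces the Salt and PasswordHash to save
    // in the user's row. The plain password is never stored.
    public static void Create(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltSize];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        hash = Derive(password, salt);
    }

    // Called at login: load Salt and PasswordHash by @User_Id (not by hash),
    // recompute with the stored salt and compare in constant time so the
    // comparison does not reveal how many leading bytes matched.
    public static bool Verify(string password, byte[] storedSalt, byte[] storedHash)
    {
        byte[] candidate = Derive(password, storedSalt);
        if (candidate.Length != storedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++)
        {
            diff |= candidate[i] ^ storedHash[i];
        }
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }
}
```

    With this layout the stored procedure only needs @User_Id; the password check happens in Verify rather than in a WHERE clause on the hash.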
  • User1052662409 posted

    Unclear. Which vulnerability? You are showing some code and then tell a tester could see a clear text password. Which one? The one he entered?

    Actually the security auditing process of my web application is being done by an auditor. Before that they told me to use the MD5 technique for password security.

    Then I used this technique: I store the password in the DB using this method, and I retrieve the password from the DB using this method. After implementing these methods I hosted my application and gave the link to my auditor for the security audit, but they replied after testing:

    "Password between server and client is being passed in clear text. Kindly ensure that it is fixed throughout the application"

    How to fix it?

    Wednesday, August 20, 2014 10:09 PM
  • User-760709272 posted

    How to use it in my server?

    http://support.microsoft.com/kb/324069

    For testing and development you can use a certificate generated by iis (google "iis self-certificate") but for your production site you'll need to buy a proper cert from a registered authority (google "buying ssl certificate").  To pre-empt your next questions, no you can't get one for free and you can't use the self-cert on a live site (they will give security warnings to the user which you will just ignore in dev and testing, but a live user wouldn't).

    For your login pages make sure the URL to them begins with https, and if they are accessed via http you can redirect to the same URL with https.  If you google for using https with asp.net you'll find lots of articles, it's too in-depth to cover in a forum post.

    Thursday, August 21, 2014 3:33 AM
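    The http-to-https redirect for login pages described in the post above, as an added example (not code from the thread): an IHttpModule for ASP.NET on .NET Framework 4.0 or later. The "/Login" path prefix and port 443 are assumptions; the module is registered in web.config under system.webServer/modules.

```csharp
using System;
using System.Web;

// Added example, not code from the thread: an IHttpModule that sends a plain
// http request for the login page to the same URL over https, as described
// above. The "/Login" path prefix and port 443 are assumptions; register the
// module in web.config under <system.webServer><modules>.
public class RequireHttpsForLoginModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            Uri target = HttpsRedirectTarget(ctx.Request.Url, ctx.Request.IsSecureConnection);
            if (target != null)
            {
                // 301 on the GET of the form, before the user has typed anything;
                // a POST that arrives over http has already exposed the password.
                ctx.Response.RedirectPermanent(target.AbsoluteUri, true);
            }
        };
    }

    // Pure rule, separated from HttpContext so it can be unit-tested:
    // returns the https URL to redirect to, or null when no redirect is needed.
    public static Uri HttpsRedirectTarget(Uri requestUrl, bool isSecureConnection)
    {
        if (isSecureConnection) return null;
        if (!requestUrl.AbsolutePath.StartsWith("/Login", StringComparison.OrdinalIgnoreCase))
            return null;
        UriBuilder builder = new UriBuilder(requestUrl);
        builder.Scheme = Uri.UriSchemeHttps;
        builder.Port = 443; // assumption: https on the default port
        return builder.Uri;
    }

    public void Dispose() { }
}
```

    The page that contains the form must itself be served over https, not only the POST target, and setting `<httpCookies requireSSL="true" />` in web.config keeps the session cookie issued after login from being sent over plain http.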
  • User1052662409 posted

    Ok Sir, fine, I implemented SSL on my application.

    Below is my code through which I am handling login.

        // Requires: using System.Data; using System.Data.SqlClient;
        //           using System.Security.Cryptography; using System.Text;
        #region Checking the password
        MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider();
        byte[] hashedDataBytes;
        UTF8Encoding encoder = new UTF8Encoding();
        // Unsalted MD5 of the UTF-8 bytes of the password typed into the text box
        hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPassword.Text));
        #endregion

        // Look the user up by id and password hash via the stored procedure
        SqlCommand com11 = new SqlCommand("For_Login", con);
        com11.CommandType = CommandType.StoredProcedure;
        com11.Parameters.AddWithValue("@User_Id", ddl.SelectedItem.Text);
        com11.Parameters.AddWithValue("@Password", hashedDataBytes);
        SqlDataAdapter sda = new SqlDataAdapter(com11);
        DataTable dtcheck = new DataTable();
        sda.Fill(dtcheck);
        if (dtcheck.Rows.Count > 0)
        {
            // logged in
        }

    But when I run the application on the server and start Fiddler, it shows the password in clear text.

    See the image below.

    Why is this happening? What should I do?

    Thursday, August 21, 2014 5:39 AM
  • User-760709272 posted

    Did you tell fiddler to decode the https traffic?  Fiddler *can* do that if you tell it, but only because it is acting as a proxy on your local machine.  If you don't tell it to decode the https then what you see is what everyone else will.

    Thursday, August 21, 2014 6:25 AM
  • User1052662409 posted

    AidyF

    Did you tell fiddler to decode the https traffic?  Fiddler *can* do that if you tell it, but only because it is acting as a proxy on your local machine.  If you don't tell it to decode the https then what you see is what everyone else will.

    Ok fine Sir,

    Now see my situation. My web application's security audit is being done. I implemented everything like MD5, SSL etc.

    But if my auditor uses this Fiddler (or maybe another tool for testing, I don't know what they are using) and he/she can see the password in Fiddler, what should I do/say? I am not getting the point.

    If they always use Fiddler or any other tool they can easily see the password. Then what's the solution so that the password between server and client is not in clear text?

    Is there any other method of doing this so that they can't see the password using any tool? Or any other client side technique?

    Please suggest, AidyF Sir... I am feeling helpless.

    Thursday, August 21, 2014 6:36 AM
  • User-760709272 posted

    They won't be using fiddler as what fiddler does would be almost impossible to defend against.  Auditors are checking for "man in the middle" attacks where a malicious person is sniffing traffic between two systems, as that is what https protects against.  What fiddler does is set itself up as a proxy and all web traffic goes through it.  If a hacker manages to infiltrate your server, set up a proxy on that machine to direct traffic through, then https isn't going to help you, but that's not what it is intended to protect against.

    Thursday, August 21, 2014 6:48 AM
  • User953931160 posted

    Hi Demoninside9,

    Your txtPassword text box is holding the password entered in the text box, so please try to call a JavaScript function at the login button click which will encrypt the value of the password and store it in a hidden field, and empty your password text box from the JavaScript; and wherever you want to verify the password on the server side, take it from the hidden field, decrypt it and use it.

    I don't know whether you tried this; if not please check it, else ignore.

    Regards,

    Santosh Kumar Dash

    Thursday, August 21, 2014 8:02 AM
  • User-760709272 posted

    Hi Demoninside9,

    Your txtPassword text box is holding the password entered in the text box, so please try to call a JavaScript function at the login button click which will encrypt the value of the password and store it in a hidden field, and empty your password text box from the JavaScript; and wherever you want to verify the password on the server side, take it from the hidden field, decrypt it and use it.

    I don't know whether you tried this; if not please check it, else ignore.

    Regards,

    Santosh Kumar Dash

    That will still flag as a password being sent over plain text.  It's also not secure as if I manage to sniff your data I just need to go to your site and view the source to see how the data is encrypted.

    Thursday, August 21, 2014 8:12 AM
  • User953931160 posted

    Hi Aidyf,

    It is like you can see the encrypted value, not how it is encrypted. That part you can do in a .js class by using our own prefix and suffix or a key attached to the password.

    And then while retrieving, decrypt: remove the prefix and suffix or the key.

    Regards,

    Santosh Kumar Dash

    Thursday, August 21, 2014 8:28 AM