
All times are UTC + 2 hours [ DST ]




 Post subject: Login method, please give opinions
Posted: Fri Jun 02, 2006 12:53 am 
As I sat at school with my laptop wired into the network with Cain and Abel sniffing everybody's passwords out... I thought to myself... anyone could do this... it's so simple... of course it's no good to sniff SSL passwords out, but that isn't too hard either in a man-in-the-middle attack like this.

This got me thinking, how could we improve our login systems to not post raw password data? My first idea was to simply MD5, SHA-1 or whatever method you use to encrypt the password with JavaScript before it is posted. YEAH GREAT IDEA but!...... all the attacker has to do is inject the hash back into the website to gain access :(

Hope wasn't lost! Suppose each user, along with their password, had a key; the key was random and regenerated each time they logged in or attempted to log in. Using JavaScript and a little AJAX we can grab the key, hash it with the password, then send it to the server for authentication! THAT'S IT! Any data ever posted will be completely random and inconsistent and seemingly unbreakable, as it's hashed like 3 times depending on what kind of key you use (I used a sha1 of uniqid()).

1. Page loads!

2. User enters username and password

3. Javascript requests a key for user from server

4. JavaScript hashes the password, then hashes the hashed password and key together

5. Javascript posts the data

6. Posted data looks like this on a packet sniffer 832d5a9e459d2c91808b87ce4872ed519446c9cd
or this 8b87ce4872ed519446c9c8b87ce4872ed519446c9c
or this 897asd87ahs8d7tady8as7hd8a6stdy87a8d7ya8s7dy
and will never ever be the same!

7. Server hashes current key and password in DB together and checks for consistency.

8. Even if it is not consistent the server generates a new key.

Possible flaw might be, it's dead easy to get the key for any given user, something like key.php?username=username, but it would be completely useless unless used with the password.

This can work as non-AJAX; you just have to hardwire the key into the script as it loads, but then you'd have to know the username first or do something with keys that have IDs and an ID can be sent with the id?

Well there you have it, sooo long script kiddies and your man-in-the-middle packet sniffing attacks :D

I also have a small working example if anyone would like to take a look.
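
The exchange in steps 3 to 8 above, as an added example that is not part of the original post and not the poster's working example. The function names, the in-memory maps standing in for key.php and the database, the sample account, and the assumption that the database holds sha1(password) are all illustrative.

```javascript
// Added illustration (Node.js). Function names and the in-memory maps are
// assumptions standing in for key.php and the user database.
const crypto = require("crypto");

const sha1 = (s) => crypto.createHash("sha1").update(s, "utf8").digest("hex");

// Constructed sample account: the DB holds sha1(password), as step 7 implies.
const users = new Map([["alice", { pwHash: sha1("correct horse") }]]);
const keys = new Map(); // username -> key issued for the pending attempt

// Step 3: hand out a fresh random key for this login attempt.
function issueKey(username) {
  const key = crypto.randomBytes(20).toString("hex");
  keys.set(username, key);
  return key;
}

// Step 4 (browser side): hash the password, then hash that with the key.
function clientResponse(password, key) {
  return sha1(sha1(password) + key);
}

// Steps 7-8: recompute from the stored hash and compare. The key is retired
// whether or not the attempt succeeds, so a response is only valid once.
function verify(username, response) {
  const user = users.get(username);
  const key = keys.get(username);
  keys.delete(username);
  if (!user || !key || typeof response !== "string") return false;
  const expected = Buffer.from(sha1(user.pwHash + key), "hex");
  const got = Buffer.from(response, "hex");
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Runs the cases from the post: a genuine login, the same sniffed value
// sent again, the sniffed value sent against a new key, and a wrong password.
function demo() {
  const k1 = issueKey("alice");
  const sniffed = clientResponse("correct horse", k1);
  const genuine = verify("alice", sniffed);
  const replaySameKey = verify("alice", sniffed);
  issueKey("alice");
  const replayNewKey = verify("alice", sniffed);
  const wrongPassword = verify("alice", clientResponse("guess", issueKey("alice")));
  return { genuine, replaySameKey, replayNewKey, wrongPassword };
}

console.log(demo());
```

The comparison runs against the stored sha1(password), so in this design that stored value is what a client has to know. The exchange addresses replay of a captured POST and leaves delivery of the page and its script to the transport.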


 Post subject:
Posted: Mon Sep 15, 2008 1:54 pm 
You can use this code for login

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Javascript User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<script language="javascript" type="text/javascript">
//
// Javascript User Login 3.0
// Some Rights Reserved
// http://webdeveloper.50webs.com
//

var userFolder = ""; // Folder where userfile (e.g. PizzaMan127~Cheese.htm) is located (e.g "users/")
var HTMLextention = ".htm"; // Extension of the user-file (usually .htm or .html)
var inProgressMSG = "Attempting login..."; // Message displayed during a login
var userFailMSG = "Invalid username or password"; // Message displayed after failed attempt

// Do not edit
function login(){
var username= document.getElementById('username').value; // location of username
var password= document.getElementById('password').value; // location of password
username= username.toLowerCase(); // convert to lowercase for case-sensitive servers
password= password.toLowerCase(); // convert to lowercase for case-sensitive servers
var fullURL= "";
fullURL= userFolder + username + "~" + password + HTMLextention; // compiled filename that loads the user-file
setTimeout("failEvents();", 15000); // after 15 seconds display error message
document.getElementById('errorDisplay').value = inProgressMSG; // show in-progress message
showMSG();
setTimeout("showMSG();", 5000); // hide in-progress message after 5 seconds
verifWin.document.open();
verifWin.document.location.href = fullURL; // tries to find user-file
verifWin.document.close();
}
function passEvents(data){ // Events that occur for valid login
var URL = data;
location.href=URL;
}
function failEvents(){ // Events that occur for invalid login
document.getElementById('errorDisplay').value = userFailMSG;
showMSG();
}
function showMSG() { // Controls the opening/closing of messages
if ((document.getElementById("isShown_errorConsole").value)=="N") {
document.getElementById("errorConsole").style.display='';
document.getElementById("isShown_errorConsole").value="Y";}
else if ((document.getElementById("isShown_errorConsole").value)=="Y") {
document.getElementById("errorConsole").style.display='none';
document.getElementById("isShown_errorConsole").value="N";}
}
</script>
<table width="250" border="0" cellpadding="1" cellspacing="5" bgcolor="#9FB8FF">
<tr>
<td bgcolor="#9FB8FF" align="center"><b><font size="4" color="#FFFFFF">Authorization Required</font></b></td>
</tr>
<tr>
<td bgcolor="#FFFFFF"><form action="javascript:login();" method="get" name="LoginScript" id="LoginScript">
<table border="0" cellspacing="10" cellpadding="0" width="100%">
<tr>
<td> Username</td>
<td align="right"> <input name="username" id="username" type="text" style="border:1px solid #828177;" value="" /></td>
</tr>
<tr>
<td> Password</td>
<td align="right"> <input name="password" id="password" type="password" style="border:1px solid #828177;" value="" /></td>
</tr>
<tr>
<td><iframe name="verifWin" src="" width="1" height="1" frameborder="0" border="0"></iframe></td>
<td align="right"><input name="submit" type="submit" style="border:1px solid #9FB8FF;color:#FFFFFF;background-color:#9FB8FF;" value="Login" /></td>
</tr>
</table>
</form></td>
</tr>
<tr>
<td bgcolor="#FFFFFF"><input type="hidden" id="isShown_errorConsole" value="Y" />
<span id="errorConsole" style="display:;">
<input type="button" id="errorDisplay" style="width:100%;background-color:#FFFFFF;border:0px;" value="Error: Please enable Javascript" />
</span><script language="javascript" type="text/javascript">showMSG();</script></td>
</tr>
</table>
</body>
</html>

