How safe is it to send a plain text password using AJAX?

views:

1106

answers:

+3 Q:

How safe is it to send a plain text password using AJAX?

Maybe the title is badly phrased but couldn't think of a better way of saying it.

I am working on a login system at the moment (nothing formal, just experimenting) and was planning on using PHPLiveX (an AJAX library) for some features. Basically you create some PHP functions which are then called via JavaScript. You can add parameters (getElementById) to the javascript that are transfered to the PHP function.

What i really wanted to know is whether it is safe to just call the function from javascript without encrypting the password first, then letting the PHP function encrypt it (SHA256 in this case). Can the data transfered via AJAX be intercepted? If so how likely is this?

Thanks

+1 A:

AJAX calls are just plain HTTP request.

It behaves like ordinary HTTP request and also comes with all the advantage and disadvantage of it. It is not any safer.

To make your AJAX calls safe, there are several ways you can try:

Use SSL. SSL will encrypt messages between your user and your server. The disadvantage of SSL is that you will have to pay additional fee for valid SSL certificates. Invalid SSL certificates while usable, does not provide the same level of guarantee of security to the users.
Encrypt requests before being sent, client-side. E.g.: hash users' password before being sent over the network. Most of the time, you don't need users' plain text password anyway. This is not usable when users don't allow client side scripting to run.
And apart from common misleading information where POST is safer than GET, it is not. Both are equally open for attackers to see.

Adrian Godong 2009-07-17 19:09:42

-1: Misleading answer. AJAX does the same request as a plain old form.

Andrew Moore 2009-07-17 19:13:11

And which part of my answer that says "AJAX does NOT do the same request as a plain old form"?

Adrian Godong 2009-07-17 19:15:02

@Adrian: Actually, it's the missing information that makes someone who doesn't have that knowledge to assume it is somehow different.

Andrew Moore 2009-07-17 19:19:52

He said "misleading", not "blatantly incorrect". And I agree with him, although I am not going to -1 you for it. I'll just comment instead.

Josh Stodola 2009-07-17 19:24:38

@Josh: Thanks. Improved my answer.

Adrian Godong 2009-07-17 19:33:34

@Adrian - your #2 doesn't work because anyone that can sniff the traffic will see the hashed password and could easily replay it. The only benefit to hashing is that (if it's properly salted) it will make it very difficult to get pre-hashed password

John Rasch 2009-07-17 20:09:56

@Josh Yep, it is prone to replay attack. Put one time token in.

Adrian Godong 2009-07-17 20:39:57

+30 A:

No more-or-less safe than a normal HTTP POST request issued by a browser (as in from a <form>)

The "fix" for this is the same "fix" for non-AJAX requests - use SSL.

Peter Bailey 2009-07-17 19:11:05

Good answer, thankyou. So there are no security holes solely relating to AJAX?

2009-07-17 19:12:20

Damn, I'm 5 seconds to late.

Andrew Moore 2009-07-17 19:12:34

Or challenge response, see my answer.

Spencer Ruport 2009-07-17 19:31:24

@briggins5 Like Peter says, AJAX is simply HTTP POST requests that happen out of turn, or 'asynchronously'. So, in a manner of speaking, you are correct. But, since AJAX is asynchronous, state changes in the client's browser are harder to understand, so its easier to mess up security.

Jeremy Powell 2009-07-17 19:59:20

+5 A:

Whether you are sending the password via AJAX or via a normal form, it is still sent via a HTTP POST (hopefully) request. So you are not adding or removing anything security wise.

The only way to prevent someone from intercepting your password is by using SSL (via AJAX or not).

Andrew Moore 2009-07-17 19:11:16

The plain text password transmitted via AJAX will be as secure as the same password transmitted via a normal HTTP post. That is to say AJAX uses HTTP and can therefore be intercepted and sniffed. Your best bet is to use HTTPS (SSL).

For further reading on AJAX and security I'd recommend the following readings

ahsteele 2009-07-17 19:11:38

+1 A:

This is just as safe as having a login form that is not SSL secured be sent over the wire, like almost all forums out there do!

X-Istence 2009-07-17 19:11:43

It isn't safe. Don't send unencrypted passwords. It's very likely that they will be intercepted at some point you will have a major problem.

Here is a video example of capturing a telnet password. Telnet sends in plain text and this nicely illustrates the major problem you have if you even think of doing this. Any two bit script kiddie can snag a plain text password faster than you can so "Oh my God, where did my database go?"

docgnome 2009-07-17 19:12:14

Care to provide any facts that back your opinion?

Josh Stodola 2009-07-17 19:20:55

+1 A:

Make sure the target of your AJAX call is a trusted HTTPS:// page and you've made it every bit as secure as any of the other sends of the same information that the rest of your application is doing. Most libraries / frameworks don't limit you to just HTTP:// for your AJAX calls.

2009-07-17 19:12:25

You are sending it in the clear, so anyone with sniffing/listening/etc the client's network will be able to easily see the password. The AJAX call is just a plain old HTTP message. If you want to see this in action, fire up a copy of wireshark and make the request your self. You will be able to see the password in the HTTP packet.

nstehr 2009-07-17 19:12:45

+1 A:

Yes it can be read. Just like everything else without some kind of layer of security (See SSL)

To see it yourself run a tool like WireShark as you do your AJAX commands.

How likely? Not very, but the user's password will probably be saved in someone's log files in plain text. If someone eventually found it, then it could be bad news. Back in college, my networking class had access to some (semi) fancy routers. We had assignments where we signed up for accounts on random websites. As we did this, we noticed some very scary things on the log files in the routers. This was an eye opener for me to think about how every communication is tracked and most likely logged somewhere.

Jeremiah 2009-07-17 19:13:00

+13 A:

As others have mentioned it's no more safe than sending an HTTP post from a form. (In fact, it's the very same thing.)

But if HTTPs isn't an option you can always use a challenge/response scheme over an unencrypted connection.

Basically it works like this:

Server has a SHA (or whatever hashing algorithm you prefer) hash of the user's password.
Client has the password. Client requests (using unencrypted AJAX) the server send a challenge (Some random string of bytes. Characters are fine.)
Server creates a challenge and a challenge id and saves it with an expiration.
Client recieves a challenge and a challenge id.
Client hashes the password using SHA.
Client hashes the resulting hash with the challenge appended in some way.
Client sends the challenge id (Not the challenge itself) and the second resulting hash.
Server looks up challenge using ID if it exists and hasn't expired.
Server appends the challenge to the stored password hash and creates a hash using the same scheme as the client.
Server compares it's hash with the client if it's the same the user is authenticated.

It's actually pretty simple to set up once you get the idea. Wikipedia has some additional information on it.

Spencer Ruport 2009-07-17 19:22:15

+1: I love this tactic.

Jeremiah 2009-07-17 19:25:53

Sounds like a good method. I would like some peoples opinions of how secure this is when compared to traditional authentication (just compraing username and password)?

2009-07-17 19:39:18

How secure it is compared to just sending both the username and password as plain text? Well if you attach the value of 0 to that method, and my approach is some n > 0 (say .0005 even, for the sake of argument) my method is >1,000,000,000,000,000 times more secure.

Spencer Ruport 2009-07-17 19:41:58

I asked this same question a long time ago. Here is another link describing it (with some extra quirks): http://www.gamedev.net/community/forums/viewreply.asp?ID=3353014

ryeguy 2009-07-17 19:41:59

It is much easier to break this than it is to break SSL. If you aren't salting the password, you can probably crack it in a matter of minutes with some downloaded rainbow tables. If you are salting the password, the attacker can still capture the hashed password and attempt to guess it -- SHA1 is very fast, modern computers can try millions of passwords a second. (Don't reinvent SSL!)

jrockway 2009-07-17 23:35:07

@jrockway: First, this isn't reinventing SSL. Challenge/Response is only good for determining when two parties know the same information. Second, Salts aren't secret and an acceptable salting method for defense against rainbow tables is: hash = SHA (SHA (password) . salt). In this set up, the salt is the challenge and it's purpose becomes two fold hash = SHA (SHA (password) . challenge). Third, I was using SHA1 as an example. There are much larger schemes available if you need additional safety.

Spencer Ruport 2009-07-18 00:01:26

As already mentioned, SSL is the best solution here. However, you could hash the password on the client side. If you google for it, you'll find plenty of javascript implementations of md5.

troelskn 2009-07-17 20:33:13

damn you guys worry me. SSL does not protect against the arp poisoning MITM attack. It would be fatal to worship SSL as you guys are. You must have a way to encrypt the password on the client side before it makes even one hop or else even a novice hacker will be able to intercept the password in plaintext

someguywhocares 2010-07-20 07:56:11

ansaurus

tags:

views:

answers:

How safe is it to send a plain text password using AJAX?

related questions