Passwords stored in plain text & Rainbow Table Attack
Description
When passwords are stored in plaintext, once the database has been compromised, so have all the user accounts. With hashed passwords the accounts are not compromised as quickly, but if the hash is unsalted, then once one hash is cracked every copy of that hash (every user with the same password) is broken as well.
Located
Database & db.inc.php
HTTP request type
POST
Vulnerable parameter / behaviour
Passwords are stored in plain text and without a salt
Payload / actions for reproduction
Gain access to a copy of the compromised database
Access user accounts using the plaintext credentials it contains
Code fix
// On Sign Up (also on reset password)
Generate a unique salt per user password
Append the salt to the password
Hash the password and salt together
Store the hashed password and the plaintext salt in the database

$salt = bin2hex(random_bytes(8));  // Create a random per-user salt (16 hex chars)
$hashedPWD = md5($pwd . $salt);    // Hash the password with the salt appended
// Note: md5 is a fast hash, so salting it only defeats precomputed (rainbow) tables;
// PHP's password_hash() (bcrypt by default) is the stronger choice for new code.
// Store the hashed password together with its salt
$sql = "INSERT INTO `sapusers` (`user_uid`, `user_pwd`, `salt`) VALUES (?, ?, ?)";
$stmt = $conn->prepare($sql);
$stmt->bind_param("sss", $uid, $hashedPWD, $salt);
$stmt->execute();

// On Login (also on reset password when checking auth)
Retrieve the stored hashed password and the salt for the submitted user id
Hash the user's submitted password with that same salt
Compare the result with the stored hashed password
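The sign-up and login flow described above as a complete pair of functions, added here as an example and not code from the original report: it keeps the prepared-statement pattern and the `sapusers` / `user_uid` / `user_pwd` names from the page, but swaps the md5-plus-salt construction for PHP's password_hash() / password_verify(), which generate a random per-user salt and store it inside the hash string using a deliberately slow algorithm. It assumes `$conn` is an open mysqli connection and that `user_pwd` is wide enough (VARCHAR(255)) to hold a password_hash() string; the separate `salt` column is then no longer needed.

```php
<?php
// Added example (not the project's code). Assumes $conn is an open mysqli
// connection and `sapusers` has `user_uid` and `user_pwd` (VARCHAR(255)) columns.

// On sign up / reset password: hash with an automatically generated unique salt.
function storePassword(mysqli $conn, string $uid, string $pwd): bool
{
    // password_hash() draws a random salt and embeds it, with the algorithm and
    // cost, in the returned string, so two users with the same password still
    // get different stored values and no rainbow table can cover them.
    $hashedPWD = password_hash($pwd, PASSWORD_DEFAULT);

    $stmt = $conn->prepare(
        "INSERT INTO `sapusers` (`user_uid`, `user_pwd`) VALUES (?, ?)"
    );
    $stmt->bind_param("ss", $uid, $hashedPWD);
    return $stmt->execute();
}

// On login / reset-password auth check: fetch the stored hash and verify against it.
function checkPassword(mysqli $conn, string $uid, string $pwd): bool
{
    $stmt = $conn->prepare(
        "SELECT `user_pwd` FROM `sapusers` WHERE `user_uid` = ? LIMIT 1"
    );
    $stmt->bind_param("s", $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null) {
        // Unknown user: spend roughly the same time as a real verification so the
        // response time does not reveal whether the account exists.
        password_hash($pwd, PASSWORD_DEFAULT);
        return false;
    }

    // password_verify() reads the salt out of the stored string, re-derives the
    // hash from the submitted password and compares in constant time.
    if (!password_verify($pwd, $row['user_pwd'])) {
        return false;
    }

    // Upgrade the stored hash transparently if the default algorithm or cost changed.
    if (password_needs_rehash($row['user_pwd'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($pwd, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE `sapusers` SET `user_pwd` = ? WHERE `user_uid` = ?");
        $upd->bind_param("ss", $newHash, $uid);
        $upd->execute();
    }
    return true;
}
```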