Question

I have a friend who has a website with a login form. I found out that it uses JSON and AJAX to log in...

I've checked the Chrome console and found out that the user and password are visible in the URL when you submit the form (via AJAX)...

It's something like this...

https://somesite.com/Login/LoginAct.asp?callback=jsonp1381741574696&_=1381741716152&user_id=reigel&user_pw=butterfly143&returnUrl=https%3A//somesite.com/Login/Login.asp

and it will return jsonp1381741574696({'Result': '1'}) on success and jsonp1381741574696({'Result': '-100'}) on a failed login...

Now my question is, I'm just kinda curious, isn't this vulnerable to some brute-force attack?

I want to point this out to my friend, but I'm not so sure if I'm right or wrong...

Please enlighten me...


Solution

Yes, it is vulnerable to brute force, as a "hacker" can send requests to your system with different passwords. Another problem: a URL in such a form can be very easily compromised by intermediate systems; you need to change it to the POST method.

Anyway, POST also will not help against brute force; you need some kind of server-side protection.

OTHER TIPS

Anything is possible, so you'd better make sure as much as possible. Why don't you do a POST request? Since a GET request is visible.

That's definitely something you want to draw your friend's attention to. The login form is not correctly handled. I was curious about your friend's implementation. Maybe there is a reason he chose to use GET over POST?

Convert the password beforehand with the MD5 algorithm. See: http://code.google.com/p/crypto-js/

I would say yes if and only if you can send the URL as much as you want.

An attacker could just keep changing the pw in the URL and keep trying till he gets the successful result. If after (I would say 3 times) another message is displayed saying there were too many bad attempts and you need to wait x number of minutes before trying again, a brute-force attack would not be profitable.

First I would like to know why he tries it with a GET command instead of a POST command, but if a GET command is somehow necessary (can't see why it would be) he should really pay attention to the following (actually he should stop whatever he is doing and make sure it is done the proper way):

There are 2 things I would recommend your friend do if he insists on keeping the method he is using now:

The first: a password needs to be hashed and salted, so from the moment the 'enter' button is pressed the text in the password box needs to be encrypted so it does not show as plain text in the URL. If you want more information about securely storing and using passwords I would suggest you read the following article: Best way to store password in database

The 2nd thing is he could test it himself: just get a URL and submit it, then change it and submit it again. If you can do this over and over again, a brute-force attack is an easy way to break this security. However, if after a few tries (normally I'd say 3 times) you get a different result than jsonp1381741574696({'Result': '-100'}), for example a result stating you have tried too many times, I would say it is safe.
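The server-side protection the accepted answer asks for, and the "lock after 3 tries" check this last answer describes, as an added example that is not code from any answer here or from the site in question. The user names, the 3-attempt limit and the 5-minute lock are assumed values; it also adds salted hashing and a constant-time compare, which the answers mention but do not show.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Dict, Optional, Tuple

MAX_FAILURES = 3         # consecutive failures before a temporary lock (assumed value)
LOCKOUT_SECONDS = 300    # length of the lock in seconds (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 for stored credentials; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Hashing a dummy for unknown users keeps response timing similar to a real lookup.
_DUMMY = hash_password("not-a-real-password")


class LoginThrottle:
    """Server-side login check that locks a user_id after MAX_FAILURES failures.

    Credentials are expected from a POST body, never from the query string.
    """

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self.users = users                       # user_id -> (salt, digest)
        self.failures = defaultdict(int)         # user_id -> consecutive failures
        self.locked_until = defaultdict(float)   # user_id -> unix time the lock expires

    def attempt(self, user_id: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now < self.locked_until[user_id]:
            return "locked"   # refuse even a correct password while locked
        salt, digest = self.users.get(user_id, _DUMMY)
        _, candidate = hash_password(password, salt)
        # constant-time compare; unknown users always fail
        if user_id in self.users and hmac.compare_digest(candidate, digest):
            self.failures[user_id] = 0
            return "success"
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.failures[user_id] = 0
            self.locked_until[user_id] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

The lock is keyed on user_id only, so a real deployment should pair it with a per-source-address limit and log the "locked" events for monitoring.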

Licensed under: CC-BY-SA with attribution