Is it possible to modify server reply on transit

StackOverflow https://stackoverflow.com/questions/14106271

Domanda

I am building a javascript library that will allow authentication to server using SRP-6 protocol.

I know using javascript as an authentication method is not the best option due to XSS. But proper XSS prevention can eliminate most issues.

My only concern is how easy it is to modify a server reply before the user even receives the request?

Sample Scenario:

User request page: http://serverdomain/home

Server: Replies back with:

<html>
   <head>Home</head>
   <script type="text/javascript" src="auth.js"></script>
   <body>Home</body>
</html>

Before user receives the reply. Can a hacker somehow magically modify the reply to

<html>
   <head>Home</head>
   <script type="text/javascript" src="hacker_auth.js"></script>
   <body>Home</body>
</html>

Is this possible to do? This is one of the vulnerability that I can think of when using javascript to authenticate.

È stato utile?

Soluzione

Badaboooooom nailed it: http://en.wikipedia.org/wiki/Man-in-the-middle_attack You can use https to mitigate the risk, though tools such as http://www.thoughtcrime.org/software/sslstrip/ still make an attack possible if the user doesn't notice the "lock" is gone.

Altri suggerimenti

You can avoid this using a secure protocol like HTTPS, though everything can be hacked some way, some are just more easily broken than others.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top