How to implement the "Invalid username / password" hint for a web service using the HTTP Auth flag?

I have a client application that interacts with a web service to retrieve account information. There is a requirement that the user be notified if they erroneously provide a username / password. I am modifying a web service to return something to my client, to give a hint to the user about an input error.

How do I correctly implement a "username / password not found" response for a web service using Python?

  • Tell the user that the username exists but the password is incorrect?
  • Tell the user that there is no such username, but does the password match something?
  • Can’t I show a common username and password combination?
  • Do I use different status codes for different situations or provide an error JSON payload?

Here is my code:

    from flask import Flask, Response
    # flask.ext.* import paths were removed in Flask 1.0; flask_httpauth is the current module name
    from flask_httpauth import HTTPBasicAuth

    app = Flask(__name__)
    auth = HTTPBasicAuth()

    accounts = [
        ["user0", "password0"],
        ["user1", "password1"],
    ]

    @app.route('/accountlist')
    @auth.login_required
    def accountlist():
        username = auth.username()
        if username not in [name for name, _ in accounts]:
            # accounts does not have the given username:
            # notify the sender that there is no such username
            return Response('Not Authorized', 401, {'WWW-Authenticate': 'Basic'})
        else:
            # proceed to check password and retrieve/return account information
            pass
3 answers

You do not indicate what data you serve, but if you are working with financial or medical data: either the user can log into the system or they cannot, and you should not try to provide them with any information on why.

If you want, you can tell them that the username is incorrect, but you cannot offer other usernames. And, of course, you cannot give any information about what might be wrong with the password; just tell them that it is incorrect.

About the code that you presented: I understand that you did not really ask for coding advice; however, I do a bunch of code reviews and constantly see the same problems with these roll-your-own authentication schemes. If your code is ever audited, the auditor will likely find the following problems:

  • You should never hardcode your passwords.

  • You should never store your passwords in clear text; always use an irreversible hash (SHA-1 or stronger) when the password is received and work only with the hash value.

  • Your logic should "fail closed", which means that the accountList() function returns "not authorized" before the if statement and before calling any functions that can throw an exception (for example, database access). Do the authentication check in the if statement. Thus, if something fails in the things that the if statement calls (for example, an exception in data access or file writes), the user cannot log in.


Can’t I show a common username and password combination?

Yes. Why do you think this is “general”? Because it is a standard. This is the right way because a hacker cannot phish for usernames.


Tell the user that the username exists but the password is incorrect?

No. If the user learns that the username is correct, this is a username enumeration vulnerability. You let an attacker know which usernames are valid, allowing them to narrow their target range. This would be useful if they later decided to try a brute force attack, because they already know that the usernames are correct and now only need a working password.

Tell the user that there is no such username, but does the password match something?

Definitely not. This means that the attacker now has a valid password and can use any other username enumeration vulnerability on your site to try to find a valid username. Another common place for username enumeration is the forgotten password form: many sites report that there is no such username, which allows an attacker to refine their list. Alternatively, they can take this password and brute force from it, which can be much simpler, because usernames are not required to be complex.

Aside from this, you should keep your passwords salted and hashed using a secure, slow algorithm like bcrypt. This should mean that you cannot practically check whether any stored password matches the one entered.

Can’t I show a common username and password combination?

Yes!

Do I use different status codes for different situations or provide an error JSON payload?

Your JSON can return true or false so that the calling JavaScript knows whether authentication has passed. If you ever build any protection against brute force, it should be done by introducing a delay in the response, not by locking accounts. Hard account lockouts lead to a DoS, because an attacker could lock a valid account by repeatedly submitting a wrong password. For this reason, only a true / false answer is really needed to tell the user whether they were successful. Even if the account was locked, I would return false, but include in the message that the user should contact technical support if they believe they should have access with the password provided.
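The points raised across these answers (salted slow hashing instead of clear-text passwords, a fail-closed check, and one uniform true/false response with a fixed delay rather than a lockout) can be combined into a small credential check. This is an added example, not code from the question or any answer; it uses the standard library's PBKDF2-HMAC in place of bcrypt so it runs without extra packages, and the account store, iteration count and delay are constructed values. The Flask wiring is omitted: `login_response` is what the view (or a `verify_password` callback) would call.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

ITERATIONS = 200_000   # assumed work factor; tune for ~100 ms on your hardware
FAIL_DELAY = 0.25      # fixed delay on failure instead of locking the account


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow, irreversible hash. The clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed sample store: username -> (salt, hash). Only hashes are kept.
ACCOUNTS = {
    "user0": hash_password("password0"),
    "user1": hash_password("password1"),
}

# Dummy record used for unknown usernames so that a failed lookup costs the
# same hash computation as a wrong password (no timing hint that the user exists).
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def verify_credentials(username: str, password: str) -> bool:
    """True only when both username and password match; unknown users still pay the hash cost."""
    salt, expected = ACCOUNTS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # constant-time comparison; result forced to False for unknown users
    return hmac.compare_digest(candidate, expected) and username in ACCOUNTS


def login_response(username: str, password: str) -> Tuple[int, dict]:
    """Fail closed: denial is the default and is only replaced by an explicit success."""
    status, payload = 401, {
        "authenticated": False,
        "message": "Invalid username or password. Contact support if you "
                   "believe you should have access with this password.",
    }
    try:
        if verify_credentials(username, password):
            status, payload = 200, {"authenticated": True}
    except Exception:
        pass  # any error in the check leaves the default denial in place
    if status != 200:
        time.sleep(FAIL_DELAY)  # same delay whether the username exists or not
    return status, payload
```

Because the status, message and delay are identical for "no such user" and "wrong password", the client can show the same generic hint in both cases without leaking which usernames exist.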


Source: https://habr.com/ru/post/1200128/
