How hackers hack your web login page and how to stop it.

It's not legal to subvert other people's on-line accounts. The reason I am writing this is to inform you of one way how malicious crackers could get into your account. If you are a web designer or have employed someone to design your web site, then read this, do the quick test for vulnerability, then fix the hole. Do not attempt to crack other people's sites. My goal here is to educate the good people. The naughty ones already know this stuff. (Yes - you know who you are...)

The test is simple.

At your login/password entry, just put in a single quote mark and submit. If the web page returns an error because of broken source-code, then your site is probably vulnerable.

Note: More than 16 million Web severs use PHP.

Now I will explain why this could happen.

Quite often, the user name and password field are HTML forms, and behind that, either in the rendered web page or hidden on the server that you connected to, there will be some code. It might be PHP or JAVASCRIPT or similar.

Some languages use single quote marks as delimiters for parameters. A delimiter is like a punctuation mark for code. It separates terms and tokens and words etc. Many delimiters are unary which means that only one is required. Here is an example using a comma as a delimiter:

1,2,3,4,5,6

But quote-marks come in pairs. The first from the left turns a mode ON, and the next one turns it OFF.

Example using single quote marks;

123 456 'fred is tall' 789 'bill' 'ted 99'

If you count the ticks, there are always an even number. The tick marks "toggle" a mode. In the example above, the unary delimiter is a space. The space separates numbers and it's fine to do that because a space is not a number. But you can have spaces in strings like "fred is tall" and "ted 99". The quotes toggle between 'number mode' and 'string mode'

Your log-in code that checks the user name consists of code and parameters. This code could use quotes to toggle between code-execution mode and parameter mode like this:

if ( '$fredpassword' == '$password' ) then allow_access

The stuff that is not quoted is code and the stuff inside the quotes is data.

Here is the code only, each chunk on its own line for clarity:

if (
== 
) then allow_access

and here are the parameters:

'$fredpassword'
'$password' 

The stuff between parentheses is called an expression. This is a mathematical statement. In this case, it's a test for equality. All it is doing is testing whether the password typed in is the same as fred's password.

The web-login form allows the user to enter ANY characters into $password. This is not the best idea because we can enter a character that is used to toggle code-mode. This scrambles the logic (syntax) and the interpreter throws an unexpected error which is usually spat onto the web page.

Here is an example of what the code might be interpreted as if you use a single quote as a password... (Let's assume fred's password is 'badcodeday'

if ( 'badcodeday' == ''' ) then allow_access

Note that there are now an ODD number of quote marks.

Now if we "parse" this into code and parameters, look what happens:

code: if ( 
 == 

That's all the code there is now. So let's look at the parameters:

badcodeday
 ) then allow_access

This is clearly nonsense and it is why the interpreter throws an error.

Since we can type ANY characters in as a proposed password, we can also type code fragments. By being crafty, we can add code that maintains valid syntax and makes the expression evaluate to TRUE. If we can do that, then the modified code lets us in without knowing the password.

Some boolean logic:

A statement is something that can be evaluated to TRUE or FALSE. eg:

1. All birds have have four wings. (FALSE)
2. 0=0 (TRUE)

Now, even though 1. is false, we can combine these and maintain an OVERALL statement of TRUE.

(All birds have four wings) OR (0=0)

This is now a true statement because 0=0. When the interpreter evaluates a statement like this, it is following the Boolean logic truth table for an OR expression. It looks like this:

A B Q
0 0 0
0 1 1
1 0 1
1 1 1

'Q' is the TRUE/FALSE result where 1 represents TRUE. A and B are the results of two evaluated sub-statements. Every case is covered, and you can see that Q becomes 1 when either (or both) A OR B are 1. i.e. you only need to find ONE true statement in a string of OR joined statements to immediately decide the truth of the whole statement.

Knowing this, all we need to do is craft a new syntax and expression by manipulating what is in the password parameter.

Here is the intended code

if ( '$fredpassword' == '$password' ) then allow_access

Let's ignore the content of fredpassword as we don't know it anyway, and craft a new statement that makes it irrelevant.

Type into the password field the following:

' OR '1

This makes the code look like this:

if ( '$fredpassword' == '' OR '1' ) then allow_access

This says, "If $fredpassword equals '' 

(Which read, If fredspassword is nothing... This is FALSE but we don't care.)

OR

if 1

then allow access.

Well of course the expression '1' evaluates to true! That's what 1 means. 

We could also use a sub expression like this

if ( '$fredpassword' == '' OR '0==0' ) then allow_access

It's basically the same idea. zero equals zero which is a true statement.

Or we could try:

if ( '$fredpassword' == '' OR '1>0' ) then allow_access

At least now we don't need to guess that equality is tested using the double = symbol. Most languages try to distinguish between a test for equality as == and an assignment = as in

b=4

where the value 4 is 'assigned' to the variable b. In contrast, 

b==4

is a test to see whether b has the same value as 4.

There are a few ways.

You can install the Suhosin patch for PHP. This will harden against buffer overflows and sloppy programming.

One (outdated) way that might work is to make every character "literal". In unix, linux, perl, PHP, Python any many other languages, to embed a quote mark in a string, or any other special delimiter, you can make it literal by prepending a back slash.

Non-special characters that are "escaped" in this way are still interpreted normally.

Therefore, these two strings are equivalent:

fred == \f\r\e\d

And you would embed a quote mark inside a string like this:

'This \' is a quote mark'

When the parser sees the back slash it does not switch mode no matter what the next character is. The next character is taken as a literal.

Therefore, if you use a function to insert these back-slashes into the entered password field, the interpreter will not get broken by the single quote mark, and the hack is not applicable.

There is something called 'magic quotes' and is supplied by a function called stripslashes(). However, this "solution" is deprecated because of performance problems and incompatibility. It escapes EVERY character. In reality, you only need to escape the quotes.

Instead, you should call

mysql_real_escape_string()

The following characters are affected:

\x00
\n
\r
\
'
"
\x1a

Alternatively and preferably as well, you can apply input-validation on every character typed into the web page.

As a character is entered, it is accepted or rejected depending on your rules. An input field for a date for example could use a mask like this:

dd/mm/yyyy , dd:{checkday()} , mm:{checkmonth} , yyyy:{checkyear}

This is a set of rules for data entry. dd is DAY of month, but since this varies month by month, we check it with a function called checkday and checkmonth. Only digits can be typed. i.e hitting the key H does nothing, neither does & or * or '

In this way, the input is guaranteed to be in good form BEFORE it gets used. You can use this technique on all input fields to define the input data to within expected and previously tested ranges. It's a safe way to program in general.