How easy is it to hack a log in HTML form?
A good explanation of how web logins work behind the scenes. Answer by Val Choung:
A log in form is not just HTML... HTML is your markup language. (Basically your computer downloads all the HTML it needs and displays it via a fun/friendly app called "the browser.") Here's a nice explanation of site logins: (warning: may be long)
Log in confirmation/authentication is done via the backend. Now a really stupid person with no experience might use JavaScript for a login form, with something like this in the code:
if (user == "admin" && password == "changeit") { // if the username is "admin" and password is "changeit"
  // do something that makes something appear
}
A slightly less stupid person (but still stupid) might do this and allow for multiple users:
// users: array of {username, password} records, usernum: how many there are
for (var i = 0; i < usernum; i++) {
  if (user == users[i].username && password == users[i].password) {
    // do something that makes something appear
  }
}
But anybody using JavaScript might as well be equally stupid for this. JavaScript is client side, meaning the code is also downloaded to your computer (and viewable with the browser). Hashing the password might be slightly better, but whoever made that JavaScript login auth is still a douchebag.
So, for logins, clearly you don't want the user/client to download the code. Solution: don't use client side. The most common language for authentication is PHP/SQL. The server (computer) that the website is hosted on (basically lives in) will have its own code that will not be shared with anybody (unless your JavaScript person comes around and decides to publish the .php page for all the world to see). The server will do all the stuff in the code, and the client will send to the server what the person thinks the username and password are. The server will confirm it, and send back to the client something like a token of yes/no confirmed.
So if a client can't see the code, how does he/she hack it? Well, simple. If you can't see it, you'll probably try to listen to it, feel it, sniff it, etc. The hacker will probably test some inputs and see what the server sends back. A crude hacker will iterate through as many user/pass combos as she/he can, a method called brute forcing. But that takes forever, and requires quite a bit of power.
But with some knowledge of SQL, the hacker can make very smart input tests. The SQL injection is a method that takes advantage of the way SQL works. Basically, the hacker injects/enters code as the username and/or password. With some testing of various code snippets, the hacker can get the code that he/she entered to execute in the server computer. Here's how it works, in English:
SERVER CODE: If <username entered> matches "correct username", and if <password entered> matches "correct password", then do blah blah blah.
FORM:
Enter username:
Enter password:
HACKER:
Enter username: 1=1 or username
Enter password: 1=1 or password
In this English "code," the FORM entries (by HACKER) will replace the <stuff> in SERVER CODE, making:
If 1=1 or username matches "correct username", and if 1=1 or password matches "correct password", then do blah blah blah.
Clearly, 1=1, so the first condition (If <username entered> matches "correct username") is satisfied. For the same reason, the second is satisfied as well (if <password entered> matches "correct password"). Blah blah blah will happen!!
The SQL coder will try to prevent this by playing with SQL grammar to make it much much harder. That's the gist of it. Is it easy? Depends on who made the form. You'd better hope it's the JavaScript guy. Last note: I assumed it's a user/pass auth only.
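The substitution described in the answer above, as an added example that is not part of the original answer: a login query built by pasting form input into the SQL text, beside the parameterized form that binds the input as data. It uses Python's sqlite3 as a stand-in for the PHP/SQL stack; the table, the accounts and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords only mirror the answer's pseudo-code; a real table
    # stores a salted password hash instead.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "changeit"), ("o'brien", "s3cret")])
    return db

def login_concatenated(db, user, password):
    """The pattern the answer describes: form input pasted into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, user, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchone()[0] > 0

def compare(db, user, password):
    """Run both logins; report 'error' when the SQL text itself breaks."""
    results = {}
    for name, fn in (("concatenated", login_concatenated),
                     ("parameterized", login_parameterized)):
        try:
            results[name] = fn(db, user, password)
        except sqlite3.Error:
            results[name] = "error"
    return results

if __name__ == "__main__":
    db = make_db()
    cases = [("admin", "changeit"),         # correct credentials
             ("admin", "wrong"),            # wrong password
             ("x' OR 1=1 --", "anything"),  # always-true condition, as in the answer
             ("o'brien", "s3cret")]         # legitimate name containing a quote
    for user, password in cases:
        print(repr(user), compare(db, user, password))
```

The last case shows the same flaw from the defender's side: a legitimate name containing a quote breaks the concatenated query, which is often how the problem is first noticed in testing.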