Checksum != Security
An example hacking into bad Javascript authentication
What’s so Bad?
The Enemy
Breaking Bad
Closing
Found in the wild: a web app testing environment
function promptUserForPassword(pass) {
  // Client-side "authentication": the only check is a checksum of the passkey
  if (jesChecksum(pass) != 9887) {
    pass = prompt("Please enter the passkey", "");
    if (pass == null) {
      document.location.href = defaultHref;
    } else {
      verifyPassword(pass);
    }
  } else {
    successfulLogin(pass);
  }
}
function jesChecksum(str) {
  var primes = [ 2,  3,  5,  7, 11,
               13, 17, 19, 23, 29,
               31, 37, 41, 43, 47,
               53, 59, 61, 67, 71,
               73, 79, 83, 89, 97];
  var rtn = 0;
  // Weighted sum: each character code multiplied by the prime at its position
  for (i = 0; i < (str.length); i++) {
    tmp = str.charCodeAt(i) * primes[i];
    rtn = rtn + tmp;
  }
  return rtn;
}
A hash function is any function that can be used to map digital data of any size to digital data of a fixed size.
“checksums are often used to verify data integrity, but should not be relied upon to also verify data authenticity”
“It is infeasible to find two different messages with the same [cryptographic] hash”
It should be feasible to find two different messages with the same checksum.
Find “pass” such that
jesChecksum(pass) == 9887
function jesChecksum(str) {
  …
  for (i = 0; i < (str.length); i++) {
    tmp = str.charCodeAt(i) * primes[i];
    rtn = rtn + tmp;
  }
  …
}
The simplicity of this algorithm makes it very easy to solve.
Thanks to Unicode (charCodeAt returns a 16-bit code unit, so two characters give plenty of range): solve 2x + 3y = 9887 over the integers
One such solution is “Ŏఁ”:
Ŏఁ = String.fromCharCode(334, 3073);
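To make the “find pass such that jesChecksum(pass) == 9887” step concrete, here is an added example (not code from the slides) that re-implements the deck’s checksum, checks the slide’s own two-character solution, and counts how many two-character strings the check would accept. The constant 9887 and the prime table are from the slides; the function names and the long-input check are assumptions made here.

```javascript
// Added example, not part of the original deck. Re-implements jesChecksum
// from the slides and shows why a linear checksum cannot act as a password
// commitment: the accepted set is large and found by arithmetic, not search.

const PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
                31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
                73, 79, 83, 89, 97];
const TARGET = 9887; // the constant hard-coded in promptUserForPassword

// Same arithmetic as the slide's checksum: sum of charCode(i) * primes[i].
function jesChecksum(str) {
  let rtn = 0;
  for (let i = 0; i < str.length; i++) {
    rtn += str.charCodeAt(i) * PRIMES[i];
  }
  return rtn;
}

// The slide's solution to 2x + 3y = 9887: x = 334, y = 3073.
function slideSolution() {
  return String.fromCharCode(334, 3073); // "Ŏఁ"
}

// Count every two-character string (UTF-16 code units 0..0xFFFF) whose
// checksum equals `target`: the size of the set of "passwords" the check
// accepts, which is what makes the real passkey irrelevant.
function countTwoCharSolutions(target) {
  let count = 0;
  for (let x = 0; x <= 0xFFFF; x++) {
    const rem = target - 2 * x;
    if (rem < 0) break;                           // y would go negative
    if (rem % 3 === 0 && rem / 3 <= 0xFFFF) count++;
  }
  return count;
}

// A defect worth noticing when reading the original: PRIMES has only 25
// entries, so any input longer than 25 characters multiplies by undefined
// and the checksum becomes NaN, which never compares equal to 9887.
function checksumIsNaNForLongInput(str) {
  return Number.isNaN(jesChecksum(str));
}

console.log(jesChecksum(slideSolution()));          // 9887
console.log(countTwoCharSolutions(TARGET));         // 1648
console.log(checksumIsNaNForLongInput("a".repeat(26))); // true
```

The count is the point: 1648 distinct two-character strings satisfy the check, and longer strings add many more, so “knowing the passkey” means nothing; the only way to reject them is a check that the client never sees, on the server.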
Using the right tool for the job requires you to understand the tools available
Don’t roll your own security either
And definitely don’t do security client side in Javascript
Thanks
Justin Mancinelli
@piannaf http://piannaf.github.io
https://www.linkedin.com/in/justinmancinelli
Slide 5: http://en.wikipedia.org/wiki/Hash_function
Slide 6: http://en.wikipedia.org/wiki/Checksum
Slide 7: http://en.wikipedia.org/wiki/Cryptographic_hash_function
Slide 8: http://blog.codinghorror.com/checksums-and-hashes/
Slide 13: http://xkcd.com/1286/ and http://www.explainxkcd.com/wiki/index.php/Encryptic