So I’m a nerd for security, and I do like overkill, but there are some simple things that could be done to improve the security described in the ‘Weak Passwords’ section on page 2.

First off, don’t use MD5. It’s broken , or at least it would be better (and very little effort) to use SHA-1.

Second, if you’re storing the hash (MD5, SHA-1, SHA-256, whatever) of a user’s password, well, don’t just hash the password, but hash the username too. PHP’s Crypt() function is for this kind of thing, with a ’salt’. E.g.
Function EncryptPassword( $username, $password ) {
$salt = substr($username,0,2);
return crypt($password, $salt);
}
What would this mean? Well, an attacker trying the dictionary attack described would need not 1, but 3844 dictionaries, assuming usernames are alphanumeric and case sensitive.

Hell, why not use the username too as what you’re hashing? I’ve not seen this done anywhere - and I’m not sure of it’s security (I say that in the most paranoid sense) - but principle is the same. By appending the username to the password being hashed, well, you’d need a seperate dictionary for each username. You could even throw in a constant string - it doesn’t add much security, but it means your code would have to be compromised in order to allow precomputation of a dictionary for a user.
Function MakeHash( $username, $password ){
return sha1( $username . "some arbitrary string" . $password);
}
A final thought - don’t underestimate passphrases rather than passwords. They’re easier for people to remember than passwords. Consider ‘r5GG8%’ and ‘elephants lollop gracefully’. Which would you remember? Robert Hessig of Microsoft PSS has a good article. And all of the above techniques would work with a passphrase instead of password - after all, they’re all just text…

Comments from my old blog:

DES was broken many years ago, so that’s a very poor alternative to MD5.

By Chris at 16:18:01 Saturday 30th July 2005

Puzzled by the DES comment - DES isn’t a good algorithm for encryption, certainly - it’s bust, and we have AES now. Also, DES is a block encryption cipher, whereas MD5 is a hashing algorithm. Different things.

By Andy at 21:50:29 Saturday 19th November 2005

I believe the DES comment is because your EncryptPassword function passes crypt a two character salt, which makes crypt use the ’standard DES-based encryption’.

By Deebster at 16:41:44 Wednesday 29th March 2006

Ah, well I’ll be damned. I hadn’t realised that Crypt could use DES. Come to that, I’m not sure why I’m using a Crypt function for what should be hashing. Brain fade, I guess. I suppose that replacing DES with Blowfish would give a function that encrypted the password in a recoverable way, although I’m not a fan of that.

By Andy at 12:28:55 Saturday 6th May 2006

How it works
When the page loads, the JavaScript in checkbox.js checks all of the INPUT tags on the page. If they are a checkbox, and have BOTH and imgOn and an imgOff, then the INPUT tag has its style set to hidden, and the appropriate images are added to the DOM. They’re floating, though, and so are positioned where the checkbox was on the page.

When you click on one, it changes the state of the underlying checkbox (it’s still there, just hidden), and displays the image appropriate for that state.

When the form is submitted, the checkbox is submitted as normal.

As a user leaves the page, on unload the code in checkbox.js tries to tidy up after itself, although I’m a little concerned about memory leaks after some interesting articles I read recently.

Known Issues

• These controls are not part of the tabindex. My friend Bruce Sandeman has been working on a version of this where the images are ‘tabable’, but is struggling to turn the border of the images off. I’ve included the code anyway - see checkbox2.js. I’ve not reviewed it yet, so user beware!
• It’d be nice to hand all events on to the original checkbox for handling.
• At the least, some sort of mouseover/mouseout? It’s not so obvious that these are checkboxes, at least with the demo images I’ve chosen.
• I’m a little concerned about memory leaks given some things I’ve read recently and my use of closures. If anyone knows how to prove/prevent any leaks, let me know, that would be cool

How to Use

Real tricky this - include the checkbox.js file in your HTML page.
<script src="checkbox.js"></script>
Then, in the HTML for each of your checkboxes, add two new attributes - ‘imgOn’ and ‘imgOff’. The value of these attributes should be the path to the images you want to use for the checked (’on’) and unchecked (’off’) states.

<input type="checkbox" value='2' imgOn='tick.gif' imgOff='cross.gif' />

and with luck, that should be you done.

See the code below:

//**************************************************
// Copyright 2005 - Andrew Burns
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
// either express or implied. See the License for the specific
// language governing permissions and limitations under the License.
//**************************************************
//**************************************************
// CheckBox Control
// ---------------
// By Andrew Burns, June 2005
// Modified Bruce Sandeman, June 2005
//
// Javascript file for creating a 'Checkbox' using images.
// Degrades softly to normal checkboxes if JavaScript is unsupported.
//**************************************************
// Function to attach an event handler function to an object
function attachCheckEvent ( oTarget, cEvType, fnHandler, bForceOneFn ){
if( bForceOneFn == null ) {
bForceOneFn = false;
}
if( bForceOneFn ) {
oTarget["on" + cEvType] = fnHandler;
} else {
if (oTarget.addEventListener) {
oTarget.addEventListener( cEvType, fnHandler, true );
} else if (oTarget.attachEvent){
oTarget.attachEvent( “on” + cEvType, fnHandler );
}
}
// Note: No assignment of form below:
// oTarget["on" + cEvType] = fnHandler;
// I don’t want to overwrite any other javascript that is applied, so instead
// I’ll not do anything. This way, we just fail softly…
}
// Create a closed OnClick function. This will deal with changing the image, and the hidden CheckBox field
function createCheckClickEventHandler( oImg ) {
obj = function( e ) {
if( oImg.chkBox.checked == true ) {
oImg.chkBox.checked = false;
oImg.src = oImg.offImage.src;
} else {
oImg.chkBox.checked = true;
oImg.src = oImg.onImage.src;
}
};
return obj;
}
function createKeyEventHandler( o ) {
obj = function( e ) {
var bSpaceKey = false;
if( e ) {
if( e.which == 32) {
bSpaceKey = true;
}
} else {
if( window.event.keyCode ) {
bSpaceKey = true;
}
}
if( bSpaceKey ) {
var oImg = o.oImg;
if( oImg.chkBox.checked == true ) {
oImg.chkBox.checked = false;
oImg.src = oImg.offImage.src;
} else {
oImg.chkBox.checked = true;
oImg.src = oImg.onImage.src;
}
}
};
return obj;
}
// Function to create checkboxes. Reads the the DOM attributes of text input tags.
function prepareCheck () {
// Get Input elements
var x = document.getElementsByTagName(’INPUT’);

// For each input element, if it is a checkbox, and has replacement images…
for (var i=0;i
if( (x[i].type == ‘checkbox’) && x[i].getAttribute(’imgOn’) && x[i].getAttribute(’imgOff’) ){

// Find Checkbox Location on screen. Hide the Checkbox
xpos = 0;
obj = x[i];
if (obj.offsetParent) {
while (obj.offsetParent) {
xpos += obj.offsetLeft;
obj = obj.offsetParent;
}
} else if (obj.x) {
xpos += obj.x;
}

ypos = 0;
obj = x[i];
if (obj.offsetParent) {
while (obj.offsetParent) {
ypos += obj.offsetTop;
obj = obj.offsetParent;
}
} else if (obj.y) {
ypos += obj.y;
}

x[i].style.visibility = ‘hidden’;

// Add a new image, and cache ‘checked’ and ‘unchecked’ images.
var oAnchor = document.createElement( “A” );
oAnchor.tabIndex = i+1;
oAnchor.href=”null”;
var oImg = document.createElement( “IMG” );
oImg.onImage = new Image();
oImg.onImage.src = x[i].getAttribute(’imgOn’);
oImg.offImage = new Image();
oImg.offImage.src = x[i].getAttribute(’imgOff’);
// Make it visibile, and absolutely positioned, so we can replace the CheckBox
oAnchor.style.visibility = ‘visible’;
oAnchor.style.position = ‘absolute’;
// Link between Hidden Checkbox and Image
oImg.chkBox = x[i];
x[i].oImg = oImg;

// Decide on the Initial image used for the image
// IE and Opera

if( document.all ) {
bOn = !( x[i].getAttribute( “CHECKED” ) == false );
} else {
bOn = ( x[i].getAttribute(”CHECKED” ) == “”);
}

if( bOn ) {
oImg.src = oImg.onImage.src;
} else {
oImg.src = oImg.offImage.src;
}
// Attach the click event hander. This should swap the image and the checkbox state
oImg.style.left = xpos + ( ( x[i].offsetWidth - oImg.width ) / 2);
oImg.style.top = ypos + ( ( x[i].offsetHeight - oImg.height ) / 2);
attachCheckEvent( oImg, ‘click’, createCheckClickEventHandler( oImg ) );
oAnchor.oImg = oImg;
attachCheckEvent( oAnchor, ‘keydown’, createKeyEventHandler( oAnchor ), true );
attachCheckEvent( oAnchor, ‘click’, function (e) { return false; }, true );
oAnchor.style.left = xpos + ( ( x[i].offsetWidth - oImg.width ) / 2);
oAnchor.style.top = ypos + ( ( x[i].offsetHeight - oImg.height ) / 2);
oAnchor.appendChild( oImg );
document.body.appendChild( oAnchor );
}
// if
}
// for
}
// Clear the elements used on page exit
function clearCheck () {
var x = document.getElementsByTagName(’INPUT’);
for (var i=0;i
if( (x[i].type == ‘checkbox’) && x[i].oImg ){
x[i].oImg.onclick = null;
x[i].oImg.onImage = null;
x[i].oImg.offImage = null;

x[i].oImg.chkBox = null;

x[i].oImg.src = null;
x[i].oImg.parentNode.removeChild( x[i].oImg );
x[i].oImg = null;
}
}
}
// Attach Events on page load to prepare the Checkboxes.
attachCheckEvent( window, ‘load’, prepareCheck);
attachCheckEvent( window, ‘unload’, clearCheck);

Right, so I was thinking about the XMLHTTPRequest handler. Well, okay, actually, I was thinking of Sandra Bullock, and this idea popped into my head…

You can use XMLHTTPRequests to make requests of a web server. Fair enough. And you can make requests of another site - check. And you can make many of them on one page - yup. And finally, you don’t have to do anything with the response - you see where I’m going with this yet?

Assume you have a function for creating XMLHTTPRequest objects. Consider the following:
var urlTarget = 'www.example.com'; // The site we want to DOS
var aStack = array();

aStack.push( oHTTP );
}
}

window.onload = setupDOS;
So, a user goes to a page. In the background, after they’ve loaded the page, JavaScript is creating a whole load of XMLHTTPRequest objects, and then using these to make requests of a target site. And as each object gets serviced, it makes another request.

Thus, if you had 1,000 users, they could be making 100,000 requests of another site. And the requests would be from 1,000 different clients. Isn’t that the point of a denial of service attack? I mean, imagine if this were put on Slashdot!

I haven’t actually tried this yet - I might knock something up over the next week - but I can’t see anything that would prevent this. Did I miss anything? Is this not possible?

Update: So I wrote a script to try it. You can download it here. Basically, as is often the way, Firefox is well thought out and safe - it refuses to open an XMLHTTPRequest to a different domain. Good behaviour, I reckon.IE6, though, warns you about active content without being very specific - and if you allow the active content, the code you can download works just fine thankyou. So, all you need to do is put some dynamic content on the page so that your IE6 users allow active content, and you’re away - DOS galore!

Comments from my old blog:

I had a response from Nicholas Zakas ( http://www.nczonline.net/ ):
“I *think* IE6 SP2 effectively protects against that by disallowing cross-domain requests. I know you said that you get a simple warning about active content, but I think that only happens if you’re running the file locally. If you run it on a server, I believe that you’d just be blocked. So, in order to create a serious DDOS, you’d have to have people go to the Web site, download the file, open it, and click “I don’t care” to the IE warning. While I understand your concern, I don’t think it’s a huge security hole at this point.”

Indeed, he’s right - it does disallow cross-domain requests if the file isn’t being run locally. It’s still a little worrying - most of the manuals for the various products I work with come in HTML with ‘active content’ for example - but clearly you’re then having to rely on some form of social engineering, and you won’t get as much (or, probably, enough) activity to have a serious effect.

By Andy Burns at 07:55:05 Tuesday 19th July 2005