How to completely destroy a script and make it disappear forever.

On Oct 17, 7:49*pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

Jorge wrote on 17 okt 2008 in comp.lang.javas cript:

On Oct 17, 4:08*pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

Secure clientside scripting authentication is a contradictio in
terminis.

I neither do nor said nothing about "secure clientside scripting
authentication" .

You don't need to. your Q is clear as it is.

It can be the only reason you asked about
getting rid of a login page script on the client.

It's not the only reason. The auth. request itself is obfuscated. It's
not a plain post-a-form. The details of the structure of the auth.
request are hidden if that code is out of sight. I don't want someone
to keep trying auth. requests one after the other. They can't if they
don't know its structure. That's what I'm trying to hide.

--
Jorge.

Jorge schreef:

On Oct 17, 7:07 pm, Erwin Moller
<Since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

>Hi Jorge,

Is this all about obfuscating?
In that case you might reread Evertjan's short answer, because that sums
it up quite nicely.
Sorry, that is just the way it is.

Remember that everything you send to the browser is, well, send to the
browser. Anybody can get his hands on it, inspect it, tweak it, etc.

I know that. The authentication is done at the server and I could
leave it as it is now. But I'm obfuscating the code that builds the
authentication request as that will disuade most (not all) people to
even try to guess the details of the structure of the auth. request,
even though, I repeat, the authentication is done at the server side.

With the previous version of firebug, it was disappearing from the
scripts popup menu.

if (!obfuscated) { tinker(); } === (!obfuscated && tinker())

--
Jorge.

Hi Jorge,

Well, I don't know what or why you build it like that, BUT: wouldn't
things be much easier (and more secure) if you just used https?

What is it excactly you are trying to avoid?
Some scriptkiddo?

Regards,
Erwin Moller

--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare

On Oct 17, 7:49*pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

>
You don't need to. your Q is clear as it is.

It can be the only reason you asked about
getting rid of a login page script on the client.

Besides, handling the authentication isn't the same thing as
authenticating.

--
Jorge.

On Oct 17, 8:09*pm, Erwin Moller
<Since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

Hi Jorge,

Well, I don't know what or why you build it like that, BUT: wouldn't
things be much easier (and more secure) if you just used https?

But that solves another different problem.

What is it excactly you are trying to avoid?
Some scriptkiddo?

Or the wannabe-a-hacker child of an employee, or ..., you never know.

--
Jorge.

Jorge wrote on 17 okt 2008 in comp.lang.javas cript:

On Oct 17, 7:49ÿpm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

>Jorge wrote on 17 okt 2008 in comp.lang.javas cript:

On Oct 17, 4:08ÿpm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote

:

>>

>Secure clientside scripting authentication is a contradictio in
terminis.

I neither do nor said nothing about "secure clientside scripting
authentication" .

You don't need to. your Q is clear as it is.

It can be the only reason you asked about
getting rid of a login page script on the client.

It's not the only reason. The auth. request itself is obfuscated. It's
not a plain post-a-form. The details of the structure of the auth.
request are hidden if that code is out of sight. I don't want someone
to keep trying auth. requests one after the other. They can't if they
don't know its structure. That's what I'm trying to hide.

The amount of malicious requests is not in the ease of some sending by
many, but in the fact that one bad guy can sent quite a lot.

Your obfuscative quest is like Don Quigote's,
and I have nothing against windmills.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

On Oct 17, 8:25*pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

The amount of malicious requests is not in the ease of some sending by
many, but in the fact that one bad guy can sent quite a lot.

A DoS attack is a thing, and being able to get a password by the brute
force is another.

Your obfuscative quest is like Don Quigote's,
and I have nothing against windmills.

Security must be seen from every angle.

--
Jorge.

On 2008-10-17 20:33, Jorge wrote:

>The amount of malicious requests is not in the ease of some sending by
many, but in the fact that one bad guy can sent quite a lot.

A DoS attack is a thing, and being able to get a password by the brute
force is another.

Then add a delay after a failed login attempt before you send a
response. Force people to use better passwords. Keep track of how many
login attempts are made from the same IP-Address in a specified time
frame, and lock out those who exceed the limit. Brute forcing takes a
while, and with these three measures (all on the server side!) you can
make it very hard.

>Your obfuscative quest is like Don Quigote's,
and I have nothing against windmills.

Security must be seen from every angle.

Half-hearted attempts at security, i.e. measures that are only effective
against lazy script kiddies, give a false sense of security. To guard
youself against people who would brute-force passwords, there is *one*
big and strong door that you really have to close. Putting up fences and
warning signs around it won't do any good. In your case (login), that
big strong door is on the server, because you can't possibly control the
client.
- Conrad

On Fri, 17 Oct 2008 11:05:42 -0700 (PDT), Jorge <jo***@jorgecha morro.comwrote:

>On Oct 17, 7:49Â*pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

>Jorge wrote on 17 okt 2008 in comp.lang.javas cript:

On Oct 17, 4:08Â*pm, "Evertjan." <exjxw.hannivo. ..@interxnl.net wrote:

>Secure clientside scripting authentication is a contradictio in
terminis.

I neither do nor said nothing about "secure clientside scripting
authentication" .

You don't need to. your Q is clear as it is.

It can be the only reason you asked about
getting rid of a login page script on the client.

It's not the only reason. The auth. request itself is obfuscated. It's
not a plain post-a-form. The details of the structure of the auth.
request are hidden if that code is out of sight. I don't want someone
to keep trying auth. requests one after the other. They can't if they
don't know its structure. That's what I'm trying to hide.

I think you're taking the wrong approach, recently I had some scriptkiddies
from NL decide to play games with the one form on my web site, and, after
some playing around I defeated them with a couple simple timestamps and
some minimal query content checking (for URLs).

As another pointed out, correct authentication is to use https, you cannot
hide normal http traffic as it is available to the client as part of
normal operation.

Another misthink is this idea of defeating a particular tool, firebug,
what of other tools, what of people simply looking into their browser
cache files? You cannot sidestep that with anything a followup script
can do -- the first script is tucked away in client browser.

Observation, script-kiddies are too stupid to go searching too deep.

Ultimate answer? What I did was to put in place a logging system and
some query validation:

(server-side, awk)

if (query_error) {
printf "[%u]\n", naddr out
print "query error:" out
if (and(query_erro r, 1)) {
print " query contains url" out
}
if (and(query_erro r, 2)) {
print " bad form timestamp" out
}
if (and(query_erro r, 4)) {
print " bad data timestamp" out
}
if (and(query_erro r, 8)) {
print " your time off >3 hours" out
}
print "use back button, try again" out
print "please report false positives" out
close(out)
printf "Location: %s\n\n", out
###print "Status: 205 Reset Content\n"
++do_exit; exit
}

Another cron job scans the logfile and locks out script-kiddies via the
firewall, so they no longer get access to the form.

Finally, the firewall rate limiter will jail any IP requesting services
too often. Having some script-kiddies play with your site can be a
wonderful opportunity to try out and install various strategies at the
server -- where the kiddies can't play and your scripts are safe from
public view. Or should be, if you properly implement access wrappers:

$ ls -l
total 28
drwxrwx--- 2 grant wheel 208 2008-10-18 00:04 archive/
-r-sr-xr-x 1 grant wheel 3104 2008-10-05 09:07 cc2ip.cgi*
-rwxrwxr-x 1 grant wheel 11613 2008-10-17 06:52 index.html*
-rw-r--r-- 1 grant wheel 5708 2008-10-17 06:52 index.html.gz
-rwxrwxr-x 1 grant wheel 444 2008-10-05 09:07 lookup-ip*
drwxrwxrwx 2 grant wheel 240 2008-10-18 00:02 public/
drwxrwx--- 2 grant wheel 128 2008-10-18 07:14 server/

Grant.
--
http://bugsplatter.id.au

Jorge <jo***@jorgecha morro.comwrites :

It's not the only reason. The auth. request itself is obfuscated. It's
not a plain post-a-form. The details of the structure of the auth.
request are hidden if that code is out of sight. I don't want someone
to keep trying auth. requests one after the other. They can't if they
don't know its structure. That's what I'm trying to hide.

Removing the script after it has been loaded will not protect you.
Nothing will, against a dedicated and even slightly competent
attacker.

Once you sent the script to the client, you should act as if
everything in it was common knowledge to everybody on the internet
(from a security perspective). Once it's on the client, nothing can
put it back in the box. Any attempt to do so will only fool those
who are pretty much incapable of exploiting it anyway.

/L
--
Lasse Reichstein Holst Nielsen
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'

On Oct 17, 9:22*pm, Conrad Lender <crlen...@yahoo .comwrote:

On 2008-10-17 20:33, Jorge wrote:

The amount of malicious requests is not in the ease of some sending by
many, but in the fact that one bad guy can sent quite a lot.

A DoS attack is a thing, and being able to get a password by the brute
force is another.

Then add a delay after a failed login attempt before you send a
response. Force people to use better passwords. Keep track of how many
login attempts are made from the same IP-Address in a specified time
frame, and lock out those who exceed the limit. Brute forcing takes a
while, and with these three measures (all on the server side!) you can
make it very hard.

Your obfuscative quest is like Don Quigote's,
and I have nothing against windmills.

Security must be seen from every angle.

Half-hearted attempts at security, i.e. measures that are only effective
against lazy script kiddies, give a false sense of security. To guard
youself against people who would brute-force passwords, there is *one*
big and strong door that you really have to close. Putting up fences and
warning signs around it won't do any good. In your case (login), that
big strong door is on the server, because you can't possibly control the
client.

* - Conrad

Thanks Erwin, Conrad, Grant, Lasse, Evertjan. I agree 100% with all
the things you said. I'm already doing most of the things that you are
suggesting (except fiddling with the firewall setup, Grant). May be
I'm just too paranoid. TFYT.

(Although you didn't even try to help me with the original
question :-)

Regards,
--
Jorge.