I need a simple solution here... I'm pretty sure this is possible, I just don't know how to set it up.
I need squid to redirect all users to a simple user acceptance agreement before allowing them out to the internet. No username and password, they either accept the agreement and get allowed access, or the don't and get a permission denied page.
I don't want to have anything complicated, lets keep it simple if we can.
I have reviewed this: http://wiki.squid-cache.org/ConfigExamples/Portal/Splash#Portal_Splash_Pages
However its not very clear to me...
Thanks in advance...
From auth_param section in squid.conf file:
Specify the command for the external authenticator. Such a program
reads a line containing "username password" and replies "OK" or "ERR"
in an endless loop. "ERR" responses may optionally be followed by a
error description available as %m in the returned error page.
By default, the basic authentication scheme is not used unless a
program is specified.
There are lots of examples around. This link has an example of a custom squid helper in PHP. It can easily be modified to have a checkbox for agreement iso a username/password authentication.
Related
I am learning PHP, and I am obsessed with learning security. I know a few about some kind of attacks likes injections, session theft, etc., but I would like to code my own CMS with a perfect security (if possible).
Reading I drop on .htaccess security in directories. This is a good option because all my CMS files are in one directory. I just read this in a website:
HTAccess is the most secure method of password protection, as it relies on the Web server, so the valid usernames and passwords are never shared with the Web browser or stored in the HTML like they can be with other scripts.
Is this true? I mean, it is "unhackeable"? Of course with extra security (like hidding the .htaccess file).
If this is true, I mean, there is no way to hack a site with .htaccess security, how can I use a form (instead of the popup window) so I can log in my CMS? Is there a way to use a "Forgot Your Password" option?
Any help will be apreciated, as examples and links for reference.
HTAccess is the most secure method of password protection, as it
relies on the Web server, so the valid usernames and passwords are
never shared with the Web browser or stored in the HTML like they can
be with other scripts.
I'm a little scared of the person who wrote this sentence originally.
Usernames and passwords would never be shared with the web browser or stored "in the HTML" except in the cases of the most rank disregard for hygienic programming practices. That someone would even present that as an "option" as a straw man argument is troublesome. I recommend finding a better guide.
The htaccess mechanism for server security is also a bit of a misnomer. The .htaccess file in directories is really intended to be a mechanism for clients on shared hosting sites to have some degree of control over Apache configuration variables -- which is a complete non-starter for "totally secure CMS system" (as if such a thing were a possibility. :) You should expect to have complete and total control over your Apache configuration, including all authentication and authorization and access control mechanisms. The .htaccess files are re-loaded, re-parsed, and re-configure the server on every single request but the site-wide Apache configuration is loaded once, parsed once, and configures the server once.
The server-based mechanisms rely upon either HTTP basic authentication (which is roughly akin to shouting your user name and password in a crowded room) or HTTP digest authentication (which is significantly better and if your users pick good passwords, probably even vaguely safe). Tunneling either one through TLS would be wise. (Heck, if you really want "security", you might even go to the effort of using client certificates.)
Note that these mechanisms ask the browser to pop up a dialog box for authentication. If you want to integrate the username and password into your web page in a "beautiful" way, then you will need to do all the username and password authentication checks via a form submission, storing session information, and checking your internal security mechanisms to provide authorization whenever it is necessary. You will be responsible for everything. (And, again, TLS is the way to go.) The web server cannot help you at all. (And you further won't be sending usernames, passwords to the browser in HTML... sheesh. That still scares me.)
is this what your looking for? this will allow you to use a php form to login through htaccess
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>
reference
I am trying to test a webpage using Nessus. I have tested all the stuff about the Server. But now I want to proceed by login to the webpage and test all possible pages behind the login form. But I couldn't achieve it. I gave all(text, password and hidden fields) the form fields' values including the ticket generated by Central Authentication System. But nothing happens. Either there isn't any security issue behind the login page ( :P ), or I couldn't login to the page (100% possibility :D ). For extra info:
These are login fields. ;)
username=
&password=
<=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login
Is there anyone who used Nessus and know how to solve this problem? And is there anyone who knows how to import Cookies to Nessus?
Thanks in advance. ;)
I had similar problems; can't speak for you, but sounds like you have about as much website knowledge as I do (which ain't much!) - no offense intended. In my case I'm not sure I'm understanding the most most basic structural elements of the website, such as what URL to point the scan at, and then concatenating that correctly with the login pages in the policy. I'm far better at the network and infrastructure penetration testing :D
I did a search in a search engine for "Nessus HTTP cookie import", and found that Tenable discussed this on their podcast, episode 14:
http://blog.tenablesecurity.com/2009/11/tenable-network-security-podcast---episode-14.html
If you look at the "Stories" note on the above web page, there's a hint to use the "Export Cookies" Firefox add-on. The add-on has some guidance, but essentially:
Install the add-on to your browser (I'm using the OWASP Mantra browser; I urge you to look at it)
Restart your browser
Login into the subject website and authenticate
From the Tools menu, go for "Export Cookies"
Save to file, and point your Nessus scan policy at that file
NOTE: I'm still trying this now, but thought I'd post the possibility anyway in case I forget - I will update this thread with a confirm or deny shortly.
Best of luck!
UPDATE: Well, it didn't work for me on first attempt. I'm confirming I don't have any conflicting or superseding settings in the policy, but if that doesn't work it's on to Tenable Support, I fear...
According to the documentation, besides importing cookies, the other way to do it (currently at 7.0) is:
Create new scan
Web Application Tests
Credentials:
which are filled out like these (taken from documentation):
Username: Login user’s name.
Password: Password of the user specified.
Login page: The absolute path to the login page of the application, e.g., /login.html
Login submission page: The action parameter for the form method. For example, the login form for: <form method="POST" name="auth_form" action="/login.php"> would be: /login.php
Login parameters: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide
more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process).
Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.
Regex to verify successful authentication: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as Authentication successful
However, looking at the reports, in my case, it couldn't authenticate for some reason
Let's say I have a swf with a movie or something (it's a stream actually but it doesn't really matter).
I created a quite secure way to get to the page where it is displayed (as embed). The only problem is this:
How do I stop someone to view source or use something like Firebug and send the address of the file to somebody else.
I want them to see the result but not be able to send it to anyone else.
The platform for my site is LAMP.
You can't do this.
if you don't want the client to know something, the only option is to not tell it;
if you don't tell the client where the file is, he can't possibly view it.
What you should do instead, is to have some authentication and authorization in place, so that only authenticated and authorized users can access said address. That way users can share the address as they like, but unauthorized users can only get "Access denied" messages.
This does not prevent authorized users from downloading the file and hosting it somewhere else, though. If you don't trust them not to do this, don't authorize them.
I created a quite secure way to get to the page where it is displayed
intriguing. Please describe this secure way in detail.
If its secure in the sense that it authenticates and authorises the user, then it provides the security you ask about from the sharing of URLs.
You could implement a refer[r]er check to prevent users accessing the file directly.
$referer = $_SERVER['HTTP_REFERER'];
$components = parse_url($referer);
if ($components['host'] != "www.example.com") {
// User didn't access file from your site.
}
This can be circumvented by spoofing the referer header but should defeat casual users.
Naturally, this doesn't prevent someone downloading and re-hosting the file.
I want to create a log in system using htaccess and htpasswd file and PHP for the server-side code, but when the user logs in I want to be able to identify that user, so how can I know what the user typed in as their username using PHP code (I assume I won't need to know the password if they've managed to access the restricted page)?
Many thanks,
Ben
You just need the following to get the username that is currently in use for an authenticated session:
$_SERVER['PHP_AUTH_USER']
rev1
In light of #Ben's comment I've now found the section in the PHP documentation at HTTP authentication with PHP that explains what's going on:
As of PHP 4.3.0, in order to prevent
someone from writing a script which
reveals the password for a page that
was authenticated through a
traditional external mechanism, the
PHP_AUTH variables will not be set if
external authentication is enabled for
that particular page and safe mode is
enabled. Regardless, REMOTE_USER can
be used to identify the
externally-authenticated user. So, you
can use _SERVER['REMOTE_USER'].
Comcast has changed their login process so it happens in two steps. Instead of two input boxes for username and password, you submit your username first. Then on a second page you enter your password.
https://www.comcast.com/Customers/CustomerCentral.cspx
Due to some recent security
improvements, we now require you to
enter your user name and password in
two separate steps.
What could the security improvement possibly be in this system? If anything it seems less secure since you can confirm the existence of a username independently from it's password.
Any ideas on what they're accomplishing here?
My guess would be that they are targetting specific phishing/keylogging software which is "used to" finding all the login information on the same page. It's making the job of some malicious software a little harder.
If you use the "automatically fill in my forms" feature of many browsers, this will also separate the login information into two separate entries in the browser's data store, again making things just a little harder for any software which might try to exploit this feature.
Not sure if Comcast is doing the same thing, but I know a lot of bank websites I use lately started doing the following:
Prompt you for your username
Look up an image and a string that you specified at your account creation.
Display that image + string along with the password box.
The stated goal is so that, if you as a user notice that the image and string don't match what you picked when you created the account, you get suspicious and don't enter your password.
What is the benefit here? I don't see any either, as an attacker's script can just look up the image and string from the real login page. Maybe it makes dumb people feel more safe.
It is strange, on the password page they require your email and password, not the user name.
The user name is not a secret, as you use it in your mail address probably....
They still allow you to "stay signed in" ...
So Actually, I don't think there is a real security benefit
You can get directly to the 2nd login page if you bookmark it....
Simply so when you login to more secure areas of my account, you need to reenter your password instead of use the remember-me function, so if someone gets on the computer, all they can do is access email from a normal session. Yahoo does this also.