One day I stumbled upon a web app testing environment that used client-side JavaScript to perform authentication.
It was very simple to break into because it hashed the password using a very simple checksum algorithm.
I created this presentation to share my thoughts on what I found.
6. “checksums are often used to verify data integrity, but
should not be relied upon to also verify data authenticity”
What’s so Bad? | The Enemy | Breaking Bad | Closing
7. “It is infeasible to find two different messages
with the same [cryptographic] hash”
8. It should be feasible to find two different messages
with the same checksum.
10.
function jesChecksum(str) {
  …
  for (i = 0; i < (str.length); i++) {
    tmp = str.charCodeAt(i) * primes[i];
    rtn = rtn + tmp;
  }
  …
}
The simplicity of this algorithm makes it very easy to solve.
11. Thanks to Unicode:
Solve 2x + 3y = 9887 over integers
One such solution is “Ŏఁ”
Ŏఁ = String.fromCharCode(334, 3073);
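Why the checksum on slides 10 and 11 cannot stand in for a password hash, as an added example that is not code from the presentation: the sum is linear in the character codes, so many inputs share one value. `PRIMES` is an assumption (the slide elides the table; the equation 2x + 3y implies it begins 2, 3), and all function names are hypothetical.

```javascript
// Assumed table: the slide hides it, but "2x + 3y" implies it starts 2, 3.
const PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29];

// The same weighted sum as the loop on slide 10.
function weightedChecksum(str) {
  let sum = 0;
  for (let i = 0; i < str.length; i++) {
    sum += str.charCodeAt(i) * PRIMES[i];
  }
  return sum;
}

// Linearity: raising code unit 0 by PRIMES[1] and lowering code unit 1 by
// PRIMES[0] changes the sum by 2*3 - 3*2 = 0, so the checksum is unchanged.
function shiftedCollision(str) {
  if (str.length < 2) return null;
  const a = str.charCodeAt(0) + PRIMES[1];
  const b = str.charCodeAt(1) - PRIMES[0];
  if (a > 0xffff || b < 0) return null; // outside the UTF-16 code unit range
  return String.fromCharCode(a, b) + str.slice(2);
}

// Count every two-code-unit string whose checksum equals `target`,
// i.e. integer solutions of 2x + 3y = target with 0 <= x, y <= 65535.
function countTwoCharPreimages(target) {
  let count = 0;
  for (let x = 0; x <= 0xffff; x++) {
    const rest = target - PRIMES[0] * x;
    if (rest < 0) break;
    if (rest % PRIMES[1] === 0 && rest / PRIMES[1] <= 0xffff) count++;
  }
  return count;
}

// The string from slide 11 and the stored value it was solved for.
const slideString = String.fromCharCode(334, 3073);
console.log(weightedChecksum(slideString));                   // stored value
console.log(weightedChecksum(shiftedCollision(slideString))); // same value
console.log(countTwoCharPreimages(9887));                     // strings that match
```

A verifier that compares only this checksum accepts every one of those strings, which is the property a cryptographic hash (slide 7) is designed to rule out.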
12. Using the right tool for the job
requires you to understand the tools available
13. Don’t roll your own security either
14. And definitely don’t do security client-side in JavaScript