Javascript hashing in AJAX inputs, more security?

Of the many posts I've seen on the site, logins executed by AJAX or traditional forms are as safe as one another. (re: Login / session cookies, Ajax and AJAX security and javascript cookies, is this safe? )

My questions are:

  • If I use a user password (via a hash page on the client side / javascript library) before sending it to the server, will I increase security from people who have paused?

  • If I put a form token (one random, another based on time), does this cover CSRF attacks?

  • Can I cover all my bases after all this? Will this form be safe?
+5
3 answers

In fact, this can be a serious security issue. The reason passwords are hashed is because of failure planning. An attacker can gain access to a data store (SQL injection) and then obtain a hash. If you just log in with a hash, then the attacker does not need to crack the recovered hash in order to gain access to the application.

Replay attacks are also a problem. If I sniff a hash during authentication, what prevents me from simply replaying this request for authentication?

, , nonce, . Microsoft SMB NTLM- - , .

SSL, . OWASP A9 , . , , .

CSRF . , , " " .

+5
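The first answer's two points (a stored hash that is accepted as the login value, and a sniffed hash that can be replayed) shown side by side, as an added example that is not part of the original answers. It runs on Node's built-in `crypto` module; the function names, the sample password and the choice of SHA-256 and scrypt are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

// Constant-time comparison of two hex strings.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// What the browser sends when it hashes the password before submitting.
function clientSubmit(password) {
  return crypto.createHash("sha256").update(password).digest("hex");
}

// Design A: the server stores the client-side hash and compares it directly.
function weakStore(password) {
  return { stored: clientSubmit(password) };
}
function weakLogin(record, submitted) {
  return safeEqual(record.stored, submitted);
}

// Design B: the server treats the submitted value as the secret and
// applies its own salted scrypt before storing or comparing.
function strongStore(password) {
  const salt = crypto.randomBytes(16);
  const stored = crypto.scryptSync(clientSubmit(password), salt, 32).toString("hex");
  return { salt, stored };
}
function strongLogin(record, submitted) {
  const derived = crypto.scryptSync(submitted, record.salt, 32).toString("hex");
  return safeEqual(record.stored, derived);
}

function demo() {
  const password = "correct horse battery staple"; // constructed sample
  const weak = weakStore(password);
  const strong = strongStore(password);
  const sniffed = clientSubmit(password); // value visible on the wire without TLS
  return {
    weakLeakedRow: weakLogin(weak, weak.stored),         // leaked row is a working credential
    strongLeakedRow: strongLogin(strong, strong.stored), // leaked row is rejected
    weakReplay: weakLogin(weak, sniffed),                // captured submission is accepted
    strongReplay: strongLogin(strong, sniffed),          // still accepted: hashing alone does not stop replay
  };
}

console.log(demo());
```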

, 3. ! , AJAX , .

. , , , .

, .

  • cookie .
  • .
  • (, ) .
  • , .
  • cookie HttpOnly - HTTPS alo cookie .
  • , , , . .
  • " ", http-.
  • , 2
  • , , . , , , . , .
+1

, , . , , . , , .

0
