How to NOT implement a login form

Growing up is a difficult task.

Out of the many difficulties we encounter in this process, one of the most challenging to deal with is to be found in the limitations of our caregivers and of those who came before us.

One day, we wake up, and we realize that we are born into a very difficult world. We realize that, depending on many factors, our life can experience different levels of pain. There is a pain, however, that is intrinsic to life itself. You will feel it, no matter how or where you're born. This pain is deeply connected with the ignorance of the people who came before us. No matter where we're born, no matter whom we deal with, whether parents, teachers, work managers, politicians and so on, at some point we will face this hard problem:

How can we overcome the limitations of the teachings that have been given to us?

I am not suggesting that everything we learn from our past is wrong. This is very much not the case. It is actually the opposite. Most of the things we do learn from our past are extremely useful. And this is the hard part of the problem. We know, intuitively, that we cannot throw it all away. Therefore, how do we differentiate between it all? How can we select the wise and useful knowledge from the past, and how can we discard the limiting beliefs, born out of ignorance, of those who came before us?

Clearly, I cannot answer this question in a general way. I think only each one of us, using our own intuition, can come to an answer in regard to this. I do want to bring a small example, however, of a moment of realization. I want to write about when I discovered a limitation of one of my teachers at university.


For both my bachelor's and master's degrees I went to the Computer Science department of Tor Vergata, one of the most famous public universities in Rome. Our department, since its inception, has always had the same website.

http://www.informatica.uniroma2.it/

The website was managed by the same professor who also taught the course about Operating Systems and Network Protocols. I'm writing this small article because recently this professor retired and got his pension, and they have given the responsibility of the site to a new PhD student. This means that probably in some months this website will no longer be there, as it will be replaced by another website.

When you open the website you are welcomed by the following landing page:

Now, there are various issues with this website. For starters, there is no HTTPS, only HTTP, and this is an issue since there is a login page that professors use every day. Another issue leaks personal data of the professors, and therefore, out of respect for them, I will not discuss it. What I want to discuss instead is how the login form is implemented.

In the current implementation, if you click on the Login text within the navbar you are presented with the following login form:

This is the form that the various professors use to log in to the portal and manage course material and things of the sort. By inspecting the HTML we see the form:

<h1>Area docenti</h1>
<table>
<form name="f1">
  <tr><th>Username</th><td>
      <input type="text" name="j_user" size="16"
	     maxlength="16" id="username" onclick="this.value=''"/></td>
  </tr>
  <tr><th>Password</th><td>
      <input type="password" name="j_pass" size="16"
	     maxlength="16" id="password" onblur="return false;" /></td>
  </tr>
</form>

<tr><td>
    <input type="submit" value="    Ok    " name="submit"
	   onclick="return login();"/></td>
  <td>
    <input type="button" value="Annulla" name="annulla"
	   onclick="location.href='/home.htm';"/></td></tr>
</form>

Consider the JavaScript function that is executed when we click on the submit button, which is the login() function. Let's now open the network tab and try to log in with the credentials user:password.

We see four different requests being made. By checking the Login.js script we see the implementation of the login() function, which is shown below:

function login(){
	var pass=document.f1.j_pass.value;
	var user=document.f1.j_user.value
	document.loginForm.j_username.value=user;
	document.loginForm.j_password.value=hex_md5(pass);
	document.loginForm.submit();
	return false;
}

This code computes, client-side, the MD5 hash of the password typed in by the user, and then sends it in an HTTP POST to the endpoint /j_security_check. We can quickly check the request sent by the browser with Burp Suite.

POST /j_security_check HTTP/1.1
Host: XXX
Content-Length: 59
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: XXX
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: XXX/j_security_check
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

j_username=user&j_password=5f4dcc3b5aa765d61d8327deb882cf99

Now, I have wondered, long and hard.

Why would you hash the password client-side?

I wonder about this because another thing to consider is that currently the website does not support HTTPS, which means that there is no cryptographic protection for the packets in transit.

So what's the threat model here? If the server receives the MD5 hash of the user password, it either

  1. Stores the hash directly
  2. Computes another hash on top of the MD5 hash

In both cases, what happens, practically, is that the MD5 hash of the user password BECOMES the actual user password, for all intents and purposes.

This means that a malicious attacker, by simply observing the MD5 hash of a user over the network, something that can very well happen with enough patience and time considering the lack of cryptographic protections, can effectively log in as that particular user by sending a POST request to the /j_security_check endpoint.
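To make the two cases concrete, here is an added simulation (not code from the site or from the original post) of a backend that receives hex_md5(pass) as j_password, in the two storage variants listed above, next to a hardened server that derives a salted, slow hash of the plaintext itself. The backend functions are hypothetical models of what the server might do, and the captured value is the one from the request above.

```python
import hashlib
import hmac
import os

# Value seen on the wire in the capture above: hex_md5("password"), sent as j_password.
CAPTURED_J_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"

def hex_md5(s: str) -> str:
    """Same transform that Login.js applies client-side before submitting."""
    return hashlib.md5(s.encode()).hexdigest()

# Case 1 (hypothetical backend): the server stores the received MD5 directly.
def store_case1(password: str) -> str:
    return hex_md5(password)

def verify_case1(stored: str, j_password: str) -> bool:
    return hmac.compare_digest(stored, j_password)

# Case 2 (hypothetical backend): the server hashes the received MD5 once more.
def store_case2(password: str) -> str:
    return hashlib.sha256(hex_md5(password).encode()).hexdigest()

def verify_case2(stored: str, j_password: str) -> bool:
    return hmac.compare_digest(stored, hashlib.sha256(j_password.encode()).hexdigest())

def replay_with_captured_value(verify, stored: str) -> bool:
    """Models a party that knows only the value observed on the wire, never the password."""
    return verify(stored, CAPTURED_J_PASSWORD)

# Hardened alternative: the server receives the plaintext password over TLS and derives a
# per-user salted, slow hash itself, so the stored value is never what travels on the wire.
PBKDF2_ROUNDS = 100_000  # kept low for a quick demo; use a much higher count in production

def hardened_register(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def hardened_verify(record: tuple[bytes, bytes], password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)

if __name__ == "__main__":
    for store, verify in ((store_case1, verify_case1), (store_case2, verify_case2)):
        print(verify.__name__, "accepts captured value:", replay_with_captured_value(verify, store("password")))
    rec = hardened_register("password")
    print("hardened accepts real password:", hardened_verify(rec, "password"))
    print("hardened accepts captured MD5 value:", hardened_verify(rec, CAPTURED_J_PASSWORD))
```

The hardened form only closes the gap together with HTTPS: without transport encryption a captured plaintext password is replayable just the same, which is why client-side hashing is no substitute for TLS.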


What does this tell us?

It tells me that this professor does not think about the security of network protocols in a modern way. It tells me that he studied some basic network stuff, enough to get his position, and then he stopped learning. In all these years, however, he kept teaching I don't even know how many people. And that is the real problem.

I refrain from judging typically, because I do understand that each one of us makes mistakes. No one is perfect, and that is a good thing, because perfection in itself is a flawed, idealistic and dangerous idea. In this particular case however there is a responsibility I felt has been betrayed. Actually, more than one.

  • The responsibility of producing technology that helps its users while protecting their data.

  • The responsibility of teaching young generations.

I do not know the intentions of this professor, and in this far away place (Italy) the idea of responsible disclosure is as real as a vision of water springs in the depths of the desert. I believe this professor did not do it out of ill will, but rather out of ignorance. I'm not able to contact him at this point, nor do I think it would change anything, because intentions, while they do matter, cannot make the damage disappear.

Some hurt is direct and immediate, while other hurt is slow and takes time to manifest, but it is still damaging and limiting. Receiving a low quality education is like slowly poisoning yourself into thinking either that you are too stupid to learn, or that you know a lot, while in reality you do not have the first clue about what you are and what you're studying. In the long run, exposure to bad education can make you doubt your own ability and produce dangerous effects for yourself and the people around you.

I was able to understand, analyze and finally overcome his mistakes because, thankfully, the world is large, and the internet has allowed me to explore new ideas and to extract new knowledge from people all over the world. This is how I deal with the limitations of my caregivers:

by observing everyone, and learning something from everyone

I feel like in Italy we're so filled with professors like that. People who know a little bit of something, and have the power to teach the young generations, who, just for their being young and naive, know less than them. In their teachings, these professors are limiting their students.

The first thing a professor should tell his students, in my opinion, is not what he/she knows, but rather, what he/she does not know.

This is the limit of my knowledge. Up until there, I can guide you, I can help you, I can support you. But beyond that, we're all the same. Conscious beings who have just woken up in the middle of a long dream, trying to find a path in this unknown land we call home. So learn, learn what I know, and then help me, help us, to know more, for there is always more to know.

Knowledge should not divide the relationship between students and professors. Knowledge is not there to make us feel superior, nor is ignorance there to make us feel stupid. The universe is so, so large that no matter how much you know, ultimately there are countless things you do not know and will never know. Knowledge is something we build and share together, to make us all stronger.

I hope this website will change in order to become more worthy of the role it is supposed to have in the life of the students and professors who use it regularly.