John's employer needed a small web app built, so someone in management went out and hired a contracting firm to do the work, with the understanding that once it was done, their own internal software teams would do maintenance and support.
Fortunately for John's company, their standard contract included a few well-defined checkpoints, for both code quality audits and security audits. It's the last one that's relevant in this case.
There are three things you should never build for your application: date handling logic, encryption algorithms, or authentication mechanisms. These are all things that sound simple on the surface, but are actually quite difficult. You will mess them up, and you'll regret it. What's remarkable here, however, is seeing how badly one can mess up authentication:
```javascript
$(document).ready(function() {
    $("#password").val("");
    $("#button").click( function() {
        // The "secret" on the right-hand side is rendered by PHP straight into the page source.
        if($("#password").val() == "<?php echo $rowFromDatabase['admin_password']; ?>"){
            showAdminInterface();
        }
        else
        {
            alert('Password not valid :(');
        };
    });
});
```
What you see here is client-side JavaScript. When the user clicks the wonderfully named `#button`, we compare their `#password` entry against… `<?php echo $rowFromDatabase['admin_password']; ?>`.
Not only are they storing the administrator password in plaintext in the database, they're dumping the admin password in the body of the document. Anyone can just hit "view source" and log in as an administrator.
Obviously, this failed the audit. "But," the contractor said, "it's perfectly safe, because we disabled right clicks, so no one can view source."
Shockingly, this still failed the audit.