Rideout, I. (2023). Film Review: ‘Harry Potter and the Chamber of Secrets’ (2002). Reel Rundown. https://reelrundown.com/movies/Film-Review-Harry-Potter-and-the-Chamber-of-Secrets-2002
Due to a bad practice in securing the Chamber of Secrets Web Application, dark forces were able to gain access to it and started exploiting it. Thanks to Mr Harry Potter, he saved us again this time. Now, we need to practice how to safeguard it to prevent this from happening again. This episode will be important if you are planning for a career or preparing for an interview in Web development or Cybersecurity fields. In this episode, we will dive into how to secure our Chamber of Secrets, allowing access only for eligible wizards and protecting it against dark forces. This will be done in alignment with the continuation of using referencing and citation, as we did last episode. Before we delve into professional and reality terminologies, let’s start by establishing some laws and regulations for the Chamber of Secrets Website
- Password COMPLEXITY: Wizards must create passwords that combine magical symbols, numbers, and both upper and lower-case letters, creating an impenetrable shield against common spells (password cracking techniques).
- Hogwarts HASHING Spell: Before granting entry, a spell should be casted which transforms each wizard’s name into a unique code.
- SALTING Potion : To add an extra layer of flavor to the protection on each wizard’s hashed name making it even more resistant to dark arts (cyber-attacks).
- KEY DERIVATION Elixir : This magical elixir serves a dual purpose. First, it transforms the wizard’s password into a unique cryptographic key.
- Invisibility Cloak (Securing Credentials during Transmission): The Harry Potter cloak was protecting him during his adventures with Mr Argus Flich. The cloak made him unseen by dark creatures.
- The Dual Authentication Charm: According to our laws, ‘ Wizards require not only the enchanted key or password which is “SOMETHING THEY KNOW” but also a special magical object “SOMETHING THEY HAVE” for example, Ron Weasley Deluminator to gain access. This ensures that even if one layer is breached, the Chamber remains secure.
1. Overview:
Websites have become dynamic in terms of interacting with users and storing their data, however theses data are valuable for hackers because a large scale of people are using web applications (Deepa et al., 2016). Accordingly, there is a necessity for designing websites that has fewer vulnerabilities especially from the developer side because while designing a website it is not attainable to trust the user behaviour (Sullivan et al., 2012). Therefore, in the following lines there will be various approaches for decreasing the attacking surface of user’s credentials.
2. Password Complexity:
According to Sullivan et al. (2012), passwords attacks can occur by brute forcing attack in which the attacker uses automated tools to test every single match of characters. Likewise, dictionary attack can also be implemented using a list of commonly used passwords is used to guess the password (Sullivan et al., 2012). As a result, it is necessary to obligate users into using long and complex passwords (Sullivan et al., 2012). However, these approaches are used to elongate the amount of time needed by hackers to attain the passwords because in cyber world there is nothing unattainable, that is why it is suggested also to change the credentials periodically (Sullivan et al., 2012).
3. Hashing, Salting and Key Derivation Function:
Password hashing using algorithms is beneficial because when a user attempts login, the back-end side will compare the user input to the hashed passwords and validates the input (Sullivan et al., 2012). The use of salting is recommended by Sullivan et al. (2012), because it gives two different hashing values in case there are two identical passwords in the database. The approach of using key derivation function is used to secure even the easiest passwords in terms of guessing against dictionary attacks, by implementing a key over the stored hashed passwords in the database (Lake, 2022).
4. Securing Credentials during transmission:
HTTPS is preferable over HTTP because it encrypts the transmitted data and it is effective against eavesdropping attacks especially when the browsing session include passwords or payment data (Awati, 2022). Additionally, HTTPS guarantees that the user is browsing the real version of website not a malicious version (Awati, 2022). Secure Socket Layer (SSL) and Transport Layer Security (TLS) are used to secure the HTTPS sessions against being intercepted by attackers (Das et al., 2014). For instance, hackers may intercept a session and change the href tags to HTTP instead of HTTPS before the user receives the desired web page (Das et al., 2014). Additionally, hackers may alter the function of an input form by allowing it to redirect to another malicious URL (Sullivan et al., 2012). Moreover, SSL is also required to be implemented because web browsers tend to cache the user data which leave them exposed to attacks (Sullivan et al., 2012).
5. Securing the Stored Credentials:
Database can be protected by hiding how the developer refer to the username and password fields in the HTML code. It is crucial also that when a user input a username for example, not to specify which credential is wrong. According to CWE-548 (2006), it is a necessity to hide the PHP directories because leaving them exposed is considered a vulnerability and hackers can gain access to users data. For instance, hackers can use Dirbuster to look for browsable directories and gain access to sensitive information.
6. Supplementary Forms of Authentication:
Dual-factor authentications is used to protect the credentials by requesting an additional sort of validating the user identity using biometric authentication or a smartphone application (Rosencrance et al., 2021). Moreover this can also be done using One-Time-Password (OTP) sent via SMS, as mentioned by Das et al. (2014), this approach is used to secure the authenticity of users. However, locking the user account after several use of wrong credentials is beneficial against dictionary and brute force attacks (Sullivan et al., 2012). The lock of the account might be applied for some hours or until the user proves his identity by other methods of authentications (Sullivan et al., 2012). Another method is using CAPTCHA which is useful against brute forcing attacks by asking for a question or a task that can only be done by a human being (Sullivan et al., 2012).
7. Refrences:
Awati, R. (2022). Hypertext Transfer Protocol Secure (HTTPS). TechTarget. Retrieved from https://www.techtarget.com/searchsoftwarequality/definition/HTTPS
CWE-548. (2006). Common Weakness Enumeration. Retrieved from https://cwe.mitre.org/data/definitions/548.html
Das, M. L., & Samdaria, N. (2014). On the security of SSL/TLS-enabled applications. Applied Computing and Informatics, 10(1–2), 68-81. Retrieved from https://doi.org/10.1016/j.aci.2014.02.001
Deepa, G., & Thilagam, P. S. (2016). Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Information and Software Technology, 74,160-180. Retrieved from https://doi.org/10.1016/j.infsof.2016.02.005
Lake, J. (2022). What is a key derivation function (KDF) and how do they work? Comparitech. Retrieved from https://www.comparitech.com/blog/information-security/key-derivation-function-kdf/
Rosencrance, L., Loshin, P., & Cobb, M. (2021). What is Two-Factor Authentication (2FA) and How Does It Work ? TechTarget. Retrieved from https://www.techtarget.com/searchsecurity/definition/two-factor-authentication
Sullivan, B., & Liu , V. (2012). Web Application Security, A Beginner’s Guide. McGraw Hill.