Question

can you create two examples for each of the vulnerabilities in the category below and possible fixes

Use of a Broken or Risky Cryptographic Algorithm

Improper Restriction of Excessive Authentication Attempts

Use of a One-Way Hash without a Salt

Answer 1

The software is used one-way cyrptograhic hash which is always against the input but hard to invert given the image of a random input. the input are like password but software will not use a salt as part of input. the ideal cryptographic hash function four main properties:

• it is easy to compute the hash value for any given message.
• it is not easy to generate a message that has given hash one-way function
• it is not easy to modify a message without changing the hash
• it is not easy to to find two different messages with the same hash

The Rainbow table is precomputing lookup table offering a time memory trade-off is used in recovery plain text password from a password hash generated by hash functions such as cryptographic has function. They are compromises between pre-computing all plaintexts to hashes are looking up through table of plaintext, hash. The table only stores the starting plaintext, and the final has choose to end with, and so chain containing millions of hashes can be represented with only a single starting plaintext, and single finishing hash.

suppose, we have hash and want to find the plaintext, so we search saved hashes. if we find that hash, we reconstruct the hash-chain and after each new generated hash we search through the saved hashes to see if we already know it.

Some hash function have become vulnerable. along with the mistake of not using a salt this makes it easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables. it's should be noted that, despite common perception, using a salt with a hash does not sufficiently increase the protection level. the attackers who is targeting an individual password, or who has a large amount of computing resources available can still pre-compute the hash. the use of a salt only slightly increase the computing requirements for an attakers compared to other strategies such as adaptive has functions.

The real danger is offline cracking. Hackers break into a system to steal the encrypted password file or develop or secretly listen to conversation on an encrypted exchange across the internet. they are then free to decrypt the passwords without anybody stopping them. if an attacker can obtain the hashes through some other method such as SQL injection on a database that stores hashes, then the attacker can store the hashes offline and use various techniques to crack the passwords by computing hashes effictively.

The Detection can be done by following ways:

• Source Code Weakness Analyzer.
• Context-soruce code weakness analyzer
• Binary/Bytecode disassembler then use manual analysis for vulnerabilities & anomalies.

Example 1:

• A user is looged in if their given password matches a stored password:

  unsigned char *check_passwd(char *plaintext) {
  ctext = simple_digest("sha1",plaintext,strlen(plaintext),...);
  //login if hash matches stored hash
  if(equal(ctext,secret_password())) {
  login_user();
  }
  }

  This code does not provide a salt to the hasing function, thus increasing the chances of an attacker being able to reverse the hash and discover the original password. the code will fixed as follows:
  

  unsigned char *check_passwd(char *plaintext) {
  strcpy(stext,plaintext);
  strcat(stext,salt);
  ctext = simple_digest("sha1",stext,strlen(stext),...);
  //login if hash matches stored hash
  if(equal(ctext,secret_password())) {
  login_user();
  }
  }

Example 2

• In this example, a new user provides a new username and password to create an account. The program hashes the new user's password then stores it in a database.

  unsigned char *add_db(char *user,char *pass) {
  cpass = simple_digest("shah1",pass,strlen(pass),...);
  update_db(user,cpass);
  }

  there is no salt providing to the hasing function in the code, the chances of an attacker being able to reverse the hash and discover the original password if the database is compromised.
  

  unsigned char *add_db(char *user,char *pass) {
  strcpy(spass,pass);
  strcat(spass,salt);
  cpass = simple_digest("shah1",spass,strlen(spass),...);
  update_db(user,cpass);
  }

The adaptive hash function can be configured change the number of repetition of process. it can be configured to randomize the salt, the number of repetition of process and salt are saved in the database along with the hash. there is active debate about which of these functions is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. the use of these function can have an impact on performance, so they require special consideration to avoid the action of denying of service attacks.