His passwords were SHA-256 hashed. Was it possible for the attacker to reverse the actual password? Unlikely... all he needed to do was to write a union select:
select username, password from users where username = '-1' union select 'admin','8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918' from dual;
The injected password value is the SHA-256 hash of the string 'admin', and he was able to trick the authentication checking logic by providing 'admin' as the password string. Simple, right? So I started wondering whether there is a way to hash passwords that would withstand such an attack (of course, if your app is prone to SQL injection you fix IT, not leave it and wish for the best). And there is a way.
The algorithm for hash creation could be something like:
- Define a cryptographically secure hash function, like sha256.
- Define a web-application-global secure random password; let's denote it: key
- Get the user's credentials (username, password).
- Create a salt := sha256(username + secure_random)
- Calculate hash := sha256(salt + password + key)
- Store salt+hash in the database.
And now the checking algorithm:
- Look up the (salt+hash) tuple for the given username.
- Calculate provided_hash := sha256(salt + provided_password + key)
- Compare provided_hash with hash.
- If they match, your user can be authenticated.
P.S.: SHA can be replaced by some KDF function like PBKDF2 or scrypt.
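The creation and checking steps above, next to the plain sha256(password) check that the union select bypassed, as an added Python example that is not code from the original post. It assumes the key is kept in application configuration rather than in the database; `APP_KEY`, `plain_verify`, `keyed_create` and `keyed_verify` are names chosen for this illustration, and the forged row is constructed sample data.

```python
import hashlib
import hmac
import secrets

# Application-wide secret ("key" in the text). Assumption: loaded from
# configuration outside the database; generated here so the example runs.
APP_KEY = secrets.token_bytes(32)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def plain_verify(stored_hash: str, provided_password: str) -> bool:
    """The scheme that was bypassed: hash = sha256(password)."""
    return hmac.compare_digest(sha256_hex(provided_password.encode()), stored_hash)

def keyed_create(username: str, password: str, key: bytes = APP_KEY) -> tuple:
    """Creation steps from the text; returns the (salt, hash) pair to store."""
    salt = sha256_hex(username.encode() + secrets.token_bytes(16))
    digest = sha256_hex(salt.encode() + password.encode() + key)
    return salt, digest

def keyed_verify(salt: str, stored_hash: str, provided_password: str,
                 key: bytes = APP_KEY) -> bool:
    """Checking steps from the text, with a constant-time comparison."""
    provided_hash = sha256_hex(salt.encode() + provided_password.encode() + key)
    return hmac.compare_digest(provided_hash, stored_hash)

def demo() -> dict:
    # Constructed sample: the row a UNION SELECT can place in the result set.
    # Whoever injects it picks every column value but does not know APP_KEY.
    forged_hash = sha256_hex(b"admin")  # same value as in the query above
    forged_salt = "00" * 32             # arbitrary salt column value
    salt, digest = keyed_create("alice", "correct horse")
    return {
        "plain_accepts_forged": plain_verify(forged_hash, "admin"),
        "keyed_accepts_forged": keyed_verify(forged_salt, forged_hash, "admin"),
        "keyed_accepts_real": keyed_verify(salt, digest, "correct horse"),
        "keyed_rejects_wrong": not keyed_verify(salt, digest, "wrong"),
    }

if __name__ == "__main__":
    print(demo())
```

The forged row passes the plain check and fails the keyed one, because a matching hash column cannot be computed without the key.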