Compare commits
5 Commits
57cc2c3fa0
...
296bda7f76
| Author | SHA1 | Date | |
|---|---|---|---|
| 296bda7f76 | |||
| f395e5ac6f | |||
| 3f7a2d2d61 | |||
| fb80cb78eb | |||
| c06e1bd64b |
19
passman-dev/Caddyfile
Normal file
19
passman-dev/Caddyfile
Normal file
@ -0,0 +1,19 @@
|
||||
# HTTP site: redirect everything to HTTPS
|
||||
http://localhost {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
|
||||
# HTTPS site
|
||||
https://localhost {
|
||||
reverse_proxy web:80
|
||||
tls internal
|
||||
|
||||
# Optional: security headers (defense-in-depth)
|
||||
header {
|
||||
X-Content-Type-Options "nosniff"
|
||||
X-Frame-Options "DENY"
|
||||
Referrer-Policy "no-referrer"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -22,6 +22,12 @@ CREATE TABLE IF NOT EXISTS `dummy` (
|
||||
`id` int(11) DEFAULT NULL
|
||||
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
|
||||
|
||||
-- Create a dedicated DB user for the web application (least privilege).
|
||||
-- Grant only the required privileges on the application database.
|
||||
CREATE USER IF NOT EXISTS 'passman_app'@'%' IDENTIFIED BY 'passman_app_pw';
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON pwd_mgr.* TO 'passman_app'@'%';
|
||||
FLUSH PRIVILEGES;
|
||||
|
||||
CREATE TABLE IF NOT EXISTS `login_users` (
|
||||
`id` int(11) NOT NULL AUTO_INCREMENT,
|
||||
`username` varchar(20) NOT NULL,
|
||||
@ -31,7 +37,7 @@ CREATE TABLE IF NOT EXISTS `login_users` (
|
||||
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
|
||||
|
||||
INSERT INTO `login_users` (`id`, `username`, `password`) VALUES
|
||||
(1, 'u1', 'p1');
|
||||
(1, 'u1', '$2y$10$L18u5/PyVkDgsce/DsUOQu0sKhTzh854Euhog3cVb1W4YAfgRzY8W'); -- php -r 'echo password_hash("p1", PASSWORD_DEFAULT), PHP_EOL;'
|
||||
|
||||
CREATE TABLE IF NOT EXISTS `notes` (
|
||||
`notesid` int(11) NOT NULL AUTO_INCREMENT,
|
||||
|
||||
@ -2,18 +2,30 @@
|
||||
services:
|
||||
web:
|
||||
build: .
|
||||
ports:
|
||||
- "80:80"
|
||||
# ports:
|
||||
# - "80:80"
|
||||
volumes:
|
||||
- ./php:/var/www/html
|
||||
environment:
|
||||
DB_HOST: db
|
||||
DB_USER: root
|
||||
DB_PASS: rootpass
|
||||
DB_NAME: pwd_mgr
|
||||
DB_USER: passman_app
|
||||
DB_PASS: passman_app_pw
|
||||
depends_on:
|
||||
- db
|
||||
|
||||
proxy:
|
||||
image: caddy:2
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||
- caddy_data:/data
|
||||
- caddy_config:/config
|
||||
depends_on:
|
||||
- web
|
||||
|
||||
db:
|
||||
image: mariadb:11
|
||||
container_name: passman_db
|
||||
@ -30,4 +42,6 @@ services:
|
||||
|
||||
volumes:
|
||||
dbdata:
|
||||
caddy_data:
|
||||
caddy_config:
|
||||
|
||||
|
||||
@ -3,8 +3,8 @@
|
||||
// NOTE: In Docker, the DB host is the service name (e.g., "db"), not "localhost".
|
||||
|
||||
$DB_HOST = getenv('DB_HOST') ?: 'db';
|
||||
$DB_USER = getenv('DB_USER') ?: 'root';
|
||||
$DB_PASS = getenv('DB_PASS') ?: 'rootpass';
|
||||
$DB_USER = getenv('DB_USER') ?: 'passman_app';
|
||||
$DB_PASS = getenv('DB_PASS') ?: 'passman_app_pw';
|
||||
$DB_NAME = getenv('DB_NAME') ?: 'pwd_mgr';
|
||||
|
||||
// Create a DB connection.
|
||||
|
||||
@ -15,23 +15,23 @@
|
||||
<br />
|
||||
<ul>
|
||||
<li>
|
||||
<a href="http://localhost/passman/register.php">Registration Form</a>
|
||||
<a href="/passman/register.php">Registration Form</a>
|
||||
</li>
|
||||
<br />
|
||||
<li>
|
||||
<a href="http://localhost/passman/login.php">Login Page</a>
|
||||
<a href="/passman/login.php">Login Page</a>
|
||||
</li>
|
||||
<br />
|
||||
<li>
|
||||
<a href="http://localhost/passman/logout.php">Logout Page</a>
|
||||
<a href="/passman/logout.php">Logout Page</a>
|
||||
</li>
|
||||
<br />
|
||||
<li>
|
||||
<a href="http://localhost/passman/dashboard.php">Dashboard</a> (display passwords for websites)
|
||||
<a href="/passman/dashboard.php">Dashboard</a> (display passwords for websites)
|
||||
</li>
|
||||
<br />
|
||||
<li>
|
||||
<a href="http://localhost/passman/notes.php">Notes</a> (notes/comments/announcements)
|
||||
<a href="/passman/notes.php">Notes</a> (notes/comments/announcements)
|
||||
</li>
|
||||
<br />
|
||||
</ul>
|
||||
@ -41,18 +41,18 @@
|
||||
<br />
|
||||
<ul>
|
||||
<li>
|
||||
Test <a href="http://localhost/passman/test_hash.php">hashing</a> functions in PHP (server side)
|
||||
Test <a href="/passman/test_hash.php">hashing</a> functions in PHP (server side)
|
||||
</li>
|
||||
<br />
|
||||
<li>
|
||||
Test <a href="http://localhost/passman/test_encrypt.php">encrypting/decrypting</a> functions in PHP (server side)
|
||||
Test <a href="/passman/test_encrypt.php">encrypting/decrypting</a> functions in PHP (server side)
|
||||
</li>
|
||||
<br />
|
||||
</ul>
|
||||
|
||||
<br />
|
||||
Hacker's side (for using stealing cookies using XSS):
|
||||
<a href="http://localhost/passman/xss">http://localhost/passman/xss</a>
|
||||
<a href="/passman/xss">passman/xss</a>
|
||||
<br />
|
||||
|
||||
</body>
|
||||
|
||||
@ -26,46 +26,51 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
// }
|
||||
require_once __DIR__ . "/config.php";
|
||||
|
||||
// SQL injection mitigation: use a prepared statement with bound parameters.
|
||||
// User input is treated strictly as data, not as part of the SQL syntax.
|
||||
$stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?");
|
||||
|
||||
// Authentication with hashed passwords:
|
||||
// 1) Fetch the stored hash by username
|
||||
// SQL injection mitigation: use a prepared statement with bound parameters.
|
||||
// User input is treated strictly as data, not as part of the SQL syntax.
|
||||
// 2) Verify the submitted password with password_verify()
|
||||
$stmt = $conn->prepare("SELECT id, password FROM login_users WHERE username = ?");
|
||||
if ($stmt === false) {
|
||||
// Fail closed (do not leak details in production).
|
||||
die("Prepare failed.");
|
||||
}
|
||||
|
||||
$stmt->bind_param("ss", $username, $password);
|
||||
$stmt->bind_param("s", $username);
|
||||
$stmt->execute();
|
||||
$stmt->store_result(); // Needed to use $stmt->num_rows
|
||||
|
||||
$result = $stmt->get_result(); // Requires mysqlnd (usually enabled)
|
||||
unset($_POST['username']);
|
||||
unset($_POST['password']);
|
||||
|
||||
if ($stmt->num_rows >= 1) {
|
||||
// Regenerate session ID to prevent session fixation!
|
||||
//session_regenerate_id(true);
|
||||
if ($result && $result->num_rows === 1) {
|
||||
$row = $result->fetch_assoc();
|
||||
$stored_hash = $row["password"];
|
||||
|
||||
// Successfully logged in
|
||||
$_SESSION['username'] = $username;
|
||||
$_SESSION['loggedin'] = true;
|
||||
// Verify password against the stored hash.
|
||||
if (password_verify($password, $stored_hash)) {
|
||||
// Regenerate session ID to prevent session fixation!
|
||||
//session_regenerate_id(true);
|
||||
|
||||
//while ($row = $result -> fetch_assoc()) {
|
||||
// print_r($row);
|
||||
// $_SESSION['user_id'] = $row['id'];
|
||||
//}
|
||||
// Successfully logged in
|
||||
$_SESSION['username'] = $username;
|
||||
$_SESSION['loggedin'] = true;
|
||||
|
||||
// Close
|
||||
$stmt->close();
|
||||
$conn -> close();
|
||||
$stmt->close();
|
||||
$conn->close();
|
||||
|
||||
// Redirect to a dashboard page
|
||||
header("Location: dashboard.php");
|
||||
exit;
|
||||
header("Location: dashboard.php");
|
||||
exit;
|
||||
} else {
|
||||
$login_message = "Invalid username or password";
|
||||
}
|
||||
} else {
|
||||
$login_message = "Invalid username or password";
|
||||
}
|
||||
|
||||
$stmt->close();
|
||||
$conn -> close();
|
||||
$conn->close();
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
||||
@ -37,8 +37,17 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
$login_message = "Database error (prepare failed).";
|
||||
$result = false;
|
||||
} else {
|
||||
$stmt->bind_param("ss", $new_username, $new_password);
|
||||
$result = $stmt->execute();
|
||||
// Hash the password before storing it.
|
||||
// Never store login passwords in plaintext.
|
||||
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
|
||||
if ($password_hash === false) {
|
||||
$login_message = "Password hashing failed.";
|
||||
$result = false;
|
||||
} else {
|
||||
// Store the hash (not the plaintext password).
|
||||
$stmt->bind_param("ss", $new_username, $password_hash);
|
||||
$result = $stmt->execute();
|
||||
}
|
||||
$stmt->close();
|
||||
}
|
||||
|
||||
|
||||
84
passman-dev/php/passman/test_encrypt.php
Normal file
84
passman-dev/php/passman/test_encrypt.php
Normal file
@ -0,0 +1,84 @@
|
||||
<?php
|
||||
// Simple example of encrypting/decrypting data using a password
|
||||
|
||||
function getPasswordHash_Bin($username, $password) {
|
||||
$salt = hash('sha256', $username, true); // Compute salt as the hash of the username (parameter 'true' computes hash in bin format, default is hex)
|
||||
$saltedPwd = $salt . $password; // Get a salted password by combining salt and password
|
||||
$hashedPwd = hash('sha256', $saltedPwd, true); // Hash the salted password using SHA-256
|
||||
// Return the password hash and the salt
|
||||
return [
|
||||
'hash' => $hashedPwd,
|
||||
'salt' => $salt
|
||||
];
|
||||
}
|
||||
|
||||
function deriveEncryptionKey($username, $password) {
|
||||
// Compute binary hash of salted-password (and salt) from username and password
|
||||
$pwdHash = getPasswordHash_Bin($username, $password);
|
||||
|
||||
// Derive a secure key using PBKDF2
|
||||
$iterations = 100000; // Number of iterations for PBKDF2
|
||||
$keyLength = 32; // Key length = 32 bytes for AES-256
|
||||
$key = hash_pbkdf2('sha256', $pwdHash['hash'], $pwdHash['salt'], $iterations, $keyLength, true); // Parameter 'true' computes hash_pbkdf2 in bin
|
||||
return $key;
|
||||
}
|
||||
|
||||
// Encrypt data using AES-256-GCM
|
||||
function encryptData($data, $key) {
|
||||
$nonce = random_bytes(12); // 12 bytes for AES-GCM nonce
|
||||
$cipher = "aes-256-gcm";
|
||||
|
||||
// Encrypt the data
|
||||
$ciphertext = openssl_encrypt($data, $cipher, $key, OPENSSL_RAW_DATA, $nonce, $tag);
|
||||
|
||||
//echo "nonce: " . bin2hex($nonce) . "<br>";;
|
||||
//echo "tag: " . bin2hex($tag) . "<br>";;
|
||||
|
||||
// Concatenate nonce, tag, and ciphertext for storage
|
||||
$result = $nonce . $tag . $ciphertext;
|
||||
return base64_encode($result); // Encode to make it suitable for storage or transmission
|
||||
}
|
||||
|
||||
// Decrypt data using AES-256-GCM, extracting nonce, tag, and ciphertext from the concatenated string
|
||||
function decryptData($encryptedData, $key) {
|
||||
$cipher = "aes-256-gcm";
|
||||
|
||||
// Decode the base64-encoded data
|
||||
$encryptedData = base64_decode($encryptedData);
|
||||
|
||||
// Extract nonce (12 bytes), tag (16 bytes), and ciphertext
|
||||
$nonce = substr($encryptedData, 0, 12);
|
||||
$tag = substr($encryptedData, 12, 16);
|
||||
$ciphertext = substr($encryptedData, 28);
|
||||
|
||||
// Decrypt the data
|
||||
$decryptedData = openssl_decrypt($ciphertext, $cipher, $key, OPENSSL_RAW_DATA, $nonce, $tag);
|
||||
|
||||
return $decryptedData;
|
||||
}
|
||||
|
||||
|
||||
// Example Usage
|
||||
$username = "user123";
|
||||
$password = "securepassword";
|
||||
$dataToEncrypt = "Sensitive Data";
|
||||
|
||||
// Derive a symmetric encryption/dec key by hashing the password (and username as the salt) using PBKDF2 algorithm
|
||||
$encryptionKey = deriveEncryptionKey($username, $password);
|
||||
|
||||
// Encrypt the data
|
||||
$encrypted = encryptData($dataToEncrypt, $encryptionKey);
|
||||
|
||||
// Decrypt the data
|
||||
$decrypted = decryptData($encrypted, $encryptionKey);
|
||||
|
||||
// Display results
|
||||
echo "Original Data: $dataToEncrypt<br>";
|
||||
//echo "Encryption Key (in bin): " . $encryptionKey . "<br>";
|
||||
//echo "Encryption Key (in hex): " . bin2hex($encryptionKey) . "<br>";
|
||||
echo "Encrypted Data (in base64): " . $encrypted . "<br>";
|
||||
//echo "Encrypted Data (in bin): " . base64_decode($encrypted) . "<br>";
|
||||
//echo "Encrypted Data (in hex): " . bin2hex(base64_decode($encrypted)) . "<br>";
|
||||
echo "Decrypted Data: $decrypted<br>";
|
||||
|
||||
?>
|
||||
46
passman-dev/php/passman/test_hash.php
Normal file
46
passman-dev/php/passman/test_hash.php
Normal file
@ -0,0 +1,46 @@
|
||||
<?php
|
||||
// Simple example of hashing password
|
||||
|
||||
$username = "user123";
|
||||
$password = "securepassword";
|
||||
|
||||
// Compute salt as the hash of the username
|
||||
$salt = hash('sha256', $username);
|
||||
|
||||
// Get a salted password by combining salt and password
|
||||
$saltedPwd = $salt . $password;
|
||||
|
||||
// Hash the salted password using SHA-256
|
||||
$hashedPwd = hash('sha256', $saltedPwd);
|
||||
|
||||
// Display variables
|
||||
echo "Username: $username<br>";
|
||||
echo "Password: $password<br>";
|
||||
|
||||
echo "Salt (computed as the username's hash): $salt<br>";
|
||||
echo "Salted password: $saltedPwd<br>";
|
||||
echo "Hash of salted password: $hashedPwd<br>";
|
||||
echo "<p>";
|
||||
|
||||
|
||||
// Same as above but using a function
|
||||
|
||||
function getPasswordHash_Hex($username, $password) {
|
||||
// Compute hash of salted-password (and salt) from username and password (in hex format)
|
||||
$salt = hash('sha256', $username); // Compute salt as the hash of the username
|
||||
$saltedPwd = $salt . $password; // Get a salted password by combining salt and password
|
||||
$hashedPwd = hash('sha256', $saltedPwd); // Hash the salted password using SHA-256
|
||||
// Return the password hash and the salt
|
||||
return [
|
||||
'hash' => $hashedPwd,
|
||||
'salt' => $salt
|
||||
];
|
||||
}
|
||||
|
||||
// Example usage of function getPasswordHash
|
||||
$getHasedPwd = getPasswordHash_Hex($username, $password);
|
||||
// Display results
|
||||
echo "Salt (in hex) computed using function getPasswordHash_Hex: " . $getHasedPwd['salt'] . "<br>";
|
||||
echo "Hash (in hex) computed using function getPasswordHash_Hex: " . $getHasedPwd['hash'] . "<br>";
|
||||
|
||||
?>
|
||||
Loading…
x
Reference in New Issue
Block a user