How to connect to server with website's database, more secure using GET

Question

I have a java server, I want to connect to my server using my forum's user details.

But there is a problem.

I am using Xenforo, and I can't really know xenforo's algorithm. Yes I figured out, it's

public static String encryptPassword(String password) {
 return sha1(sha1(password)+theSalt);
}

The salt is $salt in xenforo, but I have checked, Xenforo generates a NEW salt for each user.. which makes it even more diffcult to do server sided & I can't really find how it generates it, how it encrypting the passwords, how it finds out the encryiption, xenforo has over 70 classes if im not wrong.

Sha1(sha1 $password is right, the salt is wrong.

I gave up on it, and made a php file that will check if the login details are correct web-sided (Using Xenforo's functions).

<?php
$startTime = microtime(true);
//FULL PATH.
require('/var/www/mydir/forums/library/XenForo/Autoloader.php');
XenForo_Autoloader::getInstance()->setupAutoloader('/var/www/mydir/forums/library');

XenForo_Application::initialize('/var/www/mydir/forums/library');
XenForo_Application::set('page_start_time', $startTime);

//Crypt code you set for your login, if you dont have it, then just comment $crypt out, but this is VERY useful agaisnt brute forces.
$crypt = $_POST['crypt'];

if (isset($_POST['username']) && isset($_POST['password']) && $crypt === 911895326) {

    //Username you're posting from server.
    $username = $_POST['username'];
    //Password you're posting from server.
    $password = $_POST['password'];

    $db = XenForo_Application::getDb();

    $data = $db->fetchOne('
    SELECT
    auth.data
    FROM xf_user_authenticate AS auth
    INNER JOIN xf_user AS user ON
    (user.user_id = auth.user_id)
    WHERE user.username = ?
    ', $username);

    //Gets the auth from Xenforo classes
    $auth = XenForo_Authentication_Abstract::createDefault();

    $auth->setData($data);

    //Checks if equal through the hash
    $check = $auth->authenticate($username, $password);

    //dump for testing (true/false)
    Zend_Debug::dump($check);

    /* CHECKING METHOD */ 

        //Checks if login details are equal to the ones that are in the database.
        if ($check) {
            //Prints "Success" string, so you can check in java if the printed string is that, if yes, then create login.
            echo 'Success';
        } else {
            echo 'Failed';
        }
    }

?>

The java server will send something like this over GET method:

http://yourwebsite.com/password.php?crypt=123456789&username=jony&password=1234567

And then the PHP will check if the crypt is correct, the user is matching, and if the password matching.

If details are correct, system will print 'true'. And from the java server I can check if theres a string named 'true' on that page. If yes, create login, if not, give error.

Some people told me that this is EXTREMELY insecure, you can fetch the URL using wireshark program and then brute force the passwords using that url.

Is this true? Is that method is insecure?

Are there any other options besides that, or directly matching password from database? Or any improvements on this method? :

public class letLogin {

    private static final string CRYPTION_ID = 'faCuGujuF32XaNeWr3t7';
    private static final String WEBSITE_DOMAIN = "http://yourwebsite.com/";

    public static int processUser(Client client){
        try {
            String URL = WEBSITE_DOMAIN + "loginProtocol.php?crypt=" + CRYPTION_ID + "&name="+client.playerName.toLowerCase().replace(" ","_")+"&pass="+client.playerPass;
            HttpURLConnection CONNECTION_HANDLE = (HttpURLConnection) new URL(URL).openConnection();
            BufferedReader OUTPUT_HANDLE = new BufferedReader(new InputStreamReader(CONNECTION_HANDLE.getInputStream()));
            String OUTPUT_DATA = OUTPUT_HANDLE.readLine().trim();
            try {
                if (!OUTPUT_DATA.contains("success"))
                    return 3;

            } catch(Exception e){
                System.out.println("Web server not responding for query: " +OUTPUT_DATA);
                return 8;               
            }
        } catch(Exception e2){ }
        return 2;
    }
}

Thanks!

Answer 1

This method is incredibly insecure. However, if you change your URL to use https instead, it will be secure and you can send the password over plain text like that.

https://yourwebsite.com/password.php?crypt=123456789&username=jony&password=1234567

If you keep it how it is and send it without SSL (over http), when someone uses wireshark, they won't even have to brute force the password. It will just be visible to them.

HTTPS is secure, sources:

• https://stackoverflow.com/a/962194/809278
• https://stackoverflow.com/a/1582986/809278
• https://security.stackexchange.com/a/7058

You also need to change $_POST to $_GET on the server side code.

Answer 2

First of all, you wont get the variables as you pass those in GET but you get them in POST. It is insecure if using GET, I don't need to use wireshark, i can know your password by only viewing your browser history.... I don't know XenForo, but my preference is: sha1 the original password-> Post username and the encrypt pwd -> check the hash with that pwd and the one in db