Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A new password has to be set after every software reset. Resets following a fault, and power-on resets, do not require a new password because the password hash is restored from the RTC GPREG register (this relies on the RTC backup domain keeping its contents through the reset).

The password itself is not stored on the device; only a 32-bit hash of it is. Because any password whose hash matches is accepted, an attacker who can submit guesses needs on average 2^31 attempts to get in, whatever the password's length: at one attempt per millisecond that is under a month. To slow this down the reply to the login form is delayed by 200 ms, which raises the expected time to about 13 years. Note that the delay only bounds sequential guesses; it does not limit guesses submitted over several connections at once unless the server processes one login at a time.

Once the password is accepted a random 36-bit session id is created, enough for six base-64 characters. Requests carrying a session id are not delayed, but even at one attempt per millisecond guessing the id would take over a year (2^35 attempts on average). This assumes the id comes from an unpredictable source; a predictable generator would shorten that considerably.

The most likely attack is to run a dictionary of, say, 10 million common passwords against the login form; with the 200 ms delay that would still take about 23 days (10^7 × 0.2 s), and it only succeeds if the password is in the dictionary.

Committer:
andrewboyson
Date:
Thu Jan 17 13:07:53 2019 +0000
Revision:
30:6a08abbe6301
Parent:
http-trace-script.js@14:c3c43c8faf0e
Child:
46:1822fdbe6c0c
Tidied up the base and derived portions

'use strict';

// Shared state for the trace page: the XMLHttpRequest currently in flight,
// the body of the most recent /ajax-trace reply (a string of hex digits) and
// that reply's raw response headers.
var ajax;
var response = '';
var headers = '';
andrewboyson 14:c3c43c8faf0e 5
function AjaxRequest(request)
{
    // Issue an asynchronous GET to /ajax-trace. A non-empty 'request' is
    // appended as the query string exactly as given: nothing here URL-encodes
    // it, so callers must pass an already well-formed query. The reply is
    // processed by handleAjaxResponse through the shared 'ajax' object.
    var url = '/ajax-trace';
    if (request) url += '?' + request;

    ajax = new XMLHttpRequest();
    ajax.onreadystatechange = handleAjaxResponse;
    ajax.open('GET', url, true);
    ajax.send();
}
function requestAjax()
{
    // Timer / DOMContentLoaded callback: fetch the trace flags with no query.
    AjaxRequest('');
}
andrewboyson 14:c3c43c8faf0e 18
function handleAjaxResponse()
{
    // Runs on every readyState change of the shared 'ajax' request. Only a
    // completed request (readyState 4) that succeeded (HTTP 200) refreshes the
    // page; errors and aborted requests are ignored and the old data stays.
    if (ajax.readyState !== 4) return;
    if (ajax.status !== 200) return;

    response = ajax.responseText;
    headers = ajax.getAllResponseHeaders();
    display();
}
andrewboyson 14:c3c43c8faf0e 28
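function DS18B20ToString(index)
{
    // Render the four hex digits of 'response' starting at 'index' as a DS18B20
    // temperature string with one decimal place. The digits are taken to be the
    // sensor's 16-bit two's-complement word with four fractional bits (1/16 degC
    // per LSB), which is what the divide by 16 implies; the values 7FFB..7FFF
    // are reserved by the firmware as error codes rather than readings.
    var text = response.substr(index, 4);
    switch (text)
    {
        case '7FFF': return 'CRC error';
        case '7FFE': return 'ROM not found';
        case '7FFD': return 'Timed out';
        case '7FFC': return 'No device detected after reset';
        case '7FFB': return 'Device removed during search';
    }

    var raw = parseInt(text, 16);
    // Sign-extend from 16 bits. The previous version rewrote only the top
    // nibble (F->0, E->1, ...) and negated, which is neither one's nor two's
    // complement: FFF0 (-1.0 degC) came out as -255.0. A short or non-hex
    // field parses as NaN and is still rendered as 'NaN', as before.
    if (raw >= 0x8000) raw -= 0x10000;
    return (raw / 16).toFixed(1);
}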
andrewboyson 14:c3c43c8faf0e 56
function hexToBit(iChar, iBit)
{
    // Return bit 'iBit' (0 = least significant) of the hex digit at position
    // 'iChar' of 'response'. A position past the end of the string parses as
    // NaN, which the shift turns into 0, so missing data reads as a clear flag.
    var digit = parseInt(response.charAt(iChar), 16);
    return (digit >> iBit) & 1;
}
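function display()
{
    // Refresh the page from the latest /ajax-trace reply. 'response' is a string
    // of hex digits; each trace flag is one bit of one digit, and the element
    // whose id matches the flag is given dir="rtl" when the flag is set and
    // dir="ltr" otherwise. Characters 1-4 carry the net host field. Elements the
    // current page does not contain are skipped.

    // [element id, hex digit index in 'response', bit within that digit]
    var flags = [
        ['ajax-log-uart',           0, 0],
        ['ajax-trace-dns-ip4',      0, 1],
        ['ajax-trace-ntp-ip4',      0, 2],
        ['ajax-trace-tftp-ip4',     0, 3],
        ['ajax-trace-net-stack',    5, 0],
        ['ajax-trace-net-newline',  5, 1],
        ['ajax-trace-net-verbose',  5, 2],
        ['ajax-trace-link',         5, 3],
        ['ajax-trace-dns-name',     6, 0],
        ['ajax-trace-dns-query',    6, 1],
        ['ajax-trace-dns-reply',    6, 2],
        ['ajax-trace-dns-server',   6, 3],
        ['ajax-trace-ntp',          7, 0],
        ['ajax-trace-dhcp',         7, 1],
        ['ajax-trace-ns-recv-sol',  7, 2],
        ['ajax-trace-ns-recv-adv',  7, 3],
        ['ajax-trace-ns-send-sol',  8, 0],
        ['ajax-trace-nr4',          8, 1],
        ['ajax-trace-nr6',          8, 2],
        ['ajax-trace-ntp-client',   8, 3],
        ['ajax-trace-echo4',        9, 2],
        ['ajax-trace-echo6',        9, 3],
        ['ajax-trace-dest6',       10, 0],
        ['ajax-trace-ra',          10, 1],
        ['ajax-trace-rs',          10, 2],
        ['ajax-trace-ar4',         10, 3],
        ['ajax-trace-ar6',         11, 0],
        ['ajax-trace-arp',         11, 1],
        ['ajax-trace-ip4',         11, 2],
        ['ajax-trace-ip6',         11, 3],
        ['ajax-trace-udp',         12, 0],
        ['ajax-trace-tcp',         12, 1],
        ['ajax-trace-http',        12, 2],
        ['ajax-trace-tftp',        12, 3]
    ];

    var elem;
    var i;
    for (i = 0; i < flags.length; i++)
    {
        elem = document.getElementById(flags[i][0]);
        if (elem) elem.setAttribute('dir', hexToBit(flags[i][1], flags[i][2]) ? 'rtl' : 'ltr');
    }

    elem = document.getElementById('ajax-trace-net-host');
    if (elem) elem.value = response.substr(1, 4);

    // The raw reply and its headers arrive over the network and are shown as
    // received. They are plain text, so they are assigned with textContent
    // rather than innerHTML: the rendering is the same for the data expected
    // here, and nothing in them can be interpreted as markup or script.
    elem = document.getElementById('ajax-response-html');
    if (elem) elem.textContent = response;
    elem = document.getElementById('ajax-headers-html');
    if (elem) elem.textContent = headers;

    elem = document.getElementById('ajax-date-html');
    if (elem)
    {
        // getAllResponseHeaders() returns header names lower-cased in current
        // browsers, so a case-sensitive search for 'Date:' finds nothing. Match
        // the header case-insensitively at a line start and take the rest of
        // that line. If there is no Date header the element is left as it was
        // rather than showing 'Invalid Date'.
        var match = /^date:[ \t]*([^\r\n]*)/im.exec(headers);
        if (match)
        {
            var date = new Date(match[1]);
            elem.textContent = date.toLocaleString(undefined, { weekday: 'short', day: '2-digit', month: 'short', year: 'numeric', hour: '2-digit', minute: '2-digit', timeZoneName: 'short' });
        }
    }
}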
andrewboyson 14:c3c43c8faf0e 113
// Fetch the trace flags once the document has been parsed, and then keep
// polling the device every 10 seconds for as long as the page is open.
document.addEventListener('DOMContentLoaded', requestAjax);
setInterval(requestAjax, 10000);