Jump to content

Test My Website Builder For Vulnrabilities


deathadder

Recommended Posts

hi, i am working on a website builder project and i was wondering if you guys could test it for vulnrabilities

 

i am fairly new to php, but as far as i can see the code is valid, and secure, i have only added basic sql injection protection so hope you can help

 

proof i own the website: http://generalprogramming.org/freak.txt

 

http://generalprogramming.org is website

Link to comment
Share on other sites

You can't edit/delete pages with special characters. I'd save the pages as IDs instead of names. EX: http://generalprogra...trol.php?edit=1

 

cvc.png

 

ok thans for this, will fix it now, although there is no logical explanation to sava page as that

 

not to mention when you visit thewebsite it uses the $_GET method, i could fix it by using ids onthat too, but then the user on the website would have mor difficulty identifing the page

Edited by deathadder
Link to comment
Share on other sites

ok thans for this, will fix it now, although there is no logical explanation to sava page as that

 

Vulnerability testing is all about doing the illogical. The things the programmer probably never thought of and did not test for. That is where a hacker is going to find their way into your systems and wreak havoc. That's one of the mindsets you need to get into while programming and testing. As well as the mindset of a clueless user and the mindset of a cat walking across the keyboard (as in make sure a 2k-char-long string of "ap]342]345o325t\34r5q324iour9ajr3]214r2it..." doesn't cause problems), to name a few.

 

 

Link to comment
Share on other sites

Vulnerability testing is all about doing the illogical. The things the programmer probably never thought of and did not test for. That is where a hacker is going to find their way into your systems and wreak havoc. That's one of the mindsets you need to get into while programming and testing. As well as the mindset of a clueless user and the mindset of a cat walking across the keyboard (as in make sure a 2k-char-long string of "ap]342]345o325t\34r5q324iour9ajr3]214r2it..." doesn't cause problems), to name a few.

 

max username chars is 32, same with password, max page chars is 10,000 and page name around 100-300 cant remember

 

max username char is 32 same with pass max page char is 10,000 and page name 100 i thinkk

I hope that doesn't mean that you found there was a typo in the password because they are stored in your database table in plain text?

 

no, it means that i couldnt login to the testacc, so i remade it with a new password

Link to comment
Share on other sites

no, it means that i couldnt login to the testacc, so i remade it with a new password

 

Doesn't work again. Someone keeps entering ' as password, making it \' as the password. It seems you can not update the password as well as I tried to revert it back to "test"

Link to comment
Share on other sites

max username chars is 32, same with password, max page chars is 10,000 and page name around 100-300 cant remember

 

Your site appears to just silently truncate a username if it is over the max. You should show an error instead, otherwise users will think they registered using the name they entered and wonder why the login doesn't work later.

 

Having a maximum on password length is unnecessary. You should be hashing the passwords if you are not. If you are the hashing process should reduce them to a predictable length regardless of the original length of the password.

Link to comment
Share on other sites

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.