dannyb785 Posted July 17, 2008 Share Posted July 17, 2008 Ok, so maybe not hack... but tell me what vulnerabilities there are. This is a client's website and it is entirely database driven so I would say it's successful if a visitor wouldn't have any way of modifying anything from the database. http://www.xausf.com Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/ Share on other sites More sharing options...
proggR Posted July 17, 2008 Share Posted July 17, 2008 Not a hack or anything but your contact and calender hover over icons seem to be missing. When I hover over them the button just disappears and shows the background. Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592700 Share on other sites More sharing options...
dannyb785 Posted July 17, 2008 Author Share Posted July 17, 2008 It's the way the template is setup. It's a separate image, so you need to hover for about 2 seconds. I need a way to preload the hover images so that this doesn't happen. I havent tried anything yet, but I think maybe just loading them and giving them a position of like position:absolute; top: -1000px. You think that'd do it? Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592702 Share on other sites More sharing options...
proggR Posted July 17, 2008 Share Posted July 17, 2008 I'm not sure. I never really played around a lot with switching images when hovering, just backgrounds and text colors and what not. Throw templates in there and I'm twice as lost lol. You're right though, they're there now. Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592708 Share on other sites More sharing options...
BillyBoB Posted July 17, 2008 Share Posted July 17, 2008 You should learn to read what forums are what. This should be in testing not in critiquing. You don't want people trying to hack your site... It's just going to get defaced like that.... Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592735 Share on other sites More sharing options...
dannyb785 Posted July 17, 2008 Author Share Posted July 17, 2008 You should learn to read what forums are what. This should be in testing not in critiquing. You don't want people trying to hack your site... It's just going to get defaced like that.... Beta Test Your Stuff! Post a link to your work with inputs and expected outputs for people to test. A mod can move it if it's a problem. Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592738 Share on other sites More sharing options...
coolpro Posted July 20, 2008 Share Posted July 20, 2008 I don't like that kind of website designs Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-594710 Share on other sites More sharing options...
unsider Posted July 20, 2008 Share Posted July 20, 2008 I don't like that kind of website designs I'm curious...why? I personally love how grainy it looks, specifically the footer is very impressive. Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-594713 Share on other sites More sharing options...
dannyb785 Posted July 20, 2008 Author Share Posted July 20, 2008 I don't like that kind of website designs I know what you're saying. It has its place on some pages, depending on the company's theme. This one is a college group and the director told me he wanted something 'rough-around-the-edges'. Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-594825 Share on other sites More sharing options...
darkfreaks Posted July 21, 2008 Share Posted July 21, 2008 Vulnerability description This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. This vulnerability affects /search.php. The impact of this vulnerability Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Attack details The GET variable s has been set to <script>alert(39666.8468413889)</script>. How to fix this vulnerability Your script should filter metacharacters from user input. trim() and strip_tags() Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595093 Share on other sites More sharing options...
darkfreaks Posted July 21, 2008 Share Posted July 21, 2008 Vulnerability description This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. This vulnerability affects /search.php. The impact of this vulnerability Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Affected File: calendar.php How to fix this vulnerability Your script should filter metacharacters from user input. trim() and strip_tags() Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595108 Share on other sites More sharing options...
darkfreaks Posted July 21, 2008 Share Posted July 21, 2008 File Input Accepted The impact of this vulnerability User may upload malicious files to server. How to fix this vulnerability Check if the script inputs are properly validated from uploading .exe/.js and .php extensions Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595185 Share on other sites More sharing options...
Third_Degree Posted July 21, 2008 Share Posted July 21, 2008 Basic Stuff "Warning: do not refresh this page as it will resubmit the information" You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page. Not Basic Stuff XSS! http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E Pretty Dangerous... Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595252 Share on other sites More sharing options...
darkfreaks Posted July 21, 2008 Share Posted July 21, 2008 my scanner didnt catch that then again it froze halfway through the scan ROFL. anyhow you should filter out the email page as suggested above Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595662 Share on other sites More sharing options...
dannyb785 Posted July 21, 2008 Author Share Posted July 21, 2008 Basic Stuff "Warning: do not refresh this page as it will resubmit the information" You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page. Not Basic Stuff XSS! http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E Pretty Dangerous... would adding htmlentities help this problem? I'm scared to run the script to see what it does! Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595760 Share on other sites More sharing options...
phpSensei Posted July 21, 2008 Share Posted July 21, 2008 Basic Stuff "Warning: do not refresh this page as it will resubmit the information" You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page. Not Basic Stuff XSS! http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E Pretty Dangerous... would adding htmlentities help this problem? I'm scared to run the script to see what it does! He is just taking keys like H A C and K, and alerting them on the screen. alert('h'); alert('a'); alert('c'); alert('k'); This isn't a hack, just to test if its XSS proof, which it obviously isnt. Use stip_tags, or htmlentities(); Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595815 Share on other sites More sharing options...
dannyb785 Posted July 21, 2008 Author Share Posted July 21, 2008 He is just taking keys like H A C and K, and alerting them on the screen. alert('h'); alert('a'); alert('c'); alert('k'); This isn't a hack, just to test if its XSS proof, which it obviously isnt. Use stip_tags, or htmlentities(); Would just htmlentities do the job? I read somewhere that strip_tags doesnt completely remove all possible malicious input Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595859 Share on other sites More sharing options...
darkfreaks Posted July 21, 2008 Share Posted July 21, 2008 thats bullshit it removes all javascript and PHP input *laughs* Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595879 Share on other sites More sharing options...
phpSensei Posted July 22, 2008 Share Posted July 22, 2008 Where did you hear that from? I honestly think some people are too paranoid... Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596162 Share on other sites More sharing options...
Third_Degree Posted July 22, 2008 Share Posted July 22, 2008 strip_tags limits user functionality... Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596231 Share on other sites More sharing options...
darkfreaks Posted July 22, 2008 Share Posted July 22, 2008 are you talking about html third_degree? no it doesnt strip_tags($variable,'allowed html tags here') Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596533 Share on other sites More sharing options...
waynew Posted July 22, 2008 Share Posted July 22, 2008 I prefer to use both. But I'm a paranoid wreck like that. Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596605 Share on other sites More sharing options...
darkfreaks Posted July 22, 2008 Share Posted July 22, 2008 both will do the trick Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596634 Share on other sites More sharing options...
dannyb785 Posted July 22, 2008 Author Share Posted July 22, 2008 Ok so I got that done... awesome... not what would be the best way to prevent a visitor from submitting the form a million times, whether by clicking refresh or with a script. Thru sessions? or something else Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596851 Share on other sites More sharing options...
darkfreaks Posted July 22, 2008 Share Posted July 22, 2008 Preventing PHPSESSID Attacks make a .htacess file in the root directory of the script with the following code in it: php_flag session.use_trans_sid off php_flag session.use_only_cookies on in your php config file put Code: <?php ini_set('session.use_trans_sid', 0); ini_set('session.use_only_cookies', 1);?> Link to comment https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596919 Share on other sites More sharing options...
Recommended Posts