Jump to content

Recommended Posts

  • Replies 64
  • Created
  • Last Reply

Top Posters In This Topic

It's the way the template is setup. It's a separate image, so you need to hover for about 2 seconds. I need a way to preload the hover images so that this doesn't happen. I havent tried anything yet, but I think maybe just loading them and giving them a position of like position:absolute; top: -1000px. You think that'd do it?

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592702
Share on other sites

 

 

You should learn to read what forums are what. This should be in testing not in critiquing. You don't want people trying to hack your site... It's just going to get defaced like that....

 

Beta Test Your Stuff!

Post a link to your work with inputs and expected outputs for people to test.

 

A mod can move it if it's a problem.

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-592738
Share on other sites

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /search.php.

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

 

Attack details

The GET variable s has been set to <script>alert(39666.8468413889)</script>.

 

How to fix this vulnerability

Your script should filter metacharacters from user input. trim() and strip_tags()

 

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595093
Share on other sites

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /search.php.

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Affected File: calendar.php

 

How to fix this vulnerability

Your script should filter metacharacters from user input. trim() and strip_tags()

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595108
Share on other sites

Basic Stuff

 

"Warning: do not refresh this page as it will resubmit the information"

 

You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

 

Not Basic Stuff

XSS! :o

http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

 

Pretty Dangerous...

 

 

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595252
Share on other sites

Basic Stuff

 

"Warning: do not refresh this page as it will resubmit the information"

 

You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

 

Not Basic Stuff

XSS! :o

http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

 

Pretty Dangerous...

 

 

 

would adding htmlentities help this problem? I'm scared to run the script to see what it does!

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595760
Share on other sites

Basic Stuff

 

"Warning: do not refresh this page as it will resubmit the information"

 

You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

 

Not Basic Stuff

XSS! :o

http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

 

Pretty Dangerous...

 

 

 

would adding htmlentities help this problem? I'm scared to run the script to see what it does!

 

He is just taking keys like H A C and K, and alerting them on the screen.

 

alert('h');

alert('a');

alert('c');

alert('k');

 

This isn't a hack, just to test if its XSS proof, which it obviously isnt.

 

Use stip_tags, or htmlentities();

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595815
Share on other sites

 

He is just taking keys like H A C and K, and alerting them on the screen.

 

alert('h');

alert('a');

alert('c');

alert('k');

 

This isn't a hack, just to test if its XSS proof, which it obviously isnt.

 

Use stip_tags, or htmlentities();

 

Would just htmlentities do the job? I read somewhere that strip_tags doesnt completely remove all possible malicious input

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-595859
Share on other sites

Preventing PHPSESSID Attacks

make a .htacess file in the root directory of the script with the following code in it:

php_flag session.use_trans_sid off

 

php_flag session.use_only_cookies on

 

 

 

in your php config file put

Code:

<?php
ini_set('session.use_trans_sid', 0);

ini_set('session.use_only_cookies', 1);?>

Link to comment
https://forums.phpfreaks.com/topic/115282-hack-my-siteor-try/#findComment-596919
Share on other sites


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.