Jump to content

Hack my site(or try)!

dannyb785

By dannyb785
in Beta Test Your Stuff!

 Share

Recommended Posts

  • Replies 64
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

dannyb785 Member

dannyb785

Posted
  • Author
Posted

It's the way the template is setup. It's a separate image, so you need to hover for about 2 seconds. I need a way to preload the hover images so that this doesn't happen. I havent tried anything yet, but I think maybe just loading them and giving them a position of like position:absolute; top: -1000px. You think that'd do it?

Link to comment
Share on other sites
proggR Advanced Member

proggR

Posted
Posted

I'm not sure. I never really played around a lot with switching images when hovering, just backgrounds and text colors and what not. Throw templates in there and I'm twice as lost lol. You're right though, they're there now.

Link to comment
Share on other sites
dannyb785 Member

dannyb785

Posted
  • Author
Posted

 

 

You should learn to read what forums are what. This should be in testing not in critiquing. You don't want people trying to hack your site... It's just going to get defaced like that....

 

Beta Test Your Stuff!

Post a link to your work with inputs and expected outputs for people to test.

 

A mod can move it if it's a problem.

Link to comment
Share on other sites
dannyb785 Member

dannyb785

Posted
  • Author
Posted

I don't like that kind of website designs

 

I know what you're saying. It has its place on some pages, depending on the company's theme. This one is a college group and the director told me he wanted something 'rough-around-the-edges'.

Link to comment
Share on other sites
darkfreaks Advanced Member

darkfreaks

Posted
Posted

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /search.php.

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

 

Attack details

The GET variable s has been set to <script>alert(39666.8468413889)</script>.

 

How to fix this vulnerability

Your script should filter metacharacters from user input. trim() and strip_tags()

 

Link to comment
Share on other sites
darkfreaks Advanced Member

darkfreaks

Posted
Posted

Vulnerability description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

 

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /search.php.

The impact of this vulnerability

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Affected File: calendar.php

 

How to fix this vulnerability

Your script should filter metacharacters from user input. trim() and strip_tags()

Link to comment
Share on other sites
darkfreaks Advanced Member

darkfreaks

Posted
Posted

File Input Accepted

 

 

The impact of this vulnerability

User may upload malicious files to server.

How to fix this vulnerability

Check if the script inputs are properly validated from uploading .exe/.js and .php extensions

Link to comment
Share on other sites
Third_Degree Newbie

Third_Degree

Posted
Posted

Basic Stuff

 

"Warning: do not refresh this page as it will resubmit the information"

 

You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

 

Not Basic Stuff

XSS! :o

http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

 

Pretty Dangerous...

 

 

Link to comment
Share on other sites
dannyb785 Member

dannyb785

Posted
  • Author
Posted

Basic Stuff

 

"Warning: do not refresh this page as it will resubmit the information"

 

You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

 

Not Basic Stuff

XSS! :o

http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

 

Pretty Dangerous...

 

 

 

would adding htmlentities help this problem? I'm scared to run the script to see what it does!

Link to comment
Share on other sites
phpSensei Advanced Member

phpSensei

Posted
Posted

Basic Stuff

 

"Warning: do not refresh this page as it will resubmit the information"

 

You should probably make the email form a little less vulnerable to spamming. Right now I'm too lazy and I don't dislike you or anything, so I didn't write a script to continually bomb this page.

 

Not Basic Stuff

XSS! :o

http://www.xausf.com/search.php?s=%3Cscript%3Ealert(String.fromCharCode(72));alert(String.fromCharCode(65));alert(String.fromCharCode(67));alert(String.fromCharCode(75))%3C/script%3E

 

Pretty Dangerous...

 

 

 

would adding htmlentities help this problem? I'm scared to run the script to see what it does!

 

He is just taking keys like H A C and K, and alerting them on the screen.

 

alert('h');

alert('a');

alert('c');

alert('k');

 

This isn't a hack, just to test if its XSS proof, which it obviously isnt.

 

Use stip_tags, or htmlentities();

Link to comment
Share on other sites
dannyb785 Member

dannyb785

Posted
  • Author
Posted

 

He is just taking keys like H A C and K, and alerting them on the screen.

 

alert('h');

alert('a');

alert('c');

alert('k');

 

This isn't a hack, just to test if its XSS proof, which it obviously isnt.

 

Use stip_tags, or htmlentities();

 

Would just htmlentities do the job? I read somewhere that strip_tags doesnt completely remove all possible malicious input

Link to comment
Share on other sites
darkfreaks Advanced Member

darkfreaks

Posted
Posted

Preventing PHPSESSID Attacks

make a .htacess file in the root directory of the script with the following code in it:

php_flag session.use_trans_sid off

 

php_flag session.use_only_cookies on

 

 

 

in your php config file put

Code:

<?php
ini_set('session.use_trans_sid', 0);

ini_set('session.use_only_cookies', 1);?>

Link to comment
Share on other sites
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.