DeanWhitehouse Posted May 12, 2009
Please can anyone run some security tests on my site? I believe I have covered everything to protect it. On the site the main things I want to be safe against are things like RFI, cross-server attacks, SQL attacks and in-game exploits. Any loopholes can be posted here, on the site, or PMed to me on either site.
The site is http://www.americangangsters.org/
Username: test
Password: tester
Here is another thing to test: http://www.americangangsters.org/airport.php
Go there without logging in, and it redirects to the home page, then back there when you log in. Should I store the previous page in sessions?
Thanks, Blade
jackpf Posted May 12, 2009
"Problem registering, please try again later." Hmm...
DeanWhitehouse (Author) Posted May 12, 2009
Hmm, this is the third account so far to have problems registering. Please don't try the registration page just yet.
jackpf Posted May 12, 2009
Okie dokie. I ran XSS and SQL injection tests on the two pages I could access and they were both fine.
DeanWhitehouse (Author) Posted May 12, 2009
Ok, it should work fine now.
jackpf Posted May 12, 2009
Seems ok. I do, however, only possess novice hacking skills.
darkfreaks Posted May 12, 2009
Find.php: Failures: 12
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31
Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
Tested value: 1 AND USER_NAME() = 'dbo'
Tested value: 1 AND 1=1
Tested value: 1 OR 1=1

cartheft.php: Failures: 16
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31
Tested value: 1' OR '1'='1
Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --
Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE
Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
Tested value: ' OR username IS NOT NULL OR username = '
Tested value: 1' AND non_existant_table = '1
Tested value: 1'1
Tested value: '; DESC users; --
Tested value: 1 AND USER_NAME() = 'dbo'
Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --
TheFilmGod Posted May 13, 2009
Darkfreaks - how do you do that? Is it some FF plug-in?
gffg4574fghsDSGDGKJYM Posted May 13, 2009
Not sure what darkfreaks is using, but there are some FF plugins for that: https://addons.mozilla.org/en-US/firefox/addon/7597
Or just search for hack, security or SQL; there are a lot of plugins.
Maq Posted May 13, 2009
> Darkfreaks - how do you do that? Is it some FF plug-in?
Yes, it's called "SQL Inject Me". I use it all the time. Even though it catches trivial things that may or may not pose harm, it's a very good tool.
darkfreaks Posted May 13, 2009
Yes, sorry, SQL Inject Me is the tool, before some mod comes in here and bitches I didn't post the name of it.
Maq Posted May 13, 2009
> yes sorry SQL inject me is the tool before some mod comes in here and bitches i didnt post the name of it
I don't think any Moderator would bitch that you didn't post it; it's a pretty popular security plug-in anyway.
Daniel0 Posted May 13, 2009
> yes sorry SQL inject me is the tool before some mod comes in here and bitches i didnt post the name of it
You want a warning for trolling?
DeanWhitehouse (Author) Posted May 13, 2009
Thanks, any advice on securing against them?
darkfreaks Posted May 13, 2009
Be sure to use plenty of sanitization, like strip_tags(), mysql_real_escape_string(), htmlspecialchars(), filter_var(), trim(), stripslashes().
DeanWhitehouse (Author) Posted May 13, 2009
Ok, even using all of them the find user page still has vulnerabilities. Any ideas? Although they don't even do anything xD
DeanWhitehouse (Author) Posted May 13, 2009
I can't understand what's causing the 403 error though.
jackpf Posted May 13, 2009
Your server probably has software installed to help protect you against SQL injection. On an attempt, it'll serve a 403 page and probably temp-ban the IP or something.
DeanWhitehouse (Author) Posted May 13, 2009
Hmm ok, good good. One last thing: unless there are more vulnerabilities, will my function stop or cause a problem to my data, if used to sanitise queries?

    // Posted as-is: runs every input through a chain of unrelated filters before escaping it for MySQL
    function QuerySecure($query)
    {
        $query = strip_tags($query);
        $query = htmlspecialchars($query);
        $query = filter_var($query);            // no filter given, so FILTER_DEFAULT (no change)
        $query = trim($query);
        $query = stripslashes($query);
        $query = mysql_real_escape_string($query);
        return $query;
    }
Daniel0 Posted May 13, 2009
Please read the individual manual pages for the functions to see what they do...
darkfreaks Posted May 13, 2009
Try:

    <?php
    function QuerySecure($query)
    {
        $query = strip_tags($query);
        $query = htmlspecialchars($query);
        // works only in PHP 5: strips unwanted injection
        $query = filter_var($query, FILTER_SANITIZE_STRING);
        $query = trim($query);
        $query = stripslashes($query);
        $query = mysql_real_escape_string($query);
        return $query;
    }
    ?>

Also, as suggested, read up on the functions to see what they do and see if you need them or not.
DeanWhitehouse (Author) Posted May 13, 2009
Thanks, so as far as I can tell there are no security issues.
Daniel0 Posted May 13, 2009
Sorry, my last post was meant to say that your function sucks, and that reading the relevant manual pages should make it clear why...
DeanWhitehouse (Author) Posted May 13, 2009
Wow, Daniel, you might want to work on your idea of helping a bit.
Daniel0 Posted May 13, 2009
Okay then, if you don't want to check for yourself:
strip_tags removes HTML tags from a string.
htmlentities converts characters to their respective HTML entities (e.g. © -> &copy;).
filter_var with FILTER_SANITIZE_STRING removes HTML tags plus some extra optional stuff. This has already been done.
trim removes whitespace from both ends. That's fine.
stripslashes strips slashes. How do you know that's needed?
mysql_real_escape_string escapes things for MySQL queries. This is the only thing you needed here.
You shouldn't escape things like HTML entities before inserting them into the database, but rather do it before you output them. You should store the raw data in the database. Better yet, just use prepared statements and your strings will automatically be sanitized.
darkfreaks just listed a lot of functions for sanitization, most of which were irrelevant to that problem, and you just slammed all of them into one big function.
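As an added illustration of the approach Daniel0 describes (not code from the thread or from the American Gangsters site), here is a "find user" lookup that replaces QuerySecure(): the raw search term is bound through a PDO prepared statement, stored data stays unescaped, and HTML escaping happens only at output. The `users` table, its `id` and `username` columns, and the DSN/credential placeholders are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes a MySQL table `users(id, username)`;
// DSN and credentials are placeholders to be replaced.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

// Look up users by partial name. The term is passed as a bound parameter, so a value
// such as "1' OR '1'='1" is compared as literal text and cannot change the query.
function findUsers(PDO $pdo, string $term): array
{
    $term = trim($term);
    if ($term === '' || mb_strlen($term) > 32) {
        return [];                                   // validate shape; no SQL "sanitizing"
    }
    // % and _ are LIKE wildcards; escape them so the user searches for them literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username LIKE ? LIMIT 50');
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping belongs at output, for the context the data lands in (HTML here), not on the way in.
function renderUserList(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $name  = htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "  <li>{$name}</li>\n";
    }
    return $html . "</ul>\n";
}

$pdo = connect();
echo renderUserList(findUsers($pdo, $_GET['user'] ?? ''));
```

Because the stored username is never altered on input, the same record can later be emitted safely into JSON or plain text with the escaping appropriate to that context.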