Hi Folks,

http://www.helraizer.co.uk/comments/

In order to post a comment on my site you need to insert part of a captcha code, as to which characters, who knows? :P Sometimes though, it seems to be intermittent.  Could you guys please test it for whether it works, and also whether it can be exploited?

Thanks,

Sam

https://forums.phpfreaks.com/topic/81421-test-my-captcha-please/

You really should sanitize your input.. if I was mean enough, I would delete your entire site and take over your domain right now... :)

How would you manage that, though? HTML inject won't work because I don't use GET; XSS won't work because the user, email and comment fields are sanitised and the captcha input doesn't appear on the page it directs to. It is only used to verify the post and session; if the value in the captcha field isn't that of what is needed from the captcha image the page is redirected to the index page (the form) and everything is blank once again. If it is correct the comment is posted and then the page shown; the session is unset.

So how would it be possible to 'delete my entire site'?

Sam
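The verification flow Sam describes (answer held in the session, compared once, then discarded) written out as an added example. This is not the helraizer.co.uk code; the function names, the 12-character/3-position scheme and the ten-minute expiry are my own assumptions, and it requires PHP 7 for random_int and the null-coalescing operator.

```php
<?php
// Added example, not the site's own code: a session-backed
// "type the Nth characters" captcha check. Names and parameters are assumed.

// Build a challenge: 12 random characters and 3 random positions the user
// must type back. Only the expected answer and issue time go in the session.
function captcha_create(): array
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I confusion
    $chars = '';
    for ($i = 0; $i < 12; $i++) {
        $chars .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $positions = [];
    while (count($positions) < 3) {
        $p = random_int(1, 12);                 // 1-based, as shown in the prompt
        if (!in_array($p, $positions, true)) {
            $positions[] = $p;
        }
    }
    sort($positions);
    $expected = '';
    foreach ($positions as $p) {
        $expected .= $chars[$p - 1];
    }
    $_SESSION['captcha'] = ['expected' => $expected, 'issued' => time()];
    // The caller draws $chars into the image and lists $positions in the prompt.
    return ['chars' => $chars, 'positions' => $positions];
}

// Verify once, then discard: right or wrong, the challenge is consumed, so the
// same session value cannot be replayed on a second post.
function captcha_verify(string $answer, int $ttl = 600): bool
{
    if (!isset($_SESSION['captcha'])) {
        return false;
    }
    $stored = $_SESSION['captcha'];
    unset($_SESSION['captcha']);                // single use, regardless of outcome
    if (time() - $stored['issued'] > $ttl) {
        return false;                           // stale challenge
    }
    // hash_equals avoids leaking how many leading characters matched via timing.
    return hash_equals($stored['expected'], strtoupper(trim($answer)));
}

// Typical use in the comment handler; session_start() must run before any output.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (captcha_verify($_POST['captcha'] ?? '')) {
        // ... insert the comment here, then redirect to the thread page
    } else {
        header('Location: /comments/');         // back to the blank form
        exit;
    }
} else {
    $challenge = captcha_create();
    // ... render the image from $challenge['chars'] and the prompt from $challenge['positions']
}
```

The two points worth copying are that the answer is stored server-side and never sent to the client except as pixels, and that the stored value is removed before the comparison result is acted on, which is what makes the check single-use.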

Interesting idea for a captcha, but I find some of the images way too dark, making it impossible to view the characters. Also, on a couple of the images, the 6th character was half run off the edge, making it difficult to figure out. A really nice feature on some captchas is the "click here to get a new image" - that would be very helpful on some of your darker ones.

I didn't test for security, as I prefer to leave that to the master - Agent Steel.

I was able to use sql injection and delete your database info.. but I didn't.. It was in the "message" field

and btw, i like the idea of the captcha system, but it would certainly get annoying counting the "3rd, 6th" letters etc... maybe make them stand out a little bit more? OR, have 3 of the 12 letters bold and have the user identify (in order) which ones are bold :)

Yeah, I can see what you mean. I will get working on something. =) Could be a challenge though, since which characters are required each time is completely random.. but I can try and work something out.

I don't see how you could have tested it though.. because if you just wrote it in the field it's just a string of characters.. it would only work if you submitted it, but you just said you didn't. All three fields are used with mysql_real_escape_string; I will add even more security just to make sure.

Sam

Added security for that.

There is a filter now on the words: Select, Drop, Alter, Delete, Where, Top, Distinct, From, Insert, Values, Create, Join, Table, *, Order By, ASC, DESC, Update and Group By.

If they appear (case insensitive) in the message field an error message appears and the comment isn't added to the database. Just to foil Wes90 and his injection. ;):P
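An added example, not the site's code, showing why a keyword blacklist like the one above is the wrong control and what to use instead. The first function reconstructs the filter from Sam's word list and runs it over a few constructed, perfectly innocent comments; the second is a parameterised insert through PDO, which is the mitigation that actually removes SQL injection from the comment path. The table layout is assumed, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example, not the helraizer.co.uk code. Table and column names are assumed.

// The blacklist from the thread, reconstructed: reject any comment that
// contains one of the listed words (case-insensitive substring match).
function blacklist_rejects(string $message): bool
{
    $banned = ['select', 'drop', 'alter', 'delete', 'where', 'top', 'distinct',
               'from', 'insert', 'values', 'create', 'join', 'table', '*',
               'order by', 'asc', 'desc', 'update', 'group by'];
    $lower = strtolower($message);
    foreach ($banned as $word) {
        if (strpos($lower, $word) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample comments. Every one is legitimate and every one is
// rejected: "from" is plain English, "desktop" contains "top", "Pascal"
// contains "asc". Real users will hit this constantly.
$samples = [
    'Great post, greetings from Leeds!',
    'I saved the file to my desktop.',
    'I use Pascal at work.',
];
foreach ($samples as $s) {
    printf("%-36s rejected=%s\n", $s, blacklist_rejects($s) ? 'yes' : 'no');
}

// The control that works: a prepared statement with bound parameters. The
// message is sent to the driver as data and never spliced into the SQL text,
// so no word it contains can alter the statement.
function insert_comment(PDO $db, string $name, string $email, string $message): void
{
    $stmt = $db->prepare('INSERT INTO comments (name, email, message) VALUES (?, ?, ?)');
    $stmt->execute([$name, $email, $message]);
}

// In-memory SQLite so the example runs without a MySQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)');

// A comment full of "banned" words is stored verbatim and harmlessly.
$message = 'Select the top option from the table, then drop me a line.';
insert_comment($db, 'Sam', 'sam@example.com', $message);
$row = $db->query('SELECT message FROM comments')->fetch(PDO::FETCH_ASSOC);
echo $row['message'], "\n";   // the sentence comes back unchanged, as data
```

Against MySQL the same insert_comment works unchanged with a mysql: DSN; set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, does the binding. On the thread's current approach: mysql_real_escape_string only protects a value that is placed inside a quoted string literal and only when the connection character set has been set with mysql_set_charset, so it is not a substitute for parameter binding.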

Ah crap, typing this for the second time.

Worked fine for me, although a bit tedious to find out what you were actually wanting on the captcha. A bit longwinded maybe!

Good example though, yet I am sure a more human readable one would do just fine. Captchas do not have to be codes; if you wanted you could make a basic maths one much like the one I use, and ask the user for a result of the calculation.

I received no error messages when it failed, mind. Using Opera Version 9.24. I tried a javascript injection and failed, and the field was too small to enter a base64 url!

Seems good, the captcha works if I provided nothing else!
