#1 zxcvbnm (Devshed Frequenter, joined Mar 2004)
    Try SQL injection, XSS and CSRF on this web page.

    How do you rate its security out of 10?

    Looks like the only way for me to learn this is to get attacked so I can see what really goes on.

    This is a page I made on a dead domain name of mine that I use to test things. It is connected to a database, and stores and prints your entry. I have tried to make it secure against attacks.

    Please let me know if you can easily cause me trouble. If you see any obvious weakness, please mention it.

    Thank you

    PHP Code:
    <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

    class Welcome extends CI_Controller {

        protected $posted_data = array();

        public function index()
        {
            $data['success'] = '';
            $data['email']   = 'Your Name';
            $this->load->model('model_members', 'members');
            $data['members'] = $this->members->list_members();
            $this->load->view('welcome_message', $data);
        }

        public function check()
        {
            //$this->output->enable_profiler(TRUE);
            // set_value() needs the form helper and redirect() the url helper
            // (drop this line if both are already listed in config/autoload.php)
            $this->load->helper(array('form', 'url'));
            $this->load->model('model_members', 'members');
            $this->load->library('form_validation');

            $this->form_validation->set_rules('email', 'Name', 'required|callback_email_check');
            $this->form_validation->set_rules('password', 'Password', 'required');

            if ($this->form_validation->run() == FALSE)
            {
                // validation failed: show the form again with the submitted name
                $data['success'] = '';
                $data['email']   = (isset($_POST['email']) ? set_value('email', '') : '');
                $data['members'] = $this->members->list_members();
                $this->load->view('welcome_message', $data);
            }
            else
            {
                $this->posted_data = array(
                    'email'    => $this->input->post('email'),
                    'password' => $this->input->post('password'),
                );
                $this->members->insert($this->posted_data);
                redirect('http://ben.thetransporter.com.au', 'refresh');
            }
        }

        // form_validation callback: returns TRUE when the name is still free
        public function email_check($email)
        {
            if ($this->members->check($email))
            {
                return TRUE;
            }
            else
            {
                $this->form_validation->set_message('email_check', 'That name is already in use! Try a different one.');
                return FALSE;
            }
        }
    }
    Last edited by zxcvbnm; July 17th, 2013 at 11:35 PM.
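    As an added illustration, not code from the thread or from the CodeIgniter project, here is what the Model_members class that the controller above loads could look like against CodeIgniter 2.x (the release current when the thread was posted), using the framework's query bindings and Active Record so that whatever a visitor submits reaches MySQL as data rather than as SQL. The original model is not shown in the post, so the table name `members`, its columns, the `check()` contract (TRUE when the name is free, which is what the `email_check` callback expects) and the hashing of the stored password are all assumptions.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Added example: a hypothetical Model_members for CodeIgniter 2.x.
// Table and column names are assumed; the thread does not show the model.
class Model_members extends CI_Model
{
    // TRUE when the name is still free. Query bindings: CI escapes every
    // value bound to a '?', so a name such as  x' OR '1'='1  is compared as
    // a string, not parsed as SQL.
    public function check($email)
    {
        $query = $this->db->query(
            'SELECT 1 FROM members WHERE email = ? LIMIT 1',
            array($email)
        );
        return $query->num_rows() === 0;
    }

    // Insert one row. Active Record builds the INSERT with escaped values;
    // the explicit column list keeps a crafted POST from writing any field
    // it likes. password_hash() is PHP 5.5+; storing the password in clear,
    // as the controller's posted_data array would, is avoided here.
    public function insert($data)
    {
        $row = array(
            'email'    => $data['email'],
            'password' => password_hash($data['password'], PASSWORD_DEFAULT),
        );
        return $this->db->insert('members', $row);
    }

    // Only the column the page prints; never SELECT * into a view.
    public function list_members()
    {
        return $this->db->select('email')->get('members')->result();
    }
}
```

    The database layer stops SQL injection but does nothing about stored XSS: that is the view's job. In welcome_message.php every value that came from a visitor should be printed as `echo html_escape($member->email);` (html_escape() is available from CodeIgniter 2.1), not echoed raw, and the framework's global XSS filter should not be relied on as a substitute for output escaping.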
#2 jack13580 (Contributing User, joined Aug 2012)
    You should try asking hackthissite.org to try to hack your site, and to prove it's yours, put in an HTML comment saying "hts can pentest this".

    They are more knowledgeable in this kind of stuff.
#3 zxcvbnm (Devshed Frequenter)
    Originally Posted by jack13580:
    You should try asking hackthissite.org to try to hack your site, and to prove it's yours, put in an HTML comment saying "hts can pentest this".

    They are more knowledgeable in this kind of stuff.

    It is impossible to register on that site. I tried 30 times and every time there is an error!
#4 jack13580 (Contributing User)
    What error?
#5 zxcvbnm (Devshed Frequenter)
    Originally Posted by jack13580:
    What error?

    All sorts:
    1 - Password should contain one non-alphanumeric character (%@$^..)
    2 - Password should have an upper case
    3 - Password should have a lower case
    4 - Security question should not contain this, that, bla bla
    5 - Incorrect image validation text. Please enter the text exactly as you see it in the image.
    ..........

    And the one time I managed to register successfully, I get this when I try to log in:

    Username beza2013 does not exist. Would you like to register this name?

    Thanks for letting me know about that site, but there is no way I go back. They have made it way more difficult than any online banking site I have ever used. Someone should tell them: Relax, you are not Bank of America.
#6 jack13580 (Contributing User)
    It's a site that teaches basic hacking; of course they are paranoid.

    Anyway, I can post on their forum for you to get this pentested; all I would need you to do is put in an HTML comment saying "hts can pentest this".

    If they report any vulnerabilities I will private message you.

    Just tell me if it's OK or not for me to ask them to pentest this.
#7 zxcvbnm (Devshed Frequenter)
    Originally Posted by jack13580:
    It's a site that teaches basic hacking; of course they are paranoid.

    Anyway, I can post on their forum for you to get this pentested; all I would need you to do is put in an HTML comment saying "hts can pentest this".

    If they report any vulnerabilities I will private message you.

    Just tell me if it's OK or not for me to ask them to pentest this.

    Thank you for doing this. Would it do if I just paste this on top?
    hts can pentest this
#8 Jacques1 (Devshed Expert, joined Jul 2012)
    Hi,

    I don't really see the point of this. The test site is far too trivial to be useful; most vulnerabilities don't come into play simply because the underlying functionality isn't there. CSRF isn't relevant, because you have no login mechanism. So pretty much all that's left at the application level is XSS and SQLi, and those are covered by your framework. Unless there's a major bug in CI, I don't expect there to be any obvious vulnerabilities.

    What does that tell you? Well, not much: simple sites are easy to protect.

    What you should do, however, is stop PHP from outputting its exact version in the HTTP headers (X-Powered-By). And an availability check for email addresses would be a violation of privacy -- on a real site.

    --
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#9 zxcvbnm (Devshed Frequenter)
    Originally Posted by Jacques1:
    The test site is far too trivial to be useful; most vulnerabilities don't come into play simply because the underlying functionality isn't there. CSRF isn't relevant, because you have no login mechanism.

    Explain please!

    Originally Posted by Jacques1:
    So pretty much all that's left at the application level is XSS and SQLi, and those are covered by your framework. Unless there's a major bug in CI, I don't expect there to be any obvious vulnerabilities.

    That is what I need feedback on.

    Originally Posted by Jacques1:
    Simple sites are easy to protect.

    What is a not-simple site?

    Originally Posted by Jacques1:
    What you should do, however, is stop PHP from outputting its exact version in the HTTP headers (X-Powered-By).

    How? What? I haven't heard of this before.

    Originally Posted by Jacques1:
    And an availability check for email addresses would be a violation of privacy -- on a real site.

    Then what do you tell users if a username or email is already taken?

    Originally Posted by Jacques1:
    on a real site

    Got an example of a real site?

    And last, what is the risk with sending a password to the user rather than sending them a link where they go and update it?
#10 Jacques1 (Devshed Expert)
    Originally Posted by zxcvbnm:
    Explain please!

    CSRF means taking advantage of the privileges of another user account. Without accounts, there is no CSRF.

    Originally Posted by zxcvbnm:
    That is what I need feedback on.

    Well, the current setup is pretty much like putting a static HTML file online and asking people to "hack" it.

    Originally Posted by zxcvbnm:
    What is a not-simple site?

    I'm talking about a website that actually does something. A website with user accounts and user interaction (like a simple blog).

    Originally Posted by zxcvbnm:
    How? What? I haven't heard of this before.

    http://www.php.net/manual/en/ini.cor...ini.expose-php

    It's no serious protection, but at least you won't hand all your system info over on a silver platter.

    Originally Posted by zxcvbnm:
    Then what do you tell users if a username or email is already taken?

    As long as you're dealing with public user names, you can give the feedback directly in the form. But you must not expose the email addresses of your users by telling anybody on the Internet whether or not a certain address is registered on your site.

    Send them an email. I wrote a complete guide for an authentication system.

    Originally Posted by zxcvbnm:
    And last, what is the risk with sending a password to the user rather than sending them a link where they go and update it?

    Unencrypted emails are pretty much the worst medium for sending and storing passwords. They can easily be intercepted, and the user might keep the password in the inbox and use it permanently.

    That's why every serious website today uses a temporary token which expires after a short amount of time.
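    The two points made in post #10, an email check that does not reveal whether an address is registered and a reset link built on a short-lived one-time token instead of a mailed password, as an added example that is not code from the thread or from Jacques1's guide. It is plain PHP 7.1+ with PDO rather than CodeIgniter so it stands on its own; the `users` and `password_resets` tables, their columns, the 15-minute lifetime, the base URL and the `send_reset_mail()` helper are all assumptions made for the illustration.

```php
<?php
// Added example, not from the thread: enumeration-safe reset request and
// a one-time, expiring reset token. Table/column names are assumed.

const RESET_TOKEN_TTL = 900;   // seconds a reset link stays valid (assumed value)

// 1. Never tell the caller whether the address exists. The lookup decides
//    whether a mail goes out, but the returned message is identical either
//    way, so the form cannot be used to harvest registered addresses.
function request_password_reset(PDO $db, string $email): string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() !== false) {
        send_reset_mail($email, issue_reset_token($db, $email));
    }
    return 'If that address is registered, a reset link has been sent.';
}

// 2. Mint the token: 128 random bits from the OS CSPRNG. Only its SHA-256
//    is stored, so a leaked password_resets row cannot be replayed as a
//    link; the raw token exists only in the e-mail. SHA-256 without a
//    work factor is fine here because the input is random, not user-chosen.
function issue_reset_token(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(16));
    $stmt  = $db->prepare(
        'INSERT INTO password_resets (email, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$email, hash('sha256', $token), time() + RESET_TOKEN_TTL]);
    return $token;
}

// 3. Redeem the token from the link. The row is deleted whether or not the
//    token is still valid, so it can be used at most once and stale rows do
//    not pile up. Returns the owning e-mail address, or null if the token
//    is unknown or expired.
function redeem_reset_token(PDO $db, string $token): ?string
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT email, expires_at FROM password_resets WHERE token_hash = ?'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $db->prepare('DELETE FROM password_resets WHERE token_hash = ?')->execute([$hash]);

    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return $row['email'];
}

// Assumed mailer. The link is built from a fixed base URL, never from the
// request's Host header, so an attacker cannot steer the token to a host
// they control.
function send_reset_mail(string $email, string $token): void
{
    $link = 'https://example.invalid/reset?token=' . $token;
    mail($email, 'Password reset', "Open this link within 15 minutes:\n$link");
}
```

    The page that handles the link calls `redeem_reset_token()` first and only shows the new-password form when it returns an address; a null result should produce the same generic "link invalid or expired" message in both cases. Because the token has 128 bits of entropy and is looked up by hash, a plain equality match in SQL is sufficient and no constant-time comparison is needed.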
#11 zxcvbnm (Devshed Frequenter)
    Originally Posted by Jacques1:
    Well, the current setup is pretty much like putting a static HTML file online

    No it's not. This page inserts user-posted data into the database and also retrieves it back from the database. I am not sure if that is possible with a static HTML file.

    This could be vulnerable to XSS and SQL injection. Recently you simply proved CodeIgniter's security is crap. I am fixing those scripts; that is why I am putting this page up, to make sure I am not making mistakes.

    But thanks for your points, very useful.
