#1 <? unset($sanity) ?> (Devshed Novice, 500 - 999 posts; Join Date: Jul 2003; Posts: 613; Rep Power: 12)

    Security Check! http://www.betachat.com/login.php

    Okay. The reason I'm doing this is because I need to hide the actual URL so certain users don't know where to run the script they use to wreak havoc on the chatroom. As an example, the room URLs for certain rooms are..

    PHP Code:
    // Room Name
    the Bar

    // Room URL
    ???????????

    // Room Name
    the Lounge

    // Room URL
    http://wishbone.optichat.com/optichat.html?oc_room=room2&oc_acc=yabber&oc_user=YabberChatTest&oc_profile=main&oc_stage=2

    // Room Name
    the Beer Garden

    // Room URL
    http://wishbone.optichat.com/optichat.html?oc_room=room3&oc_acc=yabber&oc_user=YabberChatTest&oc_profile=main&oc_stage=2

    // Room Name
    the Basement

    // Room URL
    http://wishbone.optichat.com/optichat.html?oc_room=room4&oc_acc=yabber&oc_user=YabberChatTest&oc_profile=main&oc_stage=2
    Now the test is.. What is the actual URL for the room name "the Bar"? Looking at the other URLs, that's basically what I'll be looking for. Also, you should know: I have spoofed the room names in the form. And no, it's not "room1". And subtract all that vBulletin parsing of target="_blank" stuff. If you do happen to find a way around it, I have to know what it is so I can fix it!
    Last edited by URSLOWR; November 24th, 2003 at 09:34 PM.
    "I haven't failed, I've found 10,000 ways that won't work."
    - Thomas Edison

    -=Rick=-

    Chat Refinance Loans
#2 Junior Member (Devshed Newbie, 0 - 499 posts; Join Date: Nov 2003; Location: Amarillo, TX; Posts: 6; Rep Power: 0)

    If you are using a third party script you may be out of luck. When variables or data are posted to the URL via this method:

    script.php?name=James&age=40

    ...it's using the GET method. If you use the POST method, the data is still transmitted to the server, but it's contained in the headers and not the URL itself (it's actually dependent on the Content-length header). It is, indeed, easy to snoop POST data, but for 98% of users, it's "out of sight, out of mind".

    Using the POST method on forms (instead of GET) is a simple method of "hiding" your form submission data. If, however, the data does not come from a form...for example, a text link...you will have to involve JavaScript to submit a form when a text link is clicked. (It's essentially a pass-through form submission the user never sees...)

    Like I said...if you're using a third party "chat" client, you may be stuck with what you have. If you are willing to change, however, there are a great variety of FREE chat scripts for many languages out there...all you have to invest is some time browsing and testing.

    Historically, however, chat (especially real-time systems like IRC) has always been a security disaster. Asking for a secure chat system is like telling the sun not to shine. It will work half the time.

    Hope this helps.
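The GET-versus-POST point and the JavaScript "pass-through" form submission described in the answer above, as an added example that is not code from the thread or from any poster. The parameter names are copied from the thread's example URLs; the values are a constructed sample, and the function names (`buildGetUrl`, `buildRawPostRequest`, `submitViaHiddenPostForm`) and the link id `bar-link` are this example's own assumptions.

```javascript
// Constructed sample parameters (same names as the thread's example URLs).
const ROOM_PARAMS = { oc_room: "room2", oc_acc: "yabber", oc_user: "YabberChatTest" };

// application/x-www-form-urlencoded encoding, used by both GET and POST.
function encodeForm(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// GET: the parameters become part of the URL, so they show up in the address bar,
// browser history, bookmarks, proxy logs and the Referer header.
function buildGetUrl(base, params) {
  return `${base}?${encodeForm(params)}`;
}

// POST: the same parameters travel in the request body, sized by Content-Length.
// Returns the raw request as it crosses the wire, which shows that the values are
// out of the address bar but still readable by a proxy or the browser's own tools.
function buildRawPostRequest(host, path, params) {
  const body = encodeForm(params);
  return [
    `POST ${path} HTTP/1.1`,
    `Host: ${host}`,
    "Content-Type: application/x-www-form-urlencoded",
    `Content-Length: ${new TextEncoder().encode(body).length}`,
    "",
    body,
  ].join("\r\n");
}

// Browser side: build a hidden POST form and submit it when a text link is
// clicked. `doc` is passed in instead of using the global `document` so the
// same function can be exercised outside a browser.
function submitViaHiddenPostForm(doc, action, params) {
  const form = doc.createElement("form");
  form.method = "post";
  form.action = action;
  for (const [name, value] of Object.entries(params)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Wire a link up in a real page (no-op outside a browser). Assumed markup:
//   <a href="#" id="bar-link">the Bar</a>
if (typeof document !== "undefined") {
  const link = document.getElementById("bar-link");
  if (link) {
    link.addEventListener("click", (ev) => {
      ev.preventDefault();
      submitViaHiddenPostForm(document, "http://wishbone.optichat.com/optichat.html", ROOM_PARAMS);
    });
  }
}
```

The raw request returned by `buildRawPostRequest` is the check worth running before relying on this: the room parameters are no longer in the first line, but they are all in the body, so switching to POST only keeps them out of the visible URL, exactly the "out of sight, out of mind" the answer describes.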
#3 <? unset($sanity) ?> (Devshed Novice, 500 - 999 posts; Join Date: Jul 2003; Posts: 613; Rep Power: 12)

    Hehehe, so far though, only one person has been able to crack open my actual values, and stick them in my face to see. I think that so far. The script I created does somewhat of a good job in hiding, or spoofing the variables. And for the back end person trying to get the values, I've made it such a pain in the *** to get the source that they'll either get bored with decoding everything. Encoding the source is just a diversion, nothing more. Can be decoded in about 5 minutes. But it's the fact that they have to.