I Invite You To Break My Site
superfireydave 
17/4/08 1:07:24 PM
Titan

Wait what? Thread moved?
DAMN YOU MAXX!

-----
Mreow?

Master_Scythe 
17/4/08 1:34:30 PM
Titan

Linux, although irresponsible, it was rather clever.

And technically he broke no rules redirecting a site outside of Atomic to there; he didn't direct link. It still went to Dave's site and redirected (if it worked).

Clicking outside links on a work machine is a risk you take.

Although it's irresponsible to trick people into that sort of thing, it's also a user's choice whether or not to visit an outside link at work, or, more importantly, if it's that bad in the office, to visit those links WITHOUT content control. I assume freeware software could easily stop you trying to go to meatspin etc.

Anyway, this is about Dave's site.

Linux, it was clever, kudos, but irresponsible.

Khendar, it's unfortunate you visited a bad site at work; however, on a site that Dave was ASKING to be COMPROMISED you should at least assume bad things COULD happen. It was a risk you chose to take.

Anyway, back to Dave.

-----
4200+X2 939, ASUS A8N-SLI-D, Ati HD3850, 1gb,1tb total HDD, 109 DVD, LG DVD-rom.
Quote by Girvo
I've got a wicked tiny one that is ridiculously sensitive.



The Manta 
17/4/08 1:36:52 PM
Immortal

Quote by Master_Scythe
Linux, although irresponsible, it was rather clever.

And technically he broke no rules redirecting a site outside of Atomic to there; he didn't direct link. It still went to Dave's site and redirected (if it worked).

Clicking outside links on a work machine is a risk you take.

Although it's irresponsible to trick people into that sort of thing, it's also a user's choice whether or not to visit an outside link at work, or, more importantly, if it's that bad in the office, to visit those links WITHOUT content control. I assume freeware software could easily stop you trying to go to meatspin etc.

Anyway, this is about Dave's site.

Linux, it was clever, kudos, but irresponsible.

Khendar, it's unfortunate you visited a bad site at work; however, on a site that Dave was ASKING to be COMPROMISED you should at least assume bad things COULD happen. It was a risk you chose to take.

Anyway, back to Dave.



Absolutely. Which is why I won't be checking it again until I can be satisfied that there will be absolutely no chance I'll end up on something dodgy.

That said, good luck, guys. Hope it's a clean bill of health.

-----
Gallantry is back.

Quote by Roman Bellic
"I had a lot to drink, but I'm straight sober! *faceplants onto sidewalk*"



superfireydave 
17/4/08 1:45:19 PM
Titan

It'd be awesome if you actually told me how you were breaking it, not just breaking it =P

How are you doing the weird locations?

-----
Mreow?

Linux_Inside V2 
17/4/08 1:49:10 PM
Immortal

Your code isn't checking the referrer; I'm using an HTML file hosted elsewhere with your form action :P

-----
Quote by Damo
Although no doubt watching your mother being repeatedly stabbed with a 2 inch stabbing device must be a traumatic experience worthy of future counselling.



superfireydave 
17/4/08 1:50:40 PM
Titan

Yeah, I just figured that out =P
Cheers <3

-----
Mreow?

Cynic* 
17/4/08 1:55:01 PM
Banned

I'm using noscript. Your javascript does nothing! Muhaha.

Anyway - are you protecting against SQL injection?


Edited by Cynic*: 17/4/2008 1:55:23 PM

-----

Quote by Kimmo
I guess my juice would cover two folks pretty easy



superfireydave 
17/4/08 2:06:46 PM
Titan

Yes, it should be.
edit: and there isn't any javascript on that site!


Edited by superfireydave: 17/4/2008 02:07:49 PM

-----
Mreow?

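Cynic*'s question above (whether the form is protected against SQL injection) and Sneddo's later point that sanitising and proper input validation matter more than the referrer check can be shown side by side. The following Python is an added example, not code from the thread or from superfireydave's assignment; the SQLite users table, its two rows and the username format are constructed assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (example data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("dave", "dave@example.invalid"), ("alice", "alice@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Builds the SQL by string formatting, so the submitted value is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Parameterised query: the driver binds the value as data, never as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Assumed username format for the site: 1-32 word characters (an assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(name: str) -> bool:
    """Allow-list validation: reject anything outside the expected character set."""
    return USERNAME_RE.fullmatch(name) is not None


def find_user_validated(conn: sqlite3.Connection, name: str) -> list[str]:
    """Validate first, then query with parameters: the usual layered approach."""
    if not valid_username(name):
        raise ValueError("invalid username")
    return find_user_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology every SQL-injection tutorial uses as its test input.
    probe = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_user_safe(db, probe))        # no user has that literal name
    print("validated: ", valid_username(probe), valid_username("dave"))
```

The parameterised query alone closes the injection; the allow-list check is the "sanitising" layer, and it also rejects junk input before it reaches the database at all.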
Linux_Inside V2 
17/4/08 2:27:25 PM
Immortal

LOL

Invalid referrer and all I'm trying to do is hit create on your own site not mine :D

-----
Quote by Damo
Although no doubt watching your mother being repeatedly stabbed with a 2 inch stabbing device must be a traumatic experience worthy of future counselling.



superfireydave 
17/4/08 2:36:32 PM
Titan

Should be fixed now =P
Can you try injecting into the form from your site again?

-----
Mreow?

Linux_Inside V2 
17/4/08 2:56:32 PM
Immortal

Yep, got an invalid referrer message :D

-----
Quote by Damo
Although no doubt watching your mother being repeatedly stabbed with a 2 inch stabbing device must be a traumatic experience worthy of future counselling.



superfireydave 
17/4/08 3:02:05 PM
Titan

^_^

-----
Mreow?

Sneddo 
17/4/08 3:22:37 PM
Hero
Immortal


Checking referrer isn't enough though, it isn't hard to set a referrer header on a POST request. Or just use the web dev toolkit in Fx to manipulate it to do whatever you want.

-----

superfireydave 
17/4/08 3:35:44 PM
Titan

I'm aware of that QQ
But I think it will suffice for my assignment at the moment.

The next milestone uses sessions and authentication which should overcome many of the limitations of the current program.

-----
Mreow?

Linux_Inside V2 
17/4/08 3:49:19 PM
Immortal

Quote by Sneddo
Checking referrer isn't enough though, it isn't hard to set a referrer header on a POST request. Or just use the web dev toolkit in Fx to manipulate it to do whatever you want.



Oh okay,

What's a better way of doing it?

-----
Quote by Damo
Although no doubt watching your mother being repeatedly stabbed with a 2 inch stabbing device must be a traumatic experience worthy of future counselling.



Sneddo 
17/4/08 4:50:08 PM
Hero
Immortal


Quote by Linux_Inside V2
Quote by Sneddo
Checking referrer isn't enough though, it isn't hard to set a referrer header on a POST request. Or just use the web dev toolkit in Fx to manipulate it to do whatever you want.



Oh okay,

What's a better way of doing it?


Well, it depends what you are trying to prevent I suppose. Sanitising and proper validation on inputs would be a better way to deal with these threats IMO.

Edit: Referrer checking is still worth doing though, for the little code that it adds.


Edited by Sneddo: 17/4/2008 4:53:25 PM

-----

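Linux_Inside V2's original trick (a form hosted elsewhere pointing at Dave's form action), the referrer check Dave added, Sneddo's objection that the Referer header is set by the client, and the planned move to sessions and authentication can all be shown in one place. The following Python is an added example, not code from the thread or from superfireydave's assignment; the site origin, the in-memory session store, the form field names and the title rules are assumptions.

```python
import hmac
import secrets

# Assumed origin of the assignment site (hypothetical; not from the thread).
SITE_ORIGIN = "http://daves-site.example"

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
sessions: dict[str, dict[str, str]] = {}


def login(username: str) -> str:
    """Start a session (credential check omitted) and mint a per-session CSRF token.

    The site embeds the token in its own forms as a hidden field.
    """
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site's own form page renders into <input type="hidden" name="csrf">."""
    return sessions[sid]["csrf"]


def referrer_check(headers: dict[str, str]) -> bool:
    """The check the thread ends up with: accept only if Referer is our own origin.

    It stops a plain form hosted on another site, but the header comes from the
    client, so a request that presents our origin as Referer passes this test.
    """
    referer = headers.get("Referer", "")
    return referer.startswith(SITE_ORIGIN + "/")


def valid_title(title: str) -> bool:
    """Allow-list validation of the form field, independent of where the request came from."""
    return 1 <= len(title) <= 100 and title.isprintable()


def handle_create(headers: dict[str, str], cookies: dict[str, str],
                  form: dict[str, str]) -> tuple[int, str]:
    """Handle POST /create. Returns (HTTP status, message).

    Accepted only with a logged-in session cookie AND that session's CSRF token.
    A form on another origin gets the cookie attached by the browser, but it
    cannot read the token, so it fails here whatever Referer it presents.
    """
    sid = cookies.get("session", "")
    session = sessions.get(sid)
    if session is None:
        return 401, "login required"

    supplied = form.get("csrf", "")
    # Constant-time comparison on bytes (str inputs would raise on non-ASCII).
    if not hmac.compare_digest(supplied.encode("utf-8"), session["csrf"].encode("utf-8")):
        return 403, "invalid csrf token"

    title = form.get("title", "")
    if not valid_title(title):
        return 400, "invalid title"

    return 200, f"created '{title}' for {session['user']}"


if __name__ == "__main__":
    sid = login("dave")
    token = csrf_token_for(sid)
    # Posted from a form on another site: the browser attaches the cookie,
    # but that page never saw the token.
    foreign = {"Referer": "http://other.example/form.html"}
    print(referrer_check(foreign), handle_create(foreign, {"session": sid}, {"title": "hi"}))
    # Same request presenting our origin as Referer: referrer_check passes, the token check does not.
    spoofed = {"Referer": SITE_ORIGIN + "/form.html"}
    print(referrer_check(spoofed), handle_create(spoofed, {"session": sid}, {"title": "hi"}))
    # The site's own form: cookie plus matching token.
    print(handle_create(spoofed, {"session": sid}, {"title": "hi", "csrf": token}))
```

The referrer check is kept, as Sneddo suggests, but the decision rests on the session-bound token and on validating the field itself; `handle_create` never consults the Referer at all.
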
Linux_Inside V2 
17/4/08 5:45:02 PM
Immortal

Quote by Sneddo
Quote by Linux_Inside V2
Quote by Sneddo
Checking referrer isn't enough though, it isn't hard to set a referrer header on a POST request. Or just use the web dev toolkit in Fx to manipulate it to do whatever you want.



Oh okay,

What's a better way of doing it?


Well, it depends what you are trying to prevent I suppose. Sanitising and proper validation on inputs would be a better way to deal with these threats IMO.

Edit: Referrer checking is still worth doing though, for the little code that it adds.



Indeed

I suppose with any site that really requires it, Referrers, Sanitising and Logins = win

I don't do referrer checking on my CMS, but you need to log in and it's all sanitised anyway.

-----
Quote by Damo
Although no doubt watching your mother being repeatedly stabbed with a 2 inch stabbing device must be a traumatic experience worthy of future counselling.



.nate. 
15/6/08 6:34:19 PM
Master

Quote by khendar
Quote by Linux_Inside V2
BAH!

The meta refresh didn't work anyway, what are you whining about?



Someone else put a link to goatse - and you attempting to redirect to meatspin is equally fucking irresponsible. Grow the fuck up.



Hahahaha, don't be such a noob. He asked people to break his site; what did you expect them to post up pictures of?

Goatse has and always will be the internet's way of saying "owned".

I reckon you should "chill the fuck out".

-----
TRIPLE KILL!

mandalore 
11/7/08 5:22:42 PM
Banned
The site doesn't exist. It says it can't be displayed.

-----
Trust no one. Least of all yourself...

aliali 
11/7/08 5:43:02 PM
SuperHero
Immortal


Quote by mandalore
The site doesn't exist. It says it can't be displayed.


Dude how about checking the date on the last post in a thread before replying?
You have replied to several threads whose last post was at least a month ago and in most cases several months ago.

-----
Quote by superfireydave
People: "Oooh dinosaurs!"
Dinosaurs: NOM NOM NOM NOM NOM
People: "Ahhh dinosaurs!"


