am i allowed to full on hack this site.


Post by Jaguar8thNova on Sun Jun 17, 2018 6:17 pm

so i've been wanting to try out some new stuff that i've learned but i'm afraid it might damage the site integrity here. i was wondering if i'm allowed to go wild and full on attack this site. or if there are limits, as in, hacking is only allowed via missions etc. please let me know because i'm locked and loaded, ready to go :twisted:

-- Sun Jun 17, 2018 7:10 pm --

you took too long to respond so here comes the boom baby!

-- Sun Jun 17, 2018 8:28 pm --

so i found some vulnerabilities in this site. unless of course they are false positives. here's what i found
1:) X-Frame-options header not set. the x-frame options header is not included in the HTTP response. hence vulnerable to clickjacking attacks.
2:) cookie no http only flag. you guys set a cookie without an http only flag, i can access it via javascript. if i decided to run a malicious script i can ensure that it's transmitted to other sites. if it's a session cookie then i can session hijack anyone currently on your site.
3:) you guys have a Cross-Domain javascript source file inclusion...two of them actually. in fact i'll list it. http://www3.data.htscdn.org/js/query-1.8.1.min.js
4:) password autocomplete in Browser. your autocomplete attribute is not disabled on an HTML form/input element containing password type input. passwords may be stored in browsers and retrieved... this doesn't sound so bad and most view it as low risk but if i sniff the ip address of anyone here and use armitage to exploit, gaining control of their machine, i can use a password forensics attack to recover their password.
5:) your XSS protection is not enabled. you can enable it by setting the X-XSS-Protection HTTP response header to 1

-- Sun Jun 17, 2018 9:01 pm --

also you have some legacy issues. X-content-type-options header missing. anti-MIME-Sniffing header x-content-type-options was set to nosniff this allows older versions of explorer chrome and to do MIME-sniffing on the response body, which means i can use that to display the response body as a content type other than the declared type.

-- Sun Jun 17, 2018 9:03 pm --

you're vulnerable to 414 attacks via java
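Most of the findings in the post above are checks on HTTP response headers. As an added example (not part of the thread and not the site's code), this Python sketch runs the frame-options, nosniff and HttpOnly checks over a constructed header block; the function name and sample values are assumptions made for illustration.

```python
from email.parser import Parser

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
Content-Type: text/html; charset=utf-8
Set-Cookie: sid=abc123; Path=/; Secure
Set-Cookie: theme=dark; Path=/; HttpOnly
X-Content-Type-Options: nosniff
"""


def audit_headers(raw):
    """Return a list of findings for the header checks named in the post."""
    msg = Parser().parsestr(raw, headersonly=True)
    findings = []

    # Clickjacking: X-Frame-Options, or a CSP frame-ancestors directive,
    # tells the browser who may frame the page.
    csp = " ".join(msg.get_all("Content-Security-Policy", [])).lower()
    if msg.get("X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors")

    # MIME sniffing: the header must be present AND equal to nosniff.
    xcto = (msg.get("X-Content-Type-Options") or "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Cookies: each Set-Cookie header is checked on its own. Attribute
    # names are case-insensitive and follow the first name=value pair.
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower()
                 for p in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

A missing HttpOnly flag only matters for cookies that carry session state, so each cookie finding still needs a look at what the cookie is used for before it is rated.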


Re: am i allowed to full on hack this site.

Post by nidhaker on Fri Jun 29, 2018 10:02 pm

can you contact me vu22768897shi@163.com?
need assistance.



Re: am i allowed to full on hack this site.

Post by pretentious on Thu Jul 05, 2018 7:21 am

Can any of these vulnerabilities be actively exploited?
I’m not really a web guy
If so, jump on irc and contact kage. I assume he’s still running things.
Otherwise, keep digging. I speak for the nonexistent moderators when i say, go nuts. that’s what this site was built for
Goatboy wrote:Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
Can you say brainwashing It's a non stop disco


Re: am i allowed to full on hack this site.

Post by Entercide on Tue Jul 17, 2018 7:18 am

Hey is there a way i can contact you privately? i wanted to ask you some questions


Re: am i allowed to full on hack this site.

Post by NoSQL1 on Mon Aug 27, 2018 9:32 pm

Bravo! You can run a vulnerability scanner.


