Testing Old Website's Security (Newbie)

A place where newbies can post without (much) fear of reprisal. All mission posts should still go in the applicable forum.
Forum rules
Older HTS users: Be nice to the new people.

NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.

Testing Old Website's Security (Newbie)

Post by minichrispy on Sat Sep 15, 2012 5:13 pm
([msg=69398]see Testing Old Website's Security (Newbie)[/msg])

Hi, I'm fairly new to hacking, so I hope you can forgive my lack of skill, but I'll get straight to the point. My private school has a login page on the old section of their website (They've slowly been changing everything to a newer theme/location) and after completing the HTS basic missions, I was wondering how secure it was. Now, this login page grants access to the community section of the website intended for students/parents and has stuff like news, the lunch menu, sports activities, school forms, etc.). They've been using the same username and password combination since I first came to this school 7 years ago, and so far as I know this is the only combination that works (they've never told us anything else). I've tried a few sql commands and I've looked through the source code but I haven't found anything too obvious to exploit. I wanted to see if you guys had any suggestions as to what I could try. I'm not sure if posting the webpage's source could help (I couldn't find anything on it).

Now, I want to be clear that this isn't my website, its my school's and even though this section of the website hasn't been updated since January and most of the information is obsolete, I don't want to do anything illegal or break any rules. I firmly support HTS's position on illegal activities and don't want to engage in any myself. But since I already know the user/pass, I'm not sure if checking the vulnerability constitutes as illegal, so please tell me if it does and I will drop this idea completely. Thanks in advance for feedback. :)
minichrispy
New User
New User
 
Posts: 2
Joined: Sat Sep 15, 2012 4:52 pm
Blog: View Blog (0)


Re: Testing Old Website's Security (Newbie)

Post by centip3de on Sat Sep 15, 2012 5:19 pm
([msg=69400]see Re: Testing Old Website's Security (Newbie)[/msg])

minichrispy wrote:Hi, I'm fairly new to hacking, so I hope you can forgive my lack of skill, but I'll get straight to the point. My private school has a login page on the old section of their website (They've slowly been changing everything to a newer theme/location) and after completing the HTS basic missions, I was wondering how secure it was. Now, this login page grants access to the community section of the website intended for students/parents and has stuff like news, the lunch menu, sports activities, school forms, etc.). They've been using the same username and password combination since I first came to this school 7 years ago, and so far as I know this is the only combination that works (they've never told us anything else). I've tried a few sql commands and I've looked through the source code but I haven't found anything too obvious to exploit. I wanted to see if you guys had any suggestions as to what I could try. I'm not sure if posting the webpage's source could help (I couldn't find anything on it).

Now, I want to be clear that this isn't my website, its my school's and even though this section of the website hasn't been updated since January and most of the information is obsolete, I don't want to do anything illegal or break any rules. I firmly support HTS's position on illegal activities and don't want to engage in any myself. But since I already know the user/pass, I'm not sure if checking the vulnerability constitutes as illegal, so please tell me if it does and I will drop this idea completely. Thanks in advance for feedback. :)


So close man, we'd be so close to helping you... But, you stated that you're intending on using the information we would give you to break into (even if it's just testing) something you don't own, thus, it is still illegal. Sorry mate.

Also, don't take whatever you learn in the basic missions as the only exploits there are. In fact, 90% of the things in the basic missions (except possibly SQLi) aren't going to work in the real world simply because server admins/web developers are (generally) smarter than that.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1467
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: Testing Old Website's Security (Newbie)

Post by minichrispy on Sat Sep 15, 2012 5:32 pm
([msg=69401]see Re: Testing Old Website's Security (Newbie)[/msg])

centip3de wrote:
minichrispy wrote:Hi, I'm fairly new to hacking, so I hope you can forgive my lack of skill, but I'll get straight to the point. My private school has a login page on the old section of their website (They've slowly been changing everything to a newer theme/location) and after completing the HTS basic missions, I was wondering how secure it was. Now, this login page grants access to the community section of the website intended for students/parents and has stuff like news, the lunch menu, sports activities, school forms, etc.). They've been using the same username and password combination since I first came to this school 7 years ago, and so far as I know this is the only combination that works (they've never told us anything else). I've tried a few sql commands and I've looked through the source code but I haven't found anything too obvious to exploit. I wanted to see if you guys had any suggestions as to what I could try. I'm not sure if posting the webpage's source could help (I couldn't find anything on it).

Now, I want to be clear that this isn't my website, its my school's and even though this section of the website hasn't been updated since January and most of the information is obsolete, I don't want to do anything illegal or break any rules. I firmly support HTS's position on illegal activities and don't want to engage in any myself. But since I already know the user/pass, I'm not sure if checking the vulnerability constitutes as illegal, so please tell me if it does and I will drop this idea completely. Thanks in advance for feedback. :)


So close man, we'd be so close to helping you... But, you stated that you're intending on using the information we would give you to break into (even if it's just testing) something you don't own, thus, it is still illegal. Sorry mate.

Also, don't take whatever you learn in the basic missions as the only exploits there are. In fact, 90% of the things in the basic missions (except possibly SQLi) aren't going to work in the real world simply because server admins/web developers are (generally) smarter than that.


Ah, that makes sense, thanks for letting me know!
minichrispy
New User
New User
 
Posts: 2
Joined: Sat Sep 15, 2012 4:52 pm
Blog: View Blog (0)


Re: Testing Old Website's Security (Newbie)

Post by centip3de on Sat Sep 15, 2012 6:19 pm
([msg=69403]see Re: Testing Old Website's Security (Newbie)[/msg])

minichrispy wrote:Ah, that makes sense, thanks for letting me know!


No problem, thanks for joining HTS! Hope to see you around soon! :)
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1467
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: Testing Old Website's Security (Newbie)

Post by LoGiCaL__ on Sun Sep 16, 2012 7:08 am
([msg=69411]see Re: Testing Old Website's Security (Newbie)[/msg])

Not to mention just because you have the pages source code isn't the end all and be all. There may be server side code that doesn't even show on the page. Also, is it really worth the risk? This is where risk-benefit analysis comes in to play here. Other than being able to say you did it, what info on this site is really worth the risk of being caught? These school server/website stories are common and all I ever see from them is just being able to talk about it, nothing more. You would probably get more out of building your own site and testing on that. Build it then break it and repeat.
User avatar
LoGiCaL__
Addict
Addict
 
Posts: 1063
Joined: Sun May 30, 2010 12:33 pm
Blog: View Blog (0)



Return to NZone

Who is online

Users browsing this forum: No registered users and 0 guests