Hack My Website

Discuss the many weaknesses of browser security and ways to mitigate the threat


Post by -65536- on Mon Aug 16, 2010 12:47 am

Hello, I am developing a website that I am going to run on my desktop. I'm building this website so that a limited number of users can access some web apps I'm developing. I have pretty much completed the authentication code and I am almost ready to start building the content.

I was wondering if anyone is willing to look through my code and see if they can find any problems. Thanks!

You can download the files here: [Link removed temporarily. Please read post by Admin.]
The zip file contains my code, example database files, php config file, and lighttpd config file.

Info on the server
Router:
  • Virtual server port 443 tcp only
OS:
  • Windows 7 Ultimate x86
  • Auto updates enabled
Server:
  • lightTPD WLMP 1.4.26-1 (SSL)
  • Self signed SSL cert
  • Only listening on port 443
PHP:
  • 5.3.3 VC9 x86 Non Thread Safe
  • Fastcgi listening on 127.0.0.1:521
  • WinCache 1.1
  • sqlite3 PDO

Every time a page loads:

Check to see if the IP has been banned
  • Load an array of banned IPs from a RAM cache
  • Check for IP, if the user is banned die()
Check to see if the IP is flooding
  • Increment a counter on every page request
  • If a single IP has more than 10000 requests in 1 hr add their IP to the ban list
Check to see if they have an authorized session
  • Check session vars for auth=true
Try to log them in with a cookie
  • Read username and key from cookie
  • Compare key to sha256("static salt"+"hashed password"+"ip"+"username")
  • If key matches set auth=true
Check for login POST data
  • Compare hashedpass to sha256("random salt"+"password"+"username"+"admin rights"+"static salt")
  • If key matches set auth=true
For both cookie and POST check this first
  • Make sure their account has been initialized
  • Make sure their account does not have a pending password reset
  • Make sure there is no ban date attached to their account
  • Make sure the failed login attempt count is less than 6
  • If there was a failed login attempt increment the counter for that username
  • Don't display any failure messages
-65536-
New User
Posts: 4
Joined: Sun Aug 15, 2010 11:52 pm


Re: Hack My Website

Post by Dwere on Sat Sep 25, 2010 11:41 am

-65536- wrote:
  • Compare key to sha256("static salt"+"hashed password"+"ip"+"username")
  • If key matches set auth=true

Just curious here... I'm not an expert at web design, or programming commands etc.
However... this is both a question and a suggestion, depending on the ANSWER to my question.
"if key matches set auth=true"
Should there be - or is it implied that there is? - a piece of code stating "if key doesn't match set auth=false" or not?
Just curious.
-Dwere (David)
Goatboy wrote:
Dwere wrote:I'm not one to start some branch of religion though. Not my thing.

Of course if you wanted to, you could call it the Davidians!
Dwere
New User
Posts: 21
Joined: Fri Sep 24, 2010 8:21 pm
Location: Washington
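A runnable model of the per-page checks and login flow that -65536- describes in the opening post, together with Dwere's point about the auth flag. This is an added example in Python, not the poster's PHP code: the salts, server key, sample account and limits are constructed (the post gives the numbers 6 and 10000 but no salts or keys), and the HMAC-with-expiry cookie key is an assumed alternative the post does not describe, shown beside the posted scheme so the two can be compared.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed values: the poster's real salts, keys and user table are not on the page.
STATIC_SALT = "example-static-salt"
MAX_FAILED_LOGINS = 6      # post: "failed login attempts is less than 6"
FLOOD_LIMIT = 10000        # post: more than 10000 requests in 1 hr adds the IP to the ban list
FLOOD_WINDOW = 3600        # seconds


def hash_password(random_salt, password, username, admin_rights):
    """Stored password hash, in exactly the input order the post gives."""
    data = random_salt + password + username + admin_rights + STATIC_SALT
    return hashlib.sha256(data.encode()).hexdigest()


def cookie_key_as_posted(hashed_password, ip, username):
    """sha256("static salt"+"hashed password"+"ip"+"username"): bare concatenation.

    Field boundaries are not encoded, so ("10.0.0.1", "2bob") and ("10.0.0.12", "bob")
    hash to the same key, and nothing in the key ever expires it."""
    data = STATIC_SALT + hashed_password + ip + username
    return hashlib.sha256(data.encode()).hexdigest()


def cookie_key_hardened(server_key, hashed_password, ip, username, expires):
    """Assumed alternative (not from the post): HMAC over length-prefixed fields plus an expiry."""
    fields = (hashed_password, ip, username, str(expires))
    msg = "|".join(f"{len(f)}:{f}" for f in fields)       # unambiguous field boundaries
    mac = hmac.new(server_key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def verify_hardened(server_key, token, hashed_password, ip, username, now):
    """Reject expired tokens and compare the MAC in constant time."""
    exp_str, _, _ = token.partition(".")
    if not exp_str.isdigit() or int(exp_str) < now:
        return False
    expected = cookie_key_hardened(server_key, hashed_password, ip, username, int(exp_str))
    return hmac.compare_digest(expected, token)


def make_users():
    """Constructed sample account; stands in for the poster's example database."""
    salt = "r4nd0m"
    return {"alice": {"random_salt": salt, "admin": "0", "initialized": True,
                      "reset_pending": False, "ban_date": None, "failed": 0,
                      "hash": hash_password(salt, "correct horse", "alice", "0")}}


class AuthServer:
    """Per-page checks from the post: IP ban list, flood counter, account state, login POST."""

    def __init__(self, users, server_key):
        self.users = users
        self.server_key = server_key
        self.requests = defaultdict(deque)   # ip -> request timestamps (stand-in for the RAM cache)
        self.banned = set()

    def page_load(self, ip, now):
        if ip in self.banned:
            return "banned"                  # post: die() for banned IPs
        window = self.requests[ip]
        while window and window[0] <= now - FLOOD_WINDOW:
            window.popleft()                 # drop requests older than one hour
        window.append(now)
        if len(window) > FLOOD_LIMIT:
            self.banned.add(ip)
            return "banned"
        return "ok"

    @staticmethod
    def account_usable(user):
        """The pre-checks the post applies before both cookie and POST login."""
        return (user["initialized"] and not user["reset_pending"]
                and user["ban_date"] is None and user["failed"] < MAX_FAILED_LOGINS)

    def login_post(self, username, password):
        auth = False                         # Dwere's point: start unauthenticated, only a verified match flips it
        user = self.users.get(username)
        if user is not None and self.account_usable(user):
            candidate = hash_password(user["random_salt"], password, username, user["admin"])
            if hmac.compare_digest(candidate, user["hash"]):
                auth = True
                user["failed"] = 0
            else:
                user["failed"] += 1          # post: count the failure against that username
        return auth                          # same False for unknown user, bad password or locked account
```

Two things the model makes visible that the bullet list does not: the posted cookie key is a fixed function of data that only changes when the password does, so there is no way to invalidate a leaked cookie short of a password change, and the bare string concatenation gives no way to tell where one field ends and the next begins. The hardened variant keys the hash with a server secret, length-prefixes each field and carries its own expiry, and both paths compare digests in constant time.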


Re: Hack My Website

Post by Monica on Sat Sep 25, 2010 3:00 pm

I'm sorry, I temporarily removed the link for download for review to ensure the safety of other users. You may re-upload the file.
hi am new so plz dont troll me or i report 2 the HTS mods ty
Monica
Contributor
Posts: 877
Joined: Thu Oct 02, 2008 12:29 am
Location: In The Shadows


Re: Hack My Website

Post by IncandescentLight on Fri Nov 19, 2010 9:59 am

Well, on the software side just keep your software up-to-date. Outdated software will be open to attacks as it contains vulnerable code which can be exploited by attacks such as buffer overflows, stack-based buffer overflows etc.

On another note, check that your PHP code is Buffer-overflow proof. From experience, just spamming in a login page may sometimes let you in as administrator. Look for XSS vulnerabilities in your site map and keep operations on the server-side as much as possible so the client will not be able to manipulate data.
Speak softly and carry a big stick -Theodore Roosevelt

http://www.rhetoricalcatch.blogspot.com
IncandescentLight
Poster
Posts: 216
Joined: Sun Apr 27, 2008 3:16 am


Re: Hack My Website

Post by Defience on Fri Nov 19, 2010 12:21 pm

Necro......
Defience
Addict
Posts: 1265
Joined: Thu Jun 12, 2008 3:16 pm


