
Check my site's security


Scar0ptics, Member

I have my site hosted and feel free to let me know of any security holes, if you find any.

The site is: securitybox.ddns.net

This site has a self-signed certificate, so you will have to add an exception. I tested the site's SSL at SSL Labs and I got an "A". Let me know if you find any weaknesses because as of now I think it is solid.

There are vulnerabilities in the CMS and system though; I'm sure of it, as there is no such thing as 100% secure.


gobzi, Member

I poked it for a couple of minutes and it seems ok.

Consider adding Captcha to register, since right now I can start pewpewing your DB with useless data :P

I know that register is "down" for the time being, but when you register, why is a password not required?!

I can't register so I couldn't check your cookie/sessions :P

Headers: X-Powered-By: PHP/5.4.16 (NO!) X-Generator: Drupal 7 (http://drupal.org) (NO!)

Server: Apache (That's much better, but still meh for me :D )

https://securitybox.ddns.net/icons/README remove that

cookie needs httpOnly and isSecure flags ### EDITED: I hope you issue a new cookie when the user authenticates (session fixation might occur)

Password autocomplete must be off!

That's what I've picked so far! Didn't run any scanners against it, since even my spider dos you :|
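The header and cookie findings above are the kind of thing a small audit script can catch before a reviewer does. The following is an added example in Python, not code from the thread or from Drupal; it parses a constructed response head modelled on the headers gobzi listed (the Set-Cookie line is assumed, since the thread only says the flags were missing) and returns the findings.

```python
import re

# Constructed sample response head, modelled on the headers reported in the
# thread. The Set-Cookie line is an assumption for illustration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.4.16\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "Set-Cookie: SESSabc123=deadbeef; path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Headers whose only job is to announce the stack; drop them at the server.
# For PHP, expose_php=Off removes X-Powered-By; session.cookie_httponly and
# session.cookie_secure add the cookie flags; session_regenerate_id() on login
# addresses the session fixation concern.
DISCLOSING_HEADERS = ("x-powered-by", "x-generator", "x-aspnet-version")


def parse_headers(raw):
    """Return (name_lower, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw):
    """List version-disclosing headers and cookies lacking HttpOnly/Secure."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING_HEADERS:
            findings.append(f"remove {name}: {value}")
        elif name == "server" and re.search(r"\d", value):
            # "Apache" alone is fine; "Apache/2.4.x" is not.
            findings.append(f"server header leaks version: {value}")
        elif name == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0]
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
    return findings
```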


gobzi, Member

Sorry, asdas is not recognized as a user name or an e-mail address.

NO! That's an informative error message. An attacker may enumerate usernames/emails.


gobzi, Member

Password issues! I registered with "a" as password.

Error: PDOException: SQLSTATE[HY000]: General error: 1 Can't create/write to file '/var/tmp/#sql_6d3_0.MAI' (Errcode: 2): SELECT DISTINCT b.* FROM {block} b LEFT JOIN {block_role} r ON b.module = r.module AND b.delta = r.delta WHERE b.status = 1 AND b.custom <> 0 AND (r.rid IN (:rids_0) OR r.rid IS NULL) ORDER BY b.weight, b.module; Array ( [:rids_0] => 2 ) in block_form_user_profile_form_alter() (line 578 of /var/www/html/index.html/modules/block/block.module).


Scar0ptics, Member

Ok, I can get in there and change some password settings, but I deleted your old account. Go ahead and create another account. I am also going to set up messaging on the site real soon. I'm thinking the captcha is not working... damn


gobzi, Member

Don't worry, all of these are easy fixes. You've done a great work so far :D


gobzi, Member

Still can register with password "a". Btw, enforce 8 characters long; 6 is not enough.


gobzi, Member

Don't blacklist "<script>" etc. I can find at least 1 payload that you haven't blacklisted.

Whitelist is recommended.
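To make the blacklist-versus-whitelist point concrete, here is an added Python example (not gobzi's code and not Drupal's; the function names and the username character set are assumptions): a literal-stripping blacklist of the kind the thread warns against, next to an allowlist check for a structured field and output encoding for free text.

```python
import html
import re

# Allowlist for a username: only the characters the field legitimately needs.
# The exact set is an assumption for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def blacklist_filter(text):
    """The approach the thread argues against: remove one known-bad literal.
    It matches only that exact string, so any variation passes untouched."""
    return text.replace("<script>", "")


def allowlist_username(username):
    """Accept a username only if every character is in the allowlist.
    Returns the username unchanged, or raises ValueError."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowlist")
    return username


def render_comment(text):
    """Free text such as a comment cannot be allowlisted, so encode it for the
    HTML context instead: '<', '>', '&' and quotes become inert entities,
    whatever the input contains."""
    return html.escape(text, quote=True)
```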


gobzi, Member

Captcha in comments :P


Scar0ptics, Member

I changed a few things; however, I haven't changed any of the password settings. I know I need to delete that directory that you mentioned in the top post too.


Scar0ptics, Member

I'll keep what I have for right now. I made everything case sensitive and I am not a fan of Google lol.. maybe in 2003, I know it's a great search engine, but they really messed it up.


Scar0ptics, Member

Image captcha is not loading and it is asking to verify the letters from an image... lol... fuck


gobzi, Member

Scar0ptics wrote: I'll keep what I have for right now. I made everything case sensitive and I am not a fan of Google lol.. maybe in 2003, I know it's a great search engine, but they really messed it up.

https://wappalyzer.com/applications/recaptcha Most of the optical character recognition tools will crack your captcha. :|


Scar0ptics, Member

Yeah, I know, but how was the network scan?

lol I had to get on the server and remove the captcha as it locked ME out ha-ha

I also saw that I have my box set up to block email communication, so that would be why people see an error message regarding any emails.


Scar0ptics, Member

I am still implementing a few things right now: captcha, password policy, etc.


Scar0ptics, Member

You can test out that captcha too when you get a chance. I'm not so sure it is working right.


rex_mundi, ☆ Lucifer ☆

Seriously man I hate fucking captchas especially on my mobile, so if a site uses them for more than just logging in, especially in forum or comment posts, I just don't bother using it. There's forums I've been a member of for years, and never posted a thing, due to their insistence on using captchas and security questions, before you can even reply to a PM. Captchas should be for registration and nothing else, except maybe cracking challenges.


Scar0ptics, Member

I'm working on that right now.

***Should only be on the registration page now.


Scar0ptics, Member

I am going to rebuild the web server again this week, but for the meantime I have a Proxy and VPN server.
