I have never felt so discouraged...
Hey guys,
First off, just let me say I think this place is great, and this post isn't about to flame HBH or its users.
However, having done some of the missions on here, and researching web hacking with Google, I have to say, I have never felt so discouraged to try and make a web site that is in any way useful.
Basically, ever since finishing school, I've had a few ideas for web sites, and I've actually thought that if I acted upon my ideas, I might actually make something worthwhile. But ever since I've came to HBH, I've had a bit of a rude awakening in terms of security vulnerabilities. And whats worse is that I'm just at the start of my hacking education, and I'm pretty sure I know next to nothing in the grand scheme of things!
I mean, I used to think so long as I had magic quotes enabled, my website would be safe from black hats! Now, I can only guess that there are countless more ways to deface a site, between XSS and SQL injection and a whole host of other methods - I just recently saw an article on here relating to injection via user agents! What the hell, I didn't even know that was possible!
I guess my reason for posting here is, I'd like someone to maybe give me a run down of how vulnerable the average interactive site coded in PHP would be? For example, if someone was to tell you they hand coded a member site in which people could register a username with a password and email address, and then search for and message other members, what would be the possible vulnerabilities that would spring to mind? Better still, what solutions would spring to mind?
For example, does anyone have any links to decent tutorials on safe proofing against SQL injections, rather than just using magic quotes? Also, how can I safe guard against RMI, or at least, how can I safeguard againt users injecting links to particularly dangerous files via RMI, like the C99 shell? Also, I've come across a few sites that offer to run security checks on your site - how effective are these scans?
I'm guessing a lot of you guys have seen this kind of post before, it's just anyone I've PM'd has been really helpful with whatever I've asked them, and I thought, why not put this question to all the users! :D
Anyway, thanks for taking the time to read this and offering whatever help you can, and if I've managed to annoy some of you with this post, please try to go easy with the flames, it wasn't intentional! :)
Dude, theres no reason to share bs about how you feel discouraged. And likely, you'll be flamed for sharing it :p . Nobody starts off knowing everything, but like you said your looking. Almost EVERY website starts off with bugs and vulnerable code, but the coders work through em and test em. Just remember you have to be nit picky about what you let visitors do. You need to filter every little input, lock sensitive directories, and disallow harmful code or easily manipulated actions. Just keep learning and you'll learn how to test and fix vulnerabilities as you go along.
While nobody can be 100% accurate in defending a website, it is rather simple to defend against around 90% of major attacks. The first rules and you must NEVER break it, treat every user is a malicious hacker willing to harm your site. This doesn't mean be rude and violent towards them, it means don't give anybody the extra opportunity to deface your website. The following are some of the best possible ways to help protect your website.
The mysql_real_escape_string($content) function(found at http://www.php.net/mysql_real_escape_string) will protect you from SQL injection that relies on single, double quotes, backslashes, etc.. This will not protect against all injections(I will cover more soon), but should be used on ALL user input that will be stored in a database or used in a database query.
Next, always be sure to validate $_GET data such as an id. This is a critical mistake made by many web designers leaving them vulnerable to SQL injection given the right situation. To defeat this, you must ensure the data you receive is something you would expect. For example an id should only be numerical, and if any other characters are found then some sort of tampering has gone on. In situations where data is not correctly evaluated, users could manipulate the SQL query to undesirable results. In the worst case scenario you could end up with somebody changing http://site.com/?id=1&select=username to http://site.com/?id=1&select=password. Simply make sure to validate input and you will be fine.
htmlentities ($string, $options) (http://www.php.net/html_entities) is a function designed to help validate html data, reducing the risk of XSS. This function I recommend you run with the ENT_QUOTES option. ENT_QUOTES will convert quote(greater than and less than sighs too) into there entity form. This function should be run while sending data to users, and not before. That will reduce confusion of users editing there posts at a later time.
This is already a long post so here are my last few tips: *Watch out for remote and local file inclusion by filter $_GET data (or $_POST for that matter) which selects the page. *Be sure to filter email forms very carefully(see SMTP injection) *Make sure to filter for CSRF. (logout avatars are a good example of this) simply remember to scan for appropriate data *Log errors back to a log file, this can sometimes lead to clues where attackers are looking. Key errors to watch for will relate to mysql or include functions. *Consider asking for somebody to pen test your website or pay a professional to do it. *When using large products(like forum or blog system) google known vulnerabilities and fixes that may be required. *Monitor exploit sites periodically to watch for new exploits that could effect you. *Lastly, and most importantly, when in doubt ASK.
Hopefully this has helped and I have not wasted my time.
copies to clipboard incase I was logged out while typing :P
EDIT: Also keeping backups is a VERY wise idea.
S1L3NTKn1GhT wrote: Dude, theres no reason to share bs about how you feel discouraged. And likely, you'll be flamed for sharing it :p
We're all free to do or say whatever we want to. If he feels like complaining or just expressing his emotions, let him. Allow the world to live as it chooses, and allow yourself to live as you choose. :)
Always be sure to validate input data such as $_GET and $_POST, make it a habit checking $_SERVER too. If you only expect a certain data type or a set of values, use a predicate function or switch statement instead of any other cleaning function. This will allow you to be certain that it is indeed an integer or that it is "yes", "no" or "maybe".
Skunkfoot wrote: [quote]S1L3NTKn1GhT wrote: Dude, theres no reason to share bs about how you feel discouraged. And likely, you'll be flamed for sharing it :p
We're all free to do or say whatever we want to. If he feels like complaining or just expressing his emotions, let him. Allow the world to live as it chooses, and allow yourself to live as you choose. :) [/quote]
Wow.epic.LOL btw long time no chat skunk where ya been? Havnt seen ya on msn.
system_meltdown wrote: RMI? Lolwut?
I think he meant RFI.
As to the original post, as you are coding your website, don't worry too much about security. After you have your features ready just go back over each input and think of all possible exploits and fix 'em up.
You'' start out with weaknesses, but perfection is a work in progress.
This thread just gave me an interesting idea that would add on to the overall purpose of this site.
My idea is that after the completion of a challenge, maybe a few lines below the message that tells you how many points you have, it will tell you how to avoid having such a thing done to you.
ex: After completing a certain challenge, a very easy one, it would say, "Dont put important information into comments." Of course, with a little more detail depending on the complexity of the problem, lol.
so, rather that just learn how to do the exploit, you learn how to prevent it then and there as a reward for beating the challenge.
I mean, obviously this wouldn't work for ALL of the challenges because some of them seem to be more for fun or used to fuck the hell out of your brain, but the challenges that actually teach you how to use everday vulnerabilities would be nice. Rather than just discourage people like the original poster, and myself at times, actually TEACH how to avoid this shit.
Sure, you can google it and research it and learn all of the stuff on your own, but then, what's the point of this site? To redirect people? Or to help them?
sharline23 wrote: This thread just gave me an interesting idea that would add on to the overall purpose of this site.
My idea is that after the completion of a challenge, maybe a few lines below the message that tells you how many points you have, it will tell you how to avoid having such a thing done to you.
ex: After completing a certain challenge, a very easy one, it would say, "Dont put important information into comments." Of course, with a little more detail depending on the complexity of the problem, lol.
so, rather that just learn how to do the exploit, you learn how to prevent it then and there as a reward for beating the challenge.
I mean, obviously this wouldn't work for ALL of the challenges because some of them seem to be more for fun or used to fuck the hell out of your brain, but the challenges that actually teach you how to use everday vulnerabilities would be nice. Rather than just discourage people like the original poster, and myself at times, actually TEACH how to avoid this shit.
Sure, you can google it and research it and learn all of the stuff on your own, but then, what's the point of this site? To redirect people? Or to help them?
There was a website that I was at a while back like that, I think it may have been HTS but I can't remember. I think that it is a brilliant idea and should probably be posted in the comments and suggestions section.
Perhaps a new link under challenges "What have I learned?" or something(I am not creative with names :p), and it will show a break down the exploits you have found and a brief fix on each. Either that or the name of the exploit linked up to google :P
To sharline and p4, lots of <3 to you guys. Anyhow, not what I wanted to say. The general point and thought with the challenges is that you complete them because you know what you're doing and why it'd work. It's generally thought that if you know why an attack works, you will also be able to take up countermeasures to stop the type of attack, if stopping it is within your power. Basically it could be considered unnecessary to tell something that the person should already know by virtue of completing the challenge, and if the person had no idea what he or she was doing then some might consider the fact that they were told, not onlythe solution to the challenge, but also the prevention of how to do it, spoon feeding them. Also, if you have to go into an explanation about why it's stupid to put your goddamn password in plaintext comments for anyone to see, then there really is no hope for that person :P
COM wrote: To sharline and p4, lots of <3 to you guys. Anyhow, not what I wanted to say. The general point and thought with the challenges is that you complete them because you know what you're doing and why it'd work. It's generally thought that if you know why an attack works, you will also be able to take up countermeasures to stop the type of attack, if stopping it is within your power. Basically it could be considered unnecessary to tell something that the person should already know by virtue of completing the challenge, and if the person had no idea what he or she was doing then some might consider the fact that they were told, not onlythe solution to the challenge, but also the prevention of how to do it, spoon feeding them. Also, if you have to go into an explanation about why it's stupid to put your goddamn password in plaintext comments for anyone to see, then there really is no hope for that person :P
You have a very good argument and I see your point, and in most cases this holds quite true. However, many users here that are not acquainted with the major concepts of hacking and security may rely on google to help them find a particular exploit. Simply googling an exploit for this site doesn't do the user any good most of the time because that is the only place they ever really used it. Having a summary page of challenges you have completed may give you ideas for other challenges or make you want to review them(or further research it). I myself often redo many of the real missions I have already completed for extra retention of the used methods.
This is not something that will help all users, but it can help many. I am not saying that every challenge should generally have a 'review' at the end, for example stegano and encryption challenges should not need a review. While something like application cracking should, due to more than one solution being applicable in some cases.
That is my two cents either way I have no need for it, but that doesn't mean other users won't like it.
Just so you know, I'm not actually arguing against the idea, merely putting it into perspective. It's neither a good nor bad idea, it's a mediocre one that wouldn't do more damage than good. If developers really wish to put in the effort of going through with it, then sure. However, the main thing to consider is: anyone who has completed a challenge should at least know of the concept of what's being done, whether there are multiple solutions or not. Furthermore, anyone who's actually interested in knowing about it will look into it on their own, others will not do it either way.