« wu :: forums - a request (online security) »
Topic: a request (online security)  (Read 1884 times)
maestro
Newbie
Posts: 3
« on: Jun 12th, 2003, 1:37am »

So I had to code a website for this security class that I'm taking and I'm really interested in exactly how secure the page is.  I'm not sure if this is a good idea, but I'd like to ask if any of you can crack into the page that I wanted to protect.  
 
As an introduction, I designed the site to protect a single webpage.  Only authorized users that have registered with the site may access this page.  Unauthenticated users who try to access the page by directly entering the page's url will find that they are denied access.  Users must login at the main page to access the protected page.  
 
The page that is being protected is: http://security03.servehttp.com/hw3/classified.php
 
The main login page can be found at:
http://security03.servehttp.com/hw3/index.php
 
And btw, I have posted source code for all of the pages I created.  You can find a link to that at the main login page.  Any comments or suggestions would be much appreciated!  Thanks!
 

James Fingas
Uberpuzzler
Posts: 949
« Reply #1 on: Jun 12th, 2003, 6:25am »

You shouldn't go hiding top secret military secrets on poorly secured pages ;) Clever people might discover them...

Doc, I'm addicted to advice! What should I do?
Sir Col
Uberpuzzler
Posts: 1825
« Reply #2 on: Jun 12th, 2003, 3:54pm »

Seems fairly secure, Maestro.

1) All the server paths are hard-coded and you've not made the mistake of allowing query strings to direct paths.
2) All functions are defined within the main .php document. Using include files can be dangerous if you have a coding error, as the server often reports the filename that caused the error to the client, and they can then view the source code of the file in a browser.
3) The use of session variables prevents hackers from using external websites to manipulate form values and/or re-route headers to classified.php.

Perhaps...
1) Rather than storing the password in plain text, a preferred method is to use a one-way hash on the password; again, hard-code the salt (I notice you had commented the crypt() function out, so you must have been thinking about it).
2) Log visitors' IP addresses to stop brute-force attacks on login.php.

mathschallenge.net / projecteuler.net
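The advice above (hash passwords instead of storing them in plain text, log failed logins per IP, and gate classified.php on a session variable) worked into a small PHP login module, as an added example that is not maestro's code or Sir Col's. It uses PHP's built-in password_hash(), which generates a random per-user salt and stores it inside the hash string, in place of a hard-coded salt. It assumes PHP 7 or later; the user table, the sample credentials and the failure log are constructed in-memory stand-ins for the site's database, and the function names are my own.

```php
<?php
// Added example, not the code from maestro's site: a login handler applying
// the suggestions above. password_hash() picks a random per-user salt and
// stores it inside the hash string, so no salt needs to be hard-coded.
const MAX_FAILURES   = 5;    // failed attempts per IP before lockout
const WINDOW_SECONDS = 900;  // failures older than 15 minutes are forgotten

// Constructed user table (username => hash); a real site reads it from a DB.
function user_table(): array {
    return ['maestro' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

// Drop stale failures for $ip and report whether the recent ones reach the limit.
function is_locked_out(array &$log, string $ip, int $now): bool {
    $recent = array_filter($log[$ip] ?? [], function ($t) use ($now) {
        return $now - $t < WINDOW_SECONDS;
    });
    $log[$ip] = array_values($recent);
    return count($recent) >= MAX_FAILURES;
}

// True only for a correct username/password from an IP that is not locked out.
// $log (ip => list of failure timestamps) is passed by reference so the caller
// can persist it between requests.
function attempt_login(array $users, array &$log, string $ip,
                       string $user, string $pass, int $now): bool {
    if (is_locked_out($log, $ip, $now)) {
        return false;                    // refuse before touching the password
    }
    // password_verify() reads salt and cost from the stored hash and compares
    // in constant time.
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return true;
    }
    $log[$ip][] = $now;                  // record the failure against this IP
    return false;
}

// Guard at the top of classified.php: only a session set up by a successful
// login may view the page; everyone else is sent back to index.php.
function require_login(): void {
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: index.php');
        exit;
    }
}
```

After attempt_login() succeeds, index.php would call session_regenerate_id(true) and set $_SESSION['user'] before redirecting to classified.php.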
maestro
Newbie
Posts: 3
« Reply #3 on: Jun 18th, 2003, 5:08pm »

on Jun 12th, 2003, 3:54pm, Sir Col wrote:
Seems fairly secure, Maestro.

1) All the server paths are hard-coded and you've not made the mistake of allowing query strings to direct paths.
2) All functions are defined within the main .php document. Using include files can be dangerous if you have a coding error, as the server often reports the filename that caused the error to the client, and they can then view the source code of the file in a browser.
3) The use of session variables prevents hackers from using external websites to manipulate form values and/or re-route headers to classified.php.

Perhaps...
1) Rather than storing the password in plain text, a preferred method is to use a one-way hash on the password; again, hard-code the salt (I notice you had commented the crypt() function out, so you must have been thinking about it).
2) Log visitors' IP addresses to stop brute-force attacks on login.php.

Thanks so much!  That was most helpful.