Check for holes



nicksalad
01-07-2011, 07:04 PM
Hi guys, I've created this little web entirely based on an ajax engine using the jQuery library and a php backend. Please try to look for holes, code flaws or whatever else you think should be changed/fixed.

I'm going to launch it pretty soon and well, it's my first website based 100% on ajax. I would hate to get hacked on the very first day lol, so any suggestions are very welcome!

Also tell me if I did a decent job "hiding" the js code. (for beginners ofc).

mucheat.com

Thanks!

jscheuer1
01-08-2011, 07:33 AM
This (initially the only script on the page aside from jQuery):


<script type="text/javascript">
$(function(){$('#contentDiv').hide().load('content.php',{auth:'3b5dcd443e1900438759ecf1a70622b1'});});
</script>

Hides the content that presumably you want seen. Even if it weren't hidden (display: none), it would be black (default text color in most browsers) on black (the background set for the page in its stylesheet).

Which is what happens in Firefox as the response is:


Access Denied.

In IE 8 it 'works', but I get this cryptic error:


Object expected mucheat.com, line 111698757 character 1

I say cryptic because the file itself has only 33 lines. The error must be talking about the imported code.

nicksalad
01-08-2011, 11:44 AM
So, it's not that easy to see the code, right? Well, of course you can see it, since it's stored on the client PC, but not with View Source :)

And of course, when you access content.php directly, it says access denied since you haven't passed the auth hash.

jscheuer1
01-08-2011, 12:42 PM
No. Even with the hash in Firefox it gives Access Denied. So the page is just not working at all in that browser. Gets stuck on the loading image. If it did work, it should be easy to see the script. IE is a special case because it doesn't show client side generated code in its developer tools. Firefox does.

And, as you say, the code is there somewhere, so can be gotten even in IE.

What's so special about the code that you have to break the page in Firefox in order to sort of hide it?

traq
01-08-2011, 03:19 PM
I get past the loading image in Fx (3.6), but the page still says "Access Denied."

Why are you bothering to try to make this so complex? The end result - if you want a functional page - is always going to be the same: sending the code. So why introduce so much complexity?

Schmoopy
01-08-2011, 03:50 PM
I suppose it's not a massive issue, but you can get around the 15 minute login ban by just clearing your cookies.

You could possibly change it to track the user's IP address instead?

As a side note, when you're signing up, why does it wait 5 seconds before checking a username's availability? Am I missing something?

The site looks really good, very slick - the only criticism I would make is that there's perhaps too much going on, too many things sliding up and down and preloaders fading in and out.

Oh and just found a bug in firefox where if you view the source of the page, refresh that source while the page is still active and then click on any link, it will come back as "Access Denied".

nicksalad
01-09-2011, 10:58 AM
No. Even with the hash in Firefox it gives Access Denied. So the page is just not working at all in that browser. Gets stuck on the loading image. If it did work, it should be easy to see the script. IE is a special case because it doesn't show client side generated code in its developer tools. Firefox does.

And, as you say, the code is there somewhere, so can be gotten even in IE.

What's so special about the code that you have to break the page in Firefox in order to sort of hide it?

I don't know how you are opening the page, but it certainly doesn't happen when you open it directly by just typing www.mucheat.com in your browser. I've tried with IE, FF, Opera, Safari and Chrome and it works in all. It doesn't say access denied; it only says access denied when you try to access directly other files that you are not supposed to, like for example if you go to www.mucheat.com/content.php (that's normal behavior since I don't want users to access my files directly but only through index.php).

The code itself has nothing special, it's just that I don't want some ppl sniffing around, that's all. Sniffing around -> might find holes or bugs that they might exploit later. So if you can keep everything as hidden as possible, then why not?


I get past the loading image in Fx (3.6), but the page still says "Access Denied."

Why are you bothering to try to make this so complex? The end result - if you want a functional page - is always going to be the same: sending the code. So why introduce so much complexity?

I'm using FF 3.6 as well and I have no problems whatsoever.. And if you think sending a hash to a file in order for it to display its content, or say access denied instead, well, then it's complex.


I suppose it's not a massive issue, but you can get around the 15 minute login ban by just clearing your cookies.

You could possibly change it to track the user's IP address instead?

As a side note, when you're signing up, why does it wait 5 seconds before checking a username's availability? Am I missing something?

The site looks really good, very slick - the only criticism I would make is that there's perhaps too much going on, too many things sliding up and down and preloaders fading in and out.

Oh and just found a bug in firefox where if you view the source of the page, refresh that source while the page is still active and then click on any link, it will come back as "Access Denied".

About the login, yes you are right!! It does give you a cookie ban for 15 mins if you fail 3 times, but have you tried to clear cookies and keep on failing? let's say 7 more times? :)

This is how it works: it always records the IP when login fails; if an IP fails 3 times, it makes a cookie ban, so that computer will (usually) have to wait 15 mins, or just delete cookies ofc, but let's assume most users won't do that. If they do, when they reach the 10th attempt, it will block you for good, even if you clear the cookies. I did it this way since some people will access the site from internet cafes; what if 1 person fails 3 times? Then no one from the whole cafe would be able to log in. If 3 ppl fail 3 times within 15 mins.. well.. that's just too bad :)

It waits 5 seconds to prevent flooding; anyways it takes you more than 5 seconds to complete the whole form, so what's the rush? Now, let's say it didn't have to wait: you could just click on register and check again, register and again, and so on.. Remember, every "check" is a connection to the db, which at the end of the day, if you have many users checking, will surely affect the performance. It also has a similar system to the login, banning you for 15 mins after you check an x amount of times.

The access denied is because you changed the hash, and it just doesn't match the one stored in your session, therefore it says access denied; just refresh the page and it would be fine. Anyway, it's not intended that the common user views the source.

Yeah, it might be a lil too complicated for what it does under the hood, but what I wanted to do, is provide the users with good usability, it's supposed to be easy to use, simple, and effective. And IMO, it does the job pretty well so far.

Also I'm not a designer so, I'm not expecting the design to be great ;) And the idea was to make it light, not many images, etc. Besides, it also has a language engine in php; if you use images, well, you cannot translate these, can you? Well, you can always load different images, just a pain..

I've disabled the language engine for the moment because I still need to translate some lines.

Thanks to all of you for the testing and suggestions/comments. If you have more, please don't hesitate to post them!
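A server-side model of the escalating lockout policy described in this post (3 failures from an IP start a 15-minute ban, the 10th failure blocks for good), added here as an example; it is not code from mucheat.com or from the poster. The class name, method names, the in-memory array standing in for the site's database table, the injected clock and the 203.0.113.7 address are all assumptions. It differs from the described site in one deliberate way: the 15-minute ban is enforced on the server keyed by IP rather than by a cookie, which closes the clear-your-cookies bypass raised earlier in the thread.

```php
<?php
// Added example (not the site's code): server-side lockout policy keyed by IP.
// Storage is an in-memory array standing in for a database table (assumption),
// and the current time is passed in so the policy can be exercised without
// waiting 15 minutes.

final class LoginThrottle
{
    private const SOFT_BAN_AFTER   = 3;        // failures before a 15-minute ban
    private const HARD_BLOCK_AFTER = 10;       // failures before a permanent block
    private const SOFT_BAN_SECONDS = 15 * 60;

    /** @var array<string, array{failures:int, banned_until:int, blocked:bool}> */
    private array $records = [];

    /** Returns 'allowed', 'soft_ban' or 'hard_block' for this IP at time $now. */
    public function status(string $ip, int $now): string
    {
        $r = $this->records[$ip] ?? null;
        if ($r === null) {
            return 'allowed';
        }
        if ($r['blocked']) {
            return 'hard_block';
        }
        if ($r['banned_until'] > $now) {
            return 'soft_ban';
        }
        return 'allowed';
    }

    /** Record one failed login attempt and return the resulting status. */
    public function recordFailure(string $ip, int $now): string
    {
        $r = $this->records[$ip]
            ?? ['failures' => 0, 'banned_until' => 0, 'blocked' => false];
        $r['failures']++;
        if ($r['failures'] >= self::HARD_BLOCK_AFTER) {
            // 10th failure: permanent block, independent of any cookie state.
            $r['blocked'] = true;
        } elseif ($r['failures'] % self::SOFT_BAN_AFTER === 0) {
            // Every third failure (3rd, 6th, 9th) starts a fresh 15-minute ban.
            $r['banned_until'] = $now + self::SOFT_BAN_SECONDS;
        }
        $this->records[$ip] = $r;
        return $this->status($ip, $now);
    }

    /** A successful login clears the failure count but never a hard block. */
    public function recordSuccess(string $ip): void
    {
        if (isset($this->records[$ip]) && !$this->records[$ip]['blocked']) {
            unset($this->records[$ip]);
        }
    }
}

// Walk-through with a constructed IP (documentation range) and a fixed clock.
$throttle = new LoginThrottle();
$ip  = '203.0.113.7';
$now = 1700000000;
for ($i = 1; $i <= 10; $i++) {
    printf("failure %2d -> %s\n", $i, $throttle->recordFailure($ip, $now));
}
// Sixteen minutes later a soft ban would have expired; the hard block has not.
printf("after 16 min -> %s\n", $throttle->status($ip, $now + 16 * 60));
```

Keying on the IP alone is exactly what produces the internet-cafe problem the post describes: one visitor's failures lock out everyone behind the same address. The usual compromise is to keep a second counter keyed on the account name being attempted, so that a shared address is not punished for one person and a single account is still protected from guessing spread over many addresses.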

jscheuer1
01-09-2011, 02:44 PM
Even if I clear the cache and session cookies, paste the URL directly into the browser, it still just sits on that loading image for me in Firefox 3.6.13. If your inability to duplicate this is a reason to ignore it, please do so.

If someone can tell me what I need to do to see this 'work' in Firefox, let me know.

But the bottom line is that, as with all efforts to hide what you're doing from the user, you often end up hiding it so completely that it doesn't work at all in some cases. It also, even when it 'works', makes the code hard to diagnose and maintain, while at the same time makes the browser work harder than it has to in order to achieve the effect(s) you're after.

Added later - Also, as I was saying, any other browser other than IE where this 'works', will see the scripts in its diagnosis utility and can copy them. Opera does so here, using its Dragonfly utility. Chrome has a similar utility built in, though few seem to know about it. It probably can see the scripts too. If it loaded in Firefox, I'm sure I could easily get all the codes.

nicksalad
01-09-2011, 06:47 PM
Even if I clear the cache and session cookies, paste the URL directly into the browser, it still just sits on that loading image for me in Firefox 3.6.13. If your inability to duplicate this is a reason to ignore it, please do so.

If someone can tell me what I need to do to see this 'work' in Firefox, let me know.

But the bottom line is that, as with all efforts to hide what you're doing from the user, you often end up hiding it so completely that it doesn't work at all in some cases. It also, even when it 'works', makes the code hard to diagnose and maintain, while at the same time makes the browser work harder than it has to in order to achieve the effect(s) you're after.

Added later - Also, as I was saying, any other browser other than IE where this 'works', will see the scripts in its diagnosis utility and can copy them. Opera does so here, using its Dragonfly utility. Chrome has a similar utility built in, though few seem to know about it. It probably can see the scripts too. If it loaded in Firefox, I'm sure I could easily get all the codes.

I'm sure you can, as I said 3 times earlier, since it's on the client's computer, it will always be seen. No matter what.

And well.. John.. I really don't know what to say.. seems like you are the only one who can't see it "working"... Maybe your FF is from a different "breed" or my "working" site doesn't want to "work" for you... Mysteries of javascript....

And btw, I still don't understand why the hyperlink from my first post was removed when some users have hyperlinks in their sigs... *wonders*

Thanks.

traq
01-10-2011, 01:01 AM
...if you think sending a hash to a file in order for it to display its content, or say access denied instead, well, then it's complex.

So if you can keep everything as hidden as possible, then why not?
I mean it in the relative sense; it's complex because it's unnecessary and offers no real protection.

It can be circumvented - the fact that "most" visitors will be stopped doesn't mean much; the few that are not stopped are the ones that you need to be worrying about. And if it's only running on your client's system, why do anything? There are a lot of drawbacks here (harder to troubleshoot, increased likelihood of errors, etc.), and little (if any) gain.

I'm not trying to put down your work, I'm just not sure what you hope to accomplish.

jscheuer1
01-10-2011, 01:28 AM
Well, the fact that it doesn't work in my Firefox should give you pause. My question as to how to get it to work was not directed only to you. If others in this thread have any ideas, I'm open to suggestion.

As I said though, in any browser other than IE it's relatively easy to get the code. So why risk breaking your site in some browsers just to hide the code from newbies who probably won't understand it anyway? Doing so also makes it harder to receive help with your code, and harder for you or anyone to keep track of it for future updates and changes.

About the moderation. I suppose it's my fault that I didn't respond to your PM (which was a little less than calm) about that. I guess that's why you're asking in the open forum about it. If you want to discuss it further send me a calmer PM. Please do not respond in public to what follows:

That moderation was just a warning, no points were issued. It was unclear to me at the time whether or not you were just trying to get your link out there or not. Try not repeating it. It was the fact that it appeared twice in one post that made me (and would probably make any moderator here) at least suspicious. I left the address there for anyone who cared to follow it. Some did.

About other members having links in their sigs - No one really is allowed. If you've been around long enough and have helped out, the moderators will at their discretion waive that rule.

nicksalad
01-10-2011, 06:30 AM
Well, the fact that it doesn't work in my Firefox should give you pause. My question as to how to get it to work was not directed only to you. If others in this thread have any ideas, I'm open to suggestion.

As I said though, in any browser other than IE it's relatively easy to get the code. So why risk breaking your site in some browsers just to hide the code from newbies who probably won't understand it anyway? Doing so also makes it harder to receive help with your code, and harder for you or anyone to keep track of it for future updates and changes.

About the moderation. I suppose it's my fault that I didn't respond to your PM (which was a little less than calm) about that. I guess that's why you're asking in the open forum about it. If you want to discuss it further send me a calmer PM. Please do not respond in public to what follows:

That moderation was just a warning, no points were issued. It was unclear to me at the time whether or not you were just trying to get your link out there or not. Try not repeating it. It was the fact that it appeared twice in one post that made me (and would probably make any moderator here) at least suspicious. I left the address there for anyone who cared to follow it. Some did.

About other members having links in their sigs - No one really is allowed. If you've been around long enough and have helped out, the moderators will at their discretion waive that rule.

It doesn't give me pause. As it didn't give me pause when I decided to make it fully js based when some users don't have js enabled.. And that's a way bigger deal. Besides, the thing that according to you makes it complicated (the initial .load that "hides" the stuff), IF that's the reason why you can't see the page properly with your firefox, then it's a jQuery issue, not my site's. So you should report it to jQuery.

I suppose we have different points of view.. And different needs as well. For me, hiding the simple stuff from the common user is vital. Keep in mind we are talking about a game's website; most users are teens with lots of time on their hands. Script kiddies who are desperate to get some attention, and those are always the ones messing around (in this type of scenario at least). Of course I should be afraid of the big ones, as everyone should. After all, no one, and let me repeat it, NO ONE is immune to getting hacked. No site is 100% secure; there's always someone who will crack your nut.

But at least those hacker wannabes, which are about 90% of the real threat, will have a harder time understanding how it works. That's my goal.

And why do you think it wasn't calm? Because of the "Are you kidding me?" I was very much calm, and serious, since it was you who asked me earlier to post a link to my site. And sorry, but there wasn't anything doubled. Anyway, whatever about that, let it be. You can just close this thread if that makes you happy :)

It's kinda funny, only one person actually tested stuff. The rest just stuck with the "too complicated" and left. And really, what's wrong with complicated? I wanted it that way, so let it be. Basically the purpose is achieved: it stops most ppl from digging around.

Take it easy.