
Thread: Check for holes

  1. #1
    Join Date
    Jan 2007
    Posts
    58
    Thanks
    11
    Thanked 0 Times in 0 Posts

    Check for holes

    Hi guys, I've created this little web entirely based on an ajax engine using the jQuery library and a php backend. Please try to look for holes, code flaws or whatever you might think should be changed/fixed.

    I'm going to launch it pretty soon and well, it's my first website based 100% in ajax. I would hate to get hacked in the very first day lol, so any suggestions are very welcome!

    Also tell me if I did a decent job "hiding" the js code (for beginners ofc).

    mucheat.com

    Thanks!
    Last edited by jscheuer1; 01-08-2011 at 07:21 AM. Reason: remove hotlink

  2. #2
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,495
    Thanks
    82
    Thanked 3,449 Times in 3,410 Posts
    Blog Entries
    12


    This (initially the only script on the page aside from jQuery):

    Code:
    <script type="text/javascript">
    $(function(){$('#contentDiv').hide().load('content.php',{auth:'3b5dcd443e1900438759ecf1a70622b1'});});
    </script>
    Hides the content that presumably you want seen. Even if it weren't hidden (display: none), it would be black (default text color in most browsers) on black (the background set for the page in its stylesheet).

    Which is what happens in Firefox as the response is:

    Access Denied.
    In IE 8 it 'works', but I get this cryptic error:

    Object expected mucheat.com, line 111698757 character 1
    I say cryptic because the file itself has only 33 lines. The error must be talking about the imported code.
    - John

  3. #3
    Join Date
    Jan 2007
    Posts
    58
    Thanks
    11
    Thanked 0 Times in 0 Posts


    So, it's not that easy to see the code, right? Well, of course you can see it, since it's stored on the client PC, but not with View Source.

    And of course, when you access content.php directly, it says access denied since you haven't passed the auth hash.

  4. #4
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,495
    Thanks
    82
    Thanked 3,449 Times in 3,410 Posts
    Blog Entries
    12


    No. Even with the hash in Firefox it gives Access Denied. So the page is just not working at all in that browser. Gets stuck on the loading image. If it did work, it should be easy to see the script. IE is a special case because it doesn't show client side generated code in its developer tools. Firefox does.

    And, as you say, the code is there somewhere, so can be gotten even in IE.

    What's so special about the code that you have to break the page in Firefox in order to sort of hide it?
    - John

  5. #5
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    I get past the loading image in Fx (3.6), but the page still says "Access Denied."

    Why are you bothering to try to make this so complex? The end result - if you want a functional page - is always going to be the same: sending the code. So why introduce so much complexity?

  6. #6
    Join Date
    Sep 2008
    Location
    Bristol - UK
    Posts
    842
    Thanks
    32
    Thanked 132 Times in 131 Posts


    I suppose it's not a massive issue, but you can get around the 15 minute login ban by just clearing your cookies.

    You could possibly change it to track the user's IP address instead?

    As a side note, when you're signing up, why does it wait 5 seconds before checking a username's availability? Am I missing something?

    The site looks really good, very slick - the only criticism I would make is that there's perhaps too much going on, too many things sliding up and down and preloaders fading in and out.

    Oh and I just found a bug in Firefox where if you view the source of the page, refresh that source while the page is still active and then click on any link, it will come back as "Access Denied".
    Last edited by Schmoopy; 01-08-2011 at 04:08 PM.

  8. #7
    Join Date
    Jan 2007
    Posts
    58
    Thanks
    11
    Thanked 0 Times in 0 Posts


    Quote Originally Posted by jscheuer1 View Post
    No. Even with the hash in Firefox it gives Access Denied. So the page is just not working at all in that browser. Gets stuck on the loading image. If it did work, it should be easy to see the script. IE is a special case because it doesn't show client side generated code in its developer tools. Firefox does.

    And, as you say, the code is there somewhere, so can be gotten even in IE.

    What's so special about the code that you have to break the page in Firefox in order to sort of hide it?
    I don't know how you are opening the page, but it certainly doesn't happen when you open it directly by just typing www.mucheat.com in your browser. I've tried with IE, FF, Opera, Safari and Chrome and it works in all. It doesn't say access denied; it only says access denied when you try to access directly other files that you are not supposed to, like for example if you go to www.mucheat.com/content.php (that's normal behavior since I don't want users to access my files directly but only through index.php).

    The code itself has nothing special, it's just that I don't want some ppl sniffing around, that's all; sniffing around -> might find holes or bugs that they might exploit later. So if you can keep everything as hidden as possible, then why not?

    Quote Originally Posted by traq View Post
    I get past the loading image in Fx (3.6), but the page still says "Access Denied."

    Why are you bothering to try to make this so complex? The end result - if you want a functional page - is always going to be the same: sending the code. So why introduce so much complexity?
    I'm using FF 3.6 as well and I have no problems whatsoever.. And if you think sending a hash to a file in order for it to display its content, or say access denied instead, well, then it's complex.

    Quote Originally Posted by Schmoopy View Post
    I suppose it's not a massive issue, but you can get around the 15 minute login ban by just clearing your cookies.

    You could possibly change it to track the user's IP address instead?

    As a side note, when you're signing up, why does it wait 5 seconds before checking a username's availability? Am I missing something?

    The site looks really good, very slick - the only criticism I would make is that there's perhaps too much going on, too many things sliding up and down and preloaders fading in and out.

    Oh and I just found a bug in Firefox where if you view the source of the page, refresh that source while the page is still active and then click on any link, it will come back as "Access Denied".
    About the login, yes you are right!! It does give you a cookie ban for 15 mins if you fail 3 times, but have you tried to clear cookies and keep on failing? Let's say 7 more times?

    This is how it works: it always records the IP when login fails; if an IP fails 3 times, it makes a cookie ban, so that computer will usually have to wait 15 mins (or just delete cookies ofc, but let's assume most users won't do that). If they do, when they reach the 10th attempt, it will block you for good, even if you clear the cookies. I did it this way since some people will access the site from internet cafes: what if 1 person fails 3 times? Then no one from the whole cafe would be able to log in. If 3 ppl fail 3 times within 15 mins.. well.. that's just too bad.

    It waits 5 seconds to prevent flooding; anyway, it takes you more than 5 seconds to complete the whole form, so what's the rush? Now, let's say it didn't have to wait: you could just click on register and check again, register and again, and so on.. Remember, every "check" is a connection to the db, which at the end of the day, if you have many users checking, will surely affect the performance. It also has a similar system to the login, banning you for 15 mins after you check x amount of times.

    The access denied is because you changed the hash, and it just doesn't match the one stored in your session, therefore it says access denied; just refresh the page and it would be fine. Anyway, it is not intended that the common user views the source.

    Yeah, it might be a lil too complicated for what it does under the hood, but what I wanted to do, is provide the users with good usability, it's supposed to be easy to use, simple, and effective. And IMO, it does the job pretty well so far.

    Also I'm not a designer, so I'm not expecting the design to be great. And the idea was to make it light, not many images, etc. Besides, it also has a language engine in php; if you use images, well, you cannot translate these, can you? Well, you can always load different images, just a pain..

    I've disabled the language engine for the moment because I still need to translate some lines.

    Thanks to all of you for the testing and suggestions/comments. If you have more, please don't hesitate to post them!
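The ban scheme described in the post above (3 failed logins from an IP set a 15-minute cookie ban, the 10th failure blocks the IP server-side), written out as an added Python example; this is not the site's PHP code, and the class, function names, thresholds as constants and the IP addresses are constructed for illustration. It shows why Schmoopy's cookie-clearing trick only defers the block: the failure count lives on the server, not in the cookie.

```python
COOKIE_BAN_AFTER = 3     # failures before a 15-minute cookie ban is issued
HARD_BLOCK_AFTER = 10    # total failures before the IP is blocked for good
BAN_SECONDS = 15 * 60    # length of the cookie ban window


class LoginThrottle:
    """Per-IP failure counter kept on the server; the client's cookies play no part in it."""

    def __init__(self) -> None:
        self.failures: dict[str, list[float]] = {}   # ip -> timestamps of failed logins
        self.hard_blocked: set[str] = set()

    def check(self, ip: str, has_ban_cookie: bool) -> str:
        """Gate an attempt before the password is even looked at."""
        if ip in self.hard_blocked:
            return "hard_block"      # server-side state, survives cookie clearing
        if has_ban_cookie:
            return "cookie_ban"      # client still carries the 15-minute ban cookie
        return "allow"

    def record_failure(self, ip: str, now: float) -> str:
        """Record a failed login and return the response the server should send."""
        stamps = self.failures.setdefault(ip, [])
        stamps.append(now)
        if len(stamps) >= HARD_BLOCK_AFTER:
            self.hard_blocked.add(ip)   # note: everyone behind a shared IP (the cafe case) is hit
            return "hard_block"
        # Only failures inside the 15-minute window count toward a fresh cookie ban.
        recent = [t for t in stamps if now - t < BAN_SECONDS]
        if len(recent) >= COOKIE_BAN_AFTER:
            return "set_ban_cookie"
        return "retry"


def simulate(throttle: LoginThrottle, ip: str, attempts: int, clears_cookie: bool) -> list[str]:
    """Drive `attempts` wrong passwords from one IP, one second apart; return each response."""
    has_cookie = False
    log = []
    for i in range(attempts):
        now = 1_000_000.0 + i          # constructed timestamps
        gate = throttle.check(ip, has_cookie)
        if gate != "allow":
            log.append(gate)           # banned clients never reach the password check
            continue
        outcome = throttle.record_failure(ip, now)
        log.append(outcome)
        if outcome == "set_ban_cookie":
            # A cookie-clearing client drops the ban at once and keeps being counted.
            has_cookie = not clears_cookie
    return log
```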

  9. #8
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,495
    Thanks
    82
    Thanked 3,449 Times in 3,410 Posts
    Blog Entries
    12


    Even if I clear the cache and session cookies, paste the URL directly into the browser, it still just sits on that loading image for me in Firefox 3.6.13. If your inability to duplicate this is a reason to ignore it, please do so.

    If someone can tell me what I need to do to see this 'work' in Firefox, let me know.

    But the bottom line is that, as with all efforts to hide what you're doing from the user, you often end up hiding it so completely that it doesn't work at all in some cases. It also, even when it 'works', makes the code hard to diagnose and maintain, while at the same time makes the browser work harder than it has to in order to achieve the effect(s) you're after.

    Added later - Also, as I was saying, any other browser other than IE where this 'works', will see the scripts in its diagnosis utility and can copy them. Opera does so here, using its Dragonfly utility. Chrome has a similar utility built in, though few seem to know about it. It probably can see the scripts too. If it loaded in Firefox, I'm sure I could easily get all the codes.
    Last edited by jscheuer1; 01-09-2011 at 03:04 PM. Reason: Added later
    - John

  10. #9
    Join Date
    Jan 2007
    Posts
    58
    Thanks
    11
    Thanked 0 Times in 0 Posts


    Quote Originally Posted by jscheuer1 View Post
    Even if I clear the cache and session cookies, paste the URL directly into the browser, it still just sits on that loading image for me in Firefox 3.6.13. If your inability to duplicate this is a reason to ignore it, please do so.

    If someone can tell me what I need to do to see this 'work' in Firefox, let me know.

    But the bottom line is that, as with all efforts to hide what you're doing from the user, you often end up hiding it so completely that it doesn't work at all in some cases. It also, even when it 'works', makes the code hard to diagnose and maintain, while at the same time makes the browser work harder than it has to in order to achieve the effect(s) you're after.

    Added later - Also, as I was saying, any other browser other than IE where this 'works', will see the scripts in its diagnosis utility and can copy them. Opera does so here, using its Dragonfly utility. Chrome has a similar utility built in, though few seem to know about it. It probably can see the scripts too. If it loaded in Firefox, I'm sure I could easily get all the codes.
    I'm sure you can, as I said 3 times earlier, since it's on the client's computer, it will always be seen. No matter what.

    And well.. John.. I really don't know what to say.. seems like you are the only one who can't see it "working"... Maybe your FF is from a different "breed" or my "working" site doesn't want to "work" for you... Mysteries of javascript....

    And btw, I still don't understand why the hyperlink from my first post was removed when some users have hyperlinks in their sigs... *wonders*

    Thanks.

  11. #10
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    Quote Originally Posted by nicksalad View Post
    ...if you think sending a hash to a file in order for it to display its content, or say access denied instead, well, then it's complex.
    Quote Originally Posted by nicksalad View Post
    So if you can keep everything as hidden as possible, then why not?
    I mean it in the relative sense; it's complex because it's unnecessary and offers no real protection.

    It can be circumvented - the fact that "most" visitors will be stopped doesn't mean much; the few that are not stopped are the ones that you need to be worrying about. And if it's only running on your client's system, why do anything? There are a lot of drawbacks here (harder to troubleshoot, increased likelihood of errors, etc.), and little (if any) gain.

    I'm not trying to put down your work, I'm just not sure what you hope to accomplish.
