Test my security!



Chippiewill
28-09-2007, 06:53 PM
My user system needs testing. I just want to see how secure it is, so can peeps try and break into it and then tell me where the flaws are? ;D

Plus rep to all hacks

http://www.thehabbies.com/us/login.php <--- for user system

(When you log in, if you need to, you will have to refresh the page after you have logged in; minor glitch. When you use the back button onto the homepage you will need to refresh also.)

When you hack in, just do something noticeable like adding loads of furni to the shop or something.

PS: I know some links are duffed, but that was a glitch from when I was building it. I will fix it soon :D

Eccentric
28-09-2007, 08:19 PM
techtuts, probably easy to get into? :P!
I'll have a look :D

Sessions? :D

Use my skin script ;)!

Chippiewill
28-09-2007, 08:35 PM
I've done every securing script for Neresh's user system known to man :eusa_danc

muhahahahahah
not enough
hahahahahahahahahahahhaha
If you hack it i will actually cry
but you wont muhahaha
---------------------------------------------------------------------
Back on topic:

Skin script?
For the user system?
On techtuts or habboxforum?

Eccentric
28-09-2007, 08:38 PM
On TT, I'll post the link, hang on: http://www.techtuts.com/forums/index.php?showtopic=4299
farp,'s sucks cos it's just CSS; mine actually owns all, and mine was the original one :D

=gamemaster=
28-09-2007, 08:45 PM
I'm on your admin account

EDIT: It's just an account someone's made :p lol

Try an IP login thing? You log the IP a person logs in from, and if someone tries logging in from a different IP, then you gotta request...


Something like that?

today
28-09-2007, 08:48 PM
I'm on your admin account <3 :P

LOL
LOL, do stuff to prove it to him & explain how ;)

=gamemaster=
28-09-2007, 08:50 PM
I've edited... I looked in members and the account is rank: member

I'm sure you can guess the pass for ADMIN... lol

Chippiewill
28-09-2007, 08:57 PM
Try an IP login thing? You log the IP a person logs in from, and if someone tries logging in from a different IP, then you gotta request...


Something like that?

I would, but that would only work if someone has a static IP.

Oh, and yeah, that password for the admin acc is easy to guess.

=gamemaster=
28-09-2007, 09:00 PM
Yeah lol :p

awelsh
28-09-2007, 09:00 PM
Here's a flaw.

I typed in deposit credits or whatever: -9999999999999999; here's what I got back:


You have successfully deposited -9999999999999 points!
You now have -1.0E+13 points deposited!

Now I tried depositing 909999999999999:


You have successfully deposited 909999999 points!
You now have -1237483649 points deposited!

Edit: then I did a withdraw:


You have successfully withdrawn -99999999999999999999 points!
You now have 9.99999999988E+19 points deposited!
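
The three results above come from a form that adds whatever the field contains to the stored balance: a negative deposit, no limit on size, and a total that wraps (the posted -1237483649 is what a signed 32-bit column gives when -2147483648 has 909999999 added to it). Below is an added example in Python, not the PHP from thehabbies.com, of a strict amount parser and an account that applies it, beside the loose arithmetic that reproduces the posted behaviour. The 32-bit cap and the per-transaction limit are assumptions.

```python
import re

# Added example, not the site's code. A strict amount parser and an account that
# applies it, next to the loose arithmetic the thread's results came from.
# Limits are assumptions: the wrapped total in the thread matches a signed 32-bit
# column (-2147483648 + 909999999 == -1237483649), so that is the cap used here.

MAX_BALANCE = 2**31 - 1          # assumed: signed 32-bit storage column
MAX_PER_TXN = 1_000_000          # assumed: per-transaction cap, pick one for the site
AMOUNT_RE = re.compile(r"[0-9]+")  # ASCII digits only: no sign, point, exponent, spaces


def parse_amount(raw: str) -> int:
    """Return the amount as a positive int, or raise ValueError.

    Rejects '-5', '+5', '1e5', '10.5', '', ' 5', non-ASCII digits and anything
    over the per-transaction cap, so the arithmetic below only sees sane values.
    """
    if not AMOUNT_RE.fullmatch(raw):
        raise ValueError(f"amount must be a positive whole number, got {raw!r}")
    amount = int(raw)
    if amount == 0:
        raise ValueError("amount must be greater than zero")
    if amount > MAX_PER_TXN:
        raise ValueError(f"amount exceeds the per-transaction limit of {MAX_PER_TXN}")
    return amount


class Account:
    def __init__(self, balance: int = 0):
        self.balance = balance

    def deposit(self, raw: str) -> int:
        amount = parse_amount(raw)
        if self.balance + amount > MAX_BALANCE:   # would wrap in a 32-bit column
            raise ValueError("deposit would exceed the maximum balance")
        self.balance += amount
        return self.balance

    def withdraw(self, raw: str) -> int:
        amount = parse_amount(raw)
        if amount > self.balance:                 # no overdraft via a huge withdrawal
            raise ValueError("insufficient funds")
        self.balance -= amount
        return self.balance


def naive_deposit(balance: float, raw: str) -> float:
    """What the thread's form apparently did: add whatever the field contained."""
    return balance + float(raw)   # '-9999999999999' is accepted and the total goes negative


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; handy for exercising the guards."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The check on withdraw is the one that matters most: a negative "withdrawal" is a deposit, and the parser refuses the sign before the arithmetic ever runs. Whatever the database column is, validate the number in the application as well, because the column will silently clamp or wrap rather than reject.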

Chippiewill
28-09-2007, 09:05 PM
Name of account? I think I can see it; you're not giving yourself anything exactly :S

:S Someone's trying to input scripts as their details :S

Eccentric
28-09-2007, 09:09 PM
Lol, that's called testing against XML (think that's it) attacks ;)
To stop a J/S attack I would use the preg_replace thingy :D

Dentafrice,
28-09-2007, 09:18 PM
I was testing against XSS attacks :)

Eccentric
28-09-2007, 09:23 PM
I was testing against XSS attacks :)
That's the one ;)! Knew it was X something ;)
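
The two posts above touch on what "testing against XSS" and "use preg_replace" come to in practice. Below is an added example in Python (the site is PHP; none of this is its code) contrasting a regex that deletes script tags, the preg_replace idea, with escaping the value when it is written into the page. The payloads are constructed for the example.

```python
import html
import re

# Added example, not the site's code: a script-tag blacklist (the preg_replace idea)
# beside output escaping, run over a few constructed payloads.

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Blacklist filter: deletes <script ...> and </script>, nothing else."""
    return SCRIPT_TAG.sub("", value)


def escape_for_html(value: str) -> str:
    """Output encoding: & < > " ' become entities, so the browser sees text, not markup."""
    return html.escape(value, quote=True)


def render_member_row(username: str, filter_fn) -> str:
    """A members-list row showing the name as text and inside an attribute value."""
    safe = filter_fn(username)
    return f'<td>{safe}</td><td><input name="user" value="{safe}"></td>'


# Constructed payloads, each a different way past a script-tag blacklist.
PAYLOADS = [
    "<script>alert(1)</script>",                    # the only one the blacklist catches
    "<img src=x onerror=alert(1)>",                 # no script tag needed
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # stripping once rebuilds the tag
    '" onmouseover="alert(1)',                      # breaks out of the attribute value
]


def surviving_payloads(filter_fn) -> list:
    """Payloads whose filtered form still carries a raw '<' or '"' into the page."""
    return [p for p in PAYLOADS if "<" in filter_fn(p) or '"' in filter_fn(p)]
```

Against the blacklist three of the four payloads reach the page unchanged or, in the nested case, reassembled into exactly the tag the filter was meant to remove; against the escaper none do, and the username is still displayed as typed. Escape at the point of output for the context you are writing into, and keep input validation (length, character set) as a separate, additional check.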

Chippiewill
28-09-2007, 09:25 PM
Has anyone hacked it yet? (Apart from the cash thing, which he has the same amount of cash with anyways; he has negatives and positives which balance each other.)

Eccentric
28-09-2007, 09:28 PM
I tried using the old cookie exploit ;) which I see you fixed. Did you use my script in the end?

Chippiewill
28-09-2007, 09:28 PM
Which one?

PS: 200th post

Eccentric
28-09-2007, 09:32 PM
On TT, I'll post the link, hang on: http://www.techtuts.com/forums/index.php?showtopic=4299
farp,'s sucks cos it's just CSS; mine actually owns all, and mine was the original one :D
That one ;)

Chippiewill
28-09-2007, 09:34 PM
Oh, I might, but I'm naff at making layouts though.

Sygon..
30-09-2007, 01:57 PM
If your server has magic quotes enabled, SQL injection is like impossible.
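
Magic quotes (magic_quotes_gpc) runs the equivalent of addslashes() over GET, POST and cookie data: a backslash goes in front of single quotes, double quotes, backslashes and NUL bytes. The following is an added example, not the site's code, written in Python against an in-memory SQLite table so it runs offline (the thread does not say which database the site uses). It emulates that escaping and runs one member lookup two ways; the member rows are constructed for the example.

```python
import sqlite3

# Added example, not the site's code. addslashes_like() emulates what magic quotes
# does to request data; SQLite stands in for the site's (unstated) database.


def addslashes_like(s: str) -> str:
    """PHP addslashes(): backslash before backslash, single quote, double quote, NUL."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def make_db() -> sqlite3.Connection:
    """Constructed members table with one admin and two members."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, rank TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", [
        (1, "Chippiewill", "admin"),
        (2, "awelsh", "member"),
        (3, "Decode", "member"),
    ])
    return conn


def lookup_escaped(conn, raw_id: str) -> list:
    """String-built query 'protected' by magic quotes. The id is numeric, so the SQL
    has no quotes around it and the escaping has nothing to act on."""
    sql = "SELECT name FROM members WHERE id = " + addslashes_like(raw_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, raw_id: str) -> list:
    """Type check plus a parameterised query: the input can never become SQL."""
    try:
        member_id = int(raw_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM members WHERE id = ? ORDER BY id", (member_id,))
    return [row[0] for row in rows]
```

The escaped version returns every member for the input 1 OR 1=1 because nothing in that payload is a character addslashes() touches. In a quoted string context on MySQL the backslash does neutralise the obvious ' OR '1'='1, which is what the post has in mind, but numeric contexts, LIMIT and ORDER BY clauses, and anything built after the data has been stripslashes()'d are untouched. Parameterised queries remove the whole category regardless of context, which is why magic quotes was deprecated and later removed from PHP.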

Chippiewill
30-09-2007, 03:09 PM
One sec, I'll check; I think I turned it off for a script I don't use.

Edit: turned magic quotes on ;D

Decode
30-09-2007, 03:24 PM
I've edited... I looked in members and the account is rank: member

I'm sure you can guess the pass for ADMIN... lol
I couldn't guess it. Use a brute.

Chippiewill
30-09-2007, 04:24 PM
Oh no, a brute will get it, nooooooooooooooooo

lol, I'm gonna add some extra security

I'm gonna add the 3-wrong-passwords lockout feature, muhahahaha

PS: new URL

http://usersystem.habbies.com

Naruto!
30-09-2007, 05:01 PM
URL doesn't work..

Janet Snakehole
30-09-2007, 05:08 PM
Yeah, link doesn't work.
-.-

Chippiewill
30-09-2007, 05:57 PM
Really?

Edit: whoops

http://usersystem.thehabbies.com

Sorry, I keep on forgetting the 'The' part of 'The Habbies'.

Chippiewill
30-09-2007, 06:28 PM
Sorry, couldn't edit ;(

Notice:

There will be a little downtime for login.

Chippiewill
04-10-2007, 07:46 PM
Hmm, bit of an update:

Working again

Auto redirect fixed



I've been thinking of how to protect from a brute force attack on the admin accounts, so here is what I think I will do:

Step 1) Make all admin functions only accessible to localhost
Step 2) When the admin logs in he will be redirected to a .htaccess-protected proxy on localhost
Step 3) He will then be taken to another login page which will have a different password and will not use a normal password box but will use selection boxes (the round ones)
Step 4) They will then be redirected to the admin section of the user system

The session will last a maximum of 5 minutes for admin

Is this a good way to protect from a brute force?

Tomm
04-10-2007, 07:59 PM
No.

You have to gauge between usability and security. Plus it is highly unlikely that the admin will be logging in from localhost anyway since that would require physical access or remote desktop access to that server (Assuming the server has the means to view internet pages as well).

Currently you have the administrator logging in three times before being granted access to the control panel, only to find out he has to re-login again after five minutes. If I was an administrator using this software I would be quite annoyed and frustrated by now.

I recommend you always re-authenticate the user after logging in before granting access to the admin control panel. If you plan to release it then leave the htaccess option to the end user as the end user may not want this additional delay to access the control panel or the user may not be using Apache as their webserver software.

The drop-down menu pin-style login is totally un-needed. If you were to include it and release it to other people then I recommend you leave it disabled by default, but allow the end user to re-enable it if he so wishes.

Plus none of what you specified will actually prevent a brute force attack, only delay it. If you wish to prevent a brute force attack then you need some sort of detection to detect automated login attempts. Let's say the user gets the password wrong two times in a row. I would recommend that you delay the login by about 3-5 seconds - make it wait. This would slow down the brute force program tremendously as the whole idea of automated attacks is that it's very fast. Next, after about five failed attempts, you should lock out the account for around ten minutes and use email or whatever to notify an administrator if the account that is locked out is another administrator. If you continue to get failed login attempts from the same IP address then I recommend you block that IP address for around 1 to 2 hours and, as above, notify the administrator.



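The throttling policy Tomm lays out above, as an added Python example (the site is PHP; this is not its code or Tomm's): slow responses after two consecutive failures, lock the account for ten minutes after five, block the source address for an hour when failures from it keep coming, and notify an administrator when a locked account is an admin. The post gives no number for the per-IP threshold, so the 15 used here is an assumption, as are the exact seconds; the clock is injected so the scenario runs without waiting.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not the site's code or Tomm's. Thresholds follow the post where it
# gives a number; IP_BLOCK_AFTER and the exact seconds are assumptions.

DELAY_AFTER = 2              # consecutive failures before responses are slowed
DELAY_SECONDS = 4.0          # "about 3-5 seconds"
LOCK_AFTER = 5               # failures before the account is locked
LOCK_SECONDS = 10 * 60       # "around ten minutes"
IP_BLOCK_AFTER = 15          # assumed: failures from one address, any account
IP_BLOCK_SECONDS = 60 * 60   # "around 1 to 2 hours"


@dataclass
class Counter:
    failures: int = 0
    blocked_until: float = 0.0


@dataclass
class Decision:
    allowed: bool
    delay: float = 0.0       # seconds the login handler must sleep before replying
    reason: str = ""


class FakeClock:
    """Stand-in for time.monotonic() so the scenario needs no real waiting."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class LoginGuard:
    def __init__(self, clock, admins, notify):
        self.clock = clock                    # callable returning seconds
        self.admins = set(admins)
        self.notify = notify                  # callable(message), e.g. send an email
        self.accounts = defaultdict(Counter)  # keyed by username
        self.ips = defaultdict(Counter)       # keyed by source address

    def attempt(self, user: str, ip: str, password_correct: bool) -> Decision:
        """Evaluate one login attempt and update the counters."""
        now = self.clock()
        acct, src = self.accounts[user], self.ips[ip]
        if src.blocked_until > now:
            return Decision(False, reason="ip blocked")
        if acct.blocked_until > now:
            self._ip_failure(src, ip, now)    # hammering a locked account still counts
            return Decision(False, reason="account locked")
        delay = DELAY_SECONDS if acct.failures >= DELAY_AFTER else 0.0
        if password_correct:
            acct.failures = 0
            return Decision(True, delay=delay)
        acct.failures += 1
        self._ip_failure(src, ip, now)
        if acct.failures >= LOCK_AFTER:
            acct.blocked_until = now + LOCK_SECONDS
            acct.failures = 0
            if user in self.admins:
                self.notify(f"admin account {user!r} locked after {LOCK_AFTER} failures from {ip}")
        return Decision(False, delay=delay, reason="bad password")

    def _ip_failure(self, src: Counter, ip: str, now: float) -> None:
        src.failures += 1
        if src.failures >= IP_BLOCK_AFTER:
            src.blocked_until = now + IP_BLOCK_SECONDS
            src.failures = 0
            self.notify(f"ip {ip} blocked for {IP_BLOCK_SECONDS // 60} minutes after repeated login failures")
```

The handler calls attempt() with the result of the password check, sleeps for decision.delay, then replies; the delay is applied whether or not the password was right, so a guesser cannot tell the two apart by timing. Keep the counters somewhere shared (the database or a cache), not in one PHP process's memory, or each request starts from zero.
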
Chippiewill
04-10-2007, 08:38 PM
Urm, I don't think you quite understood;

this is a script for personal use that I needed tested for security.

It is self-hosted, so the localhost thing is good!

Also, I meant 5 minutes of no action before the session ends, not 5 minutes then stop.

Plus, your idea was what I was originally going to do, but I had a problem that if someone tried the Admin too much then I won't be able to access it for about ten mins.

Plus, I didn't know that all brute forcers were capable of filling in the circular selection box?
