
Thread: Why New Trackers Are Worthless And More Importantly Dangerous

  1. #61
    Ducksters the Man

  2. BitTorrent   -   #62
    Great post 1080p, I hope everyone reads that, because you're dead on right!! Good reading material...

  3. BitTorrent   -   #63
    respawn40's Avatar Phoenix Wright :D BT Rep: +2
    Join Date
    May 2008
    Location
    World Wide Web
    Posts
    983
    You can tell how secure a tracker is from their HTML code?


    I am a exsellent speller and I use grammer very good.

  4. BitTorrent   -   #64
    TheFoX's Avatar www.arsebook.com
    Join Date
    Jan 2007
    Posts
    1,567
    Quote Originally Posted by KFlint View Post
    Quote Originally Posted by 1080p View Post
    Before I join any site I obtain a copy of the code of the tracker itself, it's easy to do this, right click webpage > View Source. Then I usually ask questions if I can, then see what type of reputation it has.
    While I agree with your post in general, this quote is completely wrong and makes me wonder if you know anything about programming...


    I should point out that while no back end code is present, you can actually test whether a site is secure by analysing, then modifying, some elements of HTML.

    I use a FireFox utility called hackbar, that allows me to modify the query string of, and reload, an HTML page. This means that I can detect if the code is secure.

    An example of an old forum bug (hopefully sealed by now), is the quote bug, where you quote a message, which gives you an edit window. On the bugged version of TBS forums, you could modify the 'postid', and it would reload the specific post, and the 10 preceding posts of that thread. There were no checks to ensure that you had access to that specific thread.

    Another way to determine if a site is secure is to play with the POST values, and see if you can access restricted areas.

    Finally, cookies allow another entry into an insecure system.

    Needless to say, a secure system will bounce you out if it detects that you are trying to access a restricted area. A secure system will also deal with SQL injection (which is achieved via HTML). A really secure system will also bounce malicious javascript.

    You'd be surprised at how many systems I have been able to compromise, with just a simple bit of HTML modifying. Thankfully, most owners took on board my suggestions, and hardened their sites.
    Quote Originally Posted by OlegL
    You are one of the nicest and most mature people on this board; I would never ignore someone like you.
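
The quote bug described in post #64 is a missing authorization check on a client-supplied id. The sketch below is an added example, not code from the post or from any forum software; the schema, function names and sample rows are hypothetical and constructed for illustration. It shows the unchecked lookup beside a hardened one that validates the `postid` and checks the requester against the thread the post belongs to.

```python
import sqlite3

def make_db():
    """Constructed sample forum: thread 1 is public, thread 2 is staff-only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE threads (id INTEGER PRIMARY KEY, staff_only INTEGER);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, thread_id INTEGER, body TEXT);
        INSERT INTO threads VALUES (1, 0), (2, 1);
        INSERT INTO posts VALUES (10, 1, 'public post'), (20, 2, 'staff-only post');
    """)
    return db

def quote_post_unchecked(db, user, postid):
    """The bug as described: any postid the client sends is loaded.
    `user` is never consulted, so thread access is not enforced."""
    row = db.execute("SELECT body FROM posts WHERE id = ?", (postid,)).fetchone()
    return row[0] if row else None

def quote_post_checked(db, user, postid):
    """Hardened: validate the id, then authorize against the post's thread."""
    try:
        postid = int(postid)  # rejects anything that is not a plain integer
    except (TypeError, ValueError):
        return None
    # Parameterized query: the id is bound as data, never spliced into SQL.
    row = db.execute(
        "SELECT p.body, t.staff_only FROM posts p "
        "JOIN threads t ON t.id = p.thread_id WHERE p.id = ?",
        (postid,),
    ).fetchone()
    if row is None:
        return None
    body, staff_only = row
    # Server-side decision based on the session's user, not on request fields.
    if staff_only and not user.get("is_staff"):
        raise PermissionError("no access to this thread")
    return body

if __name__ == "__main__":
    db = make_db()
    member = {"is_staff": False}
    print(quote_post_unchecked(db, member, 20))  # leaks the staff-only post
    print(quote_post_checked(db, member, 10))    # public post is still served
```
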

  5. BitTorrent   -   #65
    Well put.

  6. BitTorrent   -   #66
    walkman79's Avatar Poster BT Rep: +2
    Join Date
    Nov 2007
    Location
    Peru
    Age
    45
    Posts
    180
    Damn 1080p! lol, I have to say again that I totally agree with you, but I was wondering how can you determine a site is well coded by only looking at its HTML code?

    You can't see the source code by right clicking a site, can you???

    Edit: I've just read some replies, but I'm still not convinced. You can really tell a site is not safe by looking at the HTML code (right click > view source)?
    Last edited by walkman79; 07-31-2008 at 10:04 PM.

  7. BitTorrent   -   #67
    KFlint's Avatar ... BT Rep: +35
    Join Date
    Mar 2007
    Posts
    4,056
    Quote Originally Posted by TheFoX View Post
    Quote Originally Posted by KFlint View Post

    While I agree with your post in general, this quote is completely wrong and makes me wonder if you know anything about programming...


    I should point out that while no back end code is present, you can actually test whether a site is secure by analysing, then modifying, some elements of HTML.

    I use a FireFox utility called hackbar, that allows me to modify the query string of, and reload, an HTML page. This means that I can detect if the code is secure.

    An example of an old forum bug (hopefully sealed by now), is the quote bug, where you quote a message, which gives you an edit window. On the bugged version of TBS forums, you could modify the 'postid', and it would reload the specific post, and the 10 preceding posts of that thread. There were no checks to ensure that you had access to that specific thread.

    Another way to determine if a site is secure is to play with the POST values, and see if you can access restricted areas.

    Finally, cookies allow another entry into an insecure system.

    Needless to say, a secure system will bounce you out if it detects that you are trying to access a restricted area. A secure system will also deal with SQL injection (which is achieved via HTML). A really secure system will also bounce malicious javascript.

    You'd be surprised at how many systems I have been able to compromise, with just a simple bit of HTML modifying. Thankfully, most owners took on board my suggestions, and hardened their sites.
    Totally agree with you,

    though I thought it was important to clarify this part:

    playing with input fields, the query string and hidden fields is the way to break security; reading the HTML source in itself is worthless.

  8. BitTorrent   -   #68
    slymester's Avatar (""\(O.o)/"") BT Rep: +14
    Join Date
    Aug 2008
    Location
    In a House
    Posts
    1,352
    Excellent read

  9. BitTorrent   -   #69
    OK, I'd like to know why my name was mentioned? Yes, I've not made many posts here; that's because I didn't know about this site until recently. I've been torrenting for many years. lovethescene is built upon knowledge etc. All we are, or at least try to be, is a fun place. Go on, have a laugh, it's fine, but some people actually do prefer the community side of things. And that's what lovethescene is built upon. It's not cool to run a torrent site lol, it's just good fun. Meeting people from all over the world.
    Last edited by Trancer; 08-11-2008 at 01:38 PM.

  10. BitTorrent   -   #70
    cuds's Avatar Poster
    Join Date
    Jul 2008
    Location
    Northern Ireland
    Posts
    38
    Guys, I have been reading this thread carefully and although I agree with some of the statements I have to also disagree with some.

    Since owning a new tracker, I won't say what site as accused of promoting it, but when I decided it was with caution, I checked out what scripts were secure or had a good rep.

    I went with xbtit - my coder is on xbtit dev team, my staff are from good sites, one is Loaded, I am sure you guys know of him?

    I wrote down the pros and cons.

    It took a hell of a lot of researching beforehand, even deciding what host to use etc.

    We have xbtit script and a cent 5 vps running linux using xbt backend, it has been tested to death against SQL injections too - someone joked tbdev is better ha ha, not even going there.

    So why did we start one? Easy, no one does what we do, just 1 topic, most sites are a mixture of things so someone had to, and no we are not a music site, there is heaps of them.

    If it wasn't for the fact no one has what we do I would never have opened one, it is a loss from day 1, it will take years for it to support itself financially, you will always run at a loss as no site unless thousands of members will cover its costs in running it.

    Plus if you don't have a good staff or team behind you, you will fail, you need a damn good PHP coder, sysop, forum mods etc, without these don't even attempt to try it, you will be always updating your code, making new hacks or modifying them as your site grows, so if you are thinking about it, talk to other owners first, research what is needed, don't just do one everyone else is doing, make it unique if you can, and above all do your research first.

    Apart from that some nice comments for and against, will keep reading replies.
