Author Topic: General Site Test  (Read 2314 times)


tommyboy123x (Topic starter)
Re: General Site Test
« Reply #15 on: September 01, 2007, 12:45:34 AM »
If you want true security you should be salting and md5ing/sha1ing the passwords multiple times.

........which is what I am doing....

Quote from: tommyboy123x
and passwords are in md5 + another enc type

It isn't live yet, but the files on my computer right now use the multi-pass encryption - obviously the last is md5. And yes, when I say virtually uncrackable I mean it... try cracking a hash of a base64 string or sha1. It is almost guaranteed to have something more than just lowercase letters on the home row, and last time I checked c&a takes around 1e100 years (+/- 1e100 years of course) to crack this.

I appreciate the help, but I already got that taken care of :-).

What I've come to see is that XSS and SQL injections are the most common exploits - please correct me if I'm wrong. To stop the XSS, I would use some kind of code like (excuse the crudeness... and possible syntax errors)

Code:
// Crude keyword blacklist: reject the request if the input contains any of these substrings
if (strstr($input, 'javascript') || strstr($input, 'void') || strstr($input, 'script') || strstr($input, 'http')) {
    // send the user back
    exit();
}

or is there already a PHP function like mysql_real_escape_string? I know about strip_tags, but does that cover it?

Also should it go

Code:
mysql_real_escape_string(strip_tags($input));

or

Code:
strip_tags(mysql_real_escape_string($input));

?


-Tom
« Last Edit: September 01, 2007, 12:48:15 AM by tommyboy123x »
"One of the best GPT sites ever!"
Offers: Over $2000 | Referral Commission: 15-25% | Payout Time: 3-5 Business Days
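The questions above (keyword blacklist for XSS, strip_tags versus mysql_real_escape_string ordering, and hand-stacked md5/sha1 rounds) are all answered the same way today: validate input against what the field legitimately needs, escape at the point of output with htmlspecialchars, keep SQL and data apart with prepared statements, and let password_hash handle salting. The following signup/login sketch is an added example, not code from the thread or from tommyboy123x's site; the users table, its columns and the in-memory SQLite database are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Assumes a PDO connection to a
// table users(username, email, password_hash); names are assumptions.
declare(strict_types=1);

// Output encoding: escape where data is written into HTML, instead of trying to
// blacklist words like "script" on the way in (a blacklist is brittle and also
// rejects legitimate text such as "description" or "http" in a profile).
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation: accept only the shape the field needs. A username that
// matches this pattern cannot carry markup or quotes at all.
function validateUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $username);
}

function validateEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Storage: a prepared statement keeps the SQL fixed and passes values
// separately, so neither strip_tags() nor mysql_real_escape_string() is needed
// for the query. password_hash() (PHP >= 5.5) applies a random per-user salt
// and a deliberately slow algorithm; this replaces stacking md5/sha1 by hand.
function registerUser(PDO $pdo, string $username, string $email, string $password): bool
{
    if (!validateUsername($username) || !validateEmail($email) || strlen($password) < 8) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)'
    );
    return $stmt->execute([
        ':u' => $username,
        ':e' => $email,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the salt and cost back out of the stored hash.
    return $hash !== false && password_verify($password, (string) $hash);
}

// Rendering: the raw value is stored unchanged; escaping happens here, once,
// for the HTML context it is going into.
function renderProfile(string $username): string
{
    return '<p>Welcome, ' . html($username) . '</p>';
}

// Constructed demo on an in-memory SQLite database (pdo_sqlite) so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password_hash TEXT)');

var_dump(registerUser($pdo, 'tom_123', 'tom@example.com', 'correct horse battery'));
var_dump(registerUser($pdo, 'tom<script>', 'bad@example.com', 'whatever'));  // rejected by validateUsername
var_dump(verifyLogin($pdo, 'tom_123', 'correct horse battery'));
var_dump(verifyLogin($pdo, 'tom_123', 'wrong password'));
echo renderProfile('<b>tom</b>'), "\n";  // the tags are rendered as text, not markup
```

Note the ordering question disappears: escaping for SQL and escaping for HTML are different contexts, so neither should be applied to the stored value. The database holds the raw (validated) string, the prepared statement protects the query, and htmlspecialchars protects the page.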

tommyboy123x (Topic starter)
Re: General Site Test
« Reply #16 on: September 01, 2007, 08:11:48 PM »
for the tracker URLs, is there a problem with having it not filter out things... I mean the url=xxx just takes the user to the offer... if they don't want to they don't have to do the offer... or are there other things that could screw the site up?

Thanks, I'll get to work :-)
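The concern with a tracker that forwards to whatever url=xxx it is handed is that the site's own domain then vouches for any destination a link-builder chooses (an open redirect). The usual fix is to redirect by offer id and keep the destination server-side. This is an added example, not the site's tracker.php; the OFFERS map and the id parameter name are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Assumes tracker.php is called
// as tracker.php?id=N; the offer table below is a constructed stand-in.
declare(strict_types=1);

// Offer id => destination, maintained server-side. The visitor never supplies
// the destination itself, so the script cannot be pointed at an arbitrary site.
const OFFERS = [
    17 => 'https://example.com/offer/17',
    42 => 'https://example.net/promo',
];

// Returns the redirect target for a known offer id, or null for anything else.
function resolveOffer(array $offers, string $rawId): ?string
{
    // ctype_digit rejects '', '17abc', '-1' and anything with whitespace,
    // so only a plain non-negative integer string reaches the lookup.
    if (!ctype_digit($rawId)) {
        return null;
    }
    return $offers[(int) $rawId] ?? null;
}

// Request handler: 302 to the stored URL, 404 for unknown ids. Returns the
// body text so the decision is easy to inspect without a web server.
function handleTracker(array $offers, array $query): string
{
    $target = resolveOffer($offers, (string) ($query['id'] ?? ''));
    if ($target === null) {
        http_response_code(404);
        return 'Unknown offer';
    }
    // A click log would store the numeric id here via a prepared statement,
    // never the raw query string.
    header('Location: ' . $target, true, 302);
    return '';
}

// Constructed demo inputs standing in for $_GET.
var_dump(resolveOffer(OFFERS, '17'));                       // known offer
var_dump(resolveOffer(OFFERS, '99'));                       // unknown id
var_dump(resolveOffer(OFFERS, 'https://example.org/'));     // raw URL is rejected outright
echo handleTracker(OFFERS, ['id' => 'abc']), "\n";
```

If legacy links with url= must keep working for a while, the same pattern applies: look the supplied URL up in the offer table and redirect only on an exact match, never on a prefix or substring check.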

tommyboy123x (Topic starter)
Re: General Site Test
« Reply #17 on: September 01, 2007, 11:24:20 PM »
Editing timed out - sorry for the double post.

I fixed all the problems mentioned except for the signup fields (such as email, address, etc.) for XSS and the javascript injections / SQL injections (w/ the search feature on the offers page)... if you end up finding something please post it :-)


edit: basically anything aside from the signup page is what I believe to be secure. I'll be fixing the signup page in a few minutes and I'll announce when it is "secure".

tommyboy123x (Topic starter)
Re: General Site Test
« Reply #18 on: September 02, 2007, 03:58:45 AM »
I love triple posting......

As far as I know, the sign-up page is "secure" as well as everything else... obviously don't do anything to corrupt the DBs, but if you can query the DBs, it's just as good but less harmful if it's possible... if that makes any sense.

Revised:
Sign-up page XSS
Profile XSS
tracker.php XSS and exploits
Search exploits

Also I deleted the users "username" and "agentsteal" to clear out the old XSS marquees in the database... I figured it couldn't be good anyway :-P

thryb
Re: General Site Test
« Reply #19 on: September 04, 2007, 12:22:39 PM »
What about people from Canada? Can't sign up.

tommyboy123x (Topic starter)
Re: General Site Test
« Reply #20 on: September 05, 2007, 10:40:11 PM »
No, most of the offers are US only and it only adds fraud... I might get around to putting in a thing for Canada and other countries, but right now, no one outside of the US.