hedning
Registered: Mar 2009, Posts: 4747
Pewp is testing the database
If you see anything strange on CSDb these days, like XSS stuff and so on, weird code blobs etc., don't worry. pewp/G*P and Perff are testing the database and potential vulnerabilities. It is completely under control.
Burglar
Registered: Dec 2004, Posts: 1114
That's good stuff, but did he really have to steal session cookies the other day?
chatGPZ
Registered: Dec 2001, Posts: 11442
*pinches gf's nipples* "I'm just testing something!"
pewp
Registered: Feb 2015, Posts: 3
Yes, I had to steal the session cookies (the target was NOT everyone, but Perff). I only modified MY own profile and told Perff to visit my page while I had the JavaScript there. It was deleted as soon as we finished testing our stuff.
I wanted to see if the session cookie was assigned to a specific IP number (which can be used to prevent session stealing), but a moderator cleared and took ownership of my profile before we could test this.
And trust me, I'm doing this to make CSDb better, not to cause any problems. You really want me to find these things before someone else does and actually starts causing problems.
I also invite anyone to join me in making CSDb better. If you want to participate in this security audit, let me know, or contact Perff.
Questions?
Burglar
Registered: Dec 2004, Posts: 1114
Well, the account you created (with the XSS in the username) showed up on the homepage within minutes, and therefore it started cookie hijacking everybody visiting the homepage, not just Perff ;)
We found out pretty quickly and a mod took care of getting rid of the account, but I'm sure your server must've received multiple cookies from various users. If you didn't, the XSS was buggy ;)
Burglar
Registered: Dec 2004, Posts: 1114
Tip 1:
Add the HttpOnly flag to the cookies here, so even when there is an XSS flaw, your cookie can't be stolen that easily.
https://www.owasp.org/index.php/HTTPOnly
Tip 2:
CSDb is vulnerable to slow HTTP attacks; when executed, they take the site offline. Can be fixed by putting a reverse proxy (e.g. Varnish, and I guess nginx can handle it too) in front of CSDb's Apache/mod_php.
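The two cookie-hardening ideas raised in this thread, pewp's test of whether a session is bound to the client's IP address and Burglar's tip 1 about the HttpOnly flag, as an added example that is not CSDb's code and is not from any poster here. It assumes PHP's default cookie name PHPSESSID, a constructed server secret, and RFC 5737 documentation addresses for the "victim" and "attacker"; the IP binding is a stateless HMAC illustration, not PHP's server-side session store. The caveat a practitioner should weigh before adopting it: binding sessions to an IP logs out users whose address changes (mobile networks, carrier NAT, proxies), which is also why HttpOnly, Secure and SameSite are the first fix, and IP binding only a second layer.

```python
# Added example, not code from CSDb or its authors: a PHP-style session cookie
# issued with HttpOnly/Secure/SameSite, a check for which of those attributes a
# Set-Cookie value lacks, and a session token bound to the client IP via an HMAC.
# SERVER_SECRET, COOKIE_NAME and the IP addresses below are constructed for this example.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_SECRET = b"constructed-example-secret-rotate-me"  # assumption: a real site loads this from config
COOKIE_NAME = "PHPSESSID"  # PHP's default session cookie name, assumed here


def _tag(sid: str, client_ip: str) -> str:
    """HMAC over (session id, client IP); ties the id to the address it was issued to."""
    msg = f"{sid}|{client_ip}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_session(client_ip: str) -> str:
    """Return a token of the form <random id>.<tag>.

    A token replayed from another IP fails validation, which is the property
    pewp wanted to test. Caveat: users whose IP changes get logged out.
    """
    sid = secrets.token_hex(16)
    return f"{sid}.{_tag(sid, client_ip)}"


def validate_session(token: str, client_ip: str) -> bool:
    """True only if the token is well formed and its tag matches this client IP."""
    sid, sep, tag = token.partition(".")
    if not sep or not sid or not tag:
        return False
    return hmac.compare_digest(tag, _tag(sid, client_ip))


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value the way tip 1 recommends (plus Secure and SameSite)."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True   # hidden from document.cookie, so an XSS payload cannot read it
    morsel["secure"] = True     # never sent over plain HTTP
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs (CSRF hardening)
    morsel["path"] = "/"
    return jar.output(header="").strip()


def missing_cookie_flags(set_cookie_value: str) -> list:
    """Audit helper: the hardening attributes a Set-Cookie value lacks, in a fixed order."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_value.split(";")[1:]
    }
    return [flag for flag in ("httponly", "secure", "samesite") if flag not in attrs]


def demo() -> dict:
    """Issue a session to the victim, then try it hardened, unflagged, replayed and tampered."""
    victim_ip, attacker_ip = "192.0.2.10", "198.51.100.7"  # RFC 5737 documentation addresses
    token = issue_session(victim_ip)
    hardened = session_cookie_header(token)
    plain = f"{COOKIE_NAME}={token}; Path=/"  # what an unflagged cookie looks like on the wire
    return {
        "hardened_header": hardened,
        "missing_in_hardened": missing_cookie_flags(hardened),
        "missing_in_plain": missing_cookie_flags(plain),
        "victim_accepted": validate_session(token, victim_ip),
        "replay_from_other_ip": validate_session(token, attacker_ip),
        "tampered_token": validate_session(token + "0", victim_ip),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the hardened header comes out as `PHPSESSID=<token>; HttpOnly; Path=/; SameSite=Lax; Secure`, the unflagged cookie reports all three attributes missing, and the same token is accepted from the victim's address but rejected when replayed from the attacker's address or after tampering.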
Total Chaos
Registered: Mar 2006, Posts: 74
Pewp vs. Burglar - I want a demo of it!
;)
Mr.Ammo (Account closed)
Registered: Oct 2002, Posts: 228
If this testing is all about security, then please fix csdb.dk's certificate too. The one CSDb is using now is not trusted by any web browser. You surely must have found this weak spot during your security testing.
Perhaps https://letsencrypt.org/ might be a nice source to get a decent certificate.
pewp
Registered: Feb 2015, Posts: 3
Quote: Well, the account you created (with the XSS in the username) showed up on the homepage within minutes, and therefore it started cookie hijacking everybody visiting the homepage, not just Perff ;)
We found out pretty quickly and a mod took care of getting rid of the account, but I'm sure your server must've received multiple cookies from various users. If you didn't, the XSS was buggy ;)
Yes, I received a few cookies, but trust me, they are deleted and not saved. As I said, my intention was to make the site better. I have no interest in hijacking people.
We are doing this to improve security.
pewp
Registered: Feb 2015, Posts: 3
Quote: Tip 1:
Add the HttpOnly flag to the cookies here, so even when there is an XSS flaw, your cookie can't be stolen that easily.
https://www.owasp.org/index.php/HTTPOnly
Tip 2:
CSDb is vulnerable to slow HTTP attacks; when executed, they take the site offline. Can be fixed by putting a reverse proxy (e.g. Varnish, and I guess nginx can handle it too) in front of CSDb's Apache/mod_php.
Great tips and findings. We never went so far as to look at those things; we started by looking at the webapp itself.
I have requested the source code from Perff, still waiting for that. This makes things easier, and then we won't accidentally target other users.
bugjam
Registered: Apr 2003, Posts: 2628
While you are at it, maybe you have an idea about the issue described here: http://csdb.dk/forums/?roomid=12&topicid=111723#111785 . The problem still persists, in a random manner: sometimes I can download a couple of different .d64 files without problem, then all of a sudden it "hangs" again with the last download, and all following .d64 files that I download turn out to be that same last file. And then (again at random) it works again for a bit.
My IP was also clueless; the thing that I found out is that it depends on my IP address: when I go through a proxy, it works! Just a bit cumbersome that way...