[RESOLVED] Hack my site

teamfox20

Hi there,

I am looking for people to try to hack into my website. Not to harm anything but just to see where I might need to up my security.

If you are interested please PM me.

dougal85

maybe its a set up 😛

don't tell me, i can guess... your website is amazon.com

teamfox20

lol...its not a setup...its my first complete site and I want to make sure its well protected against SQL injections and whatever else.

Too much code to post, its not 1 page its a full site.

If you guys dont trust me...do you know any companies in the business of testing website security?

dougal85

I was just teasing. I don't know any off hand - but google will probably be able to find you loads. They might charge lots.

You could always show us the code that is likely to have security problems. For example your database stuff and your POST/GET handling.

besides people would be more likely to have a stab at it if you just post the link

teamfox20

I dont want it to get cached and then give everyone in the whole world an incentive to hack me lol.

dougal85

thats the best way to test your security.

teamfox20

lol nah, trying to conduct business while 10,000 people are trying to hack me would not be fun.

halojoy

🙂
I have a few times invited people
to test some small application of mine for security.
Giving a link to my script.

So far, never anybody have brooke into.
But I guess it is no merit to hack a small site.
And hacking is not as easy in real life as in theory.

A good way, is to let your script give away as little info as possible.
About your site structure, files and folders.
And of course have vital data outside of webroot and/or protected by permissions.

It is a big surprise to me,
to find common databases have not encrypted tables files.

If you open MySQL / SQLite in your editor, you have the data there in plain text!
I can, to a bit, understand it with MySQL as this is 99% outside of website tree.
But if I have access to the PC where MySQL is located, it is no problem to get hold of the data fields.
Addresses, telephone numbers and whatever, except for password, that is md5.

In the case of SQLite, where many times data files are stored in web folders
it is difficult to understand why these files are not encrypted.

I use [man]mcrypt/man for my own data files, when I want security.
PHP MCrypt is so fast, there is hardly any time penalty for using it.
CBC block ciphers typically delay only 0.001 s per 25kByte.

Regards

MarkR

halojoy wrote:
to find common databases have not encrypted tables files.

There would be no advantage in them doing so; it would simply complicate the scheme and make it slower.

If you want the machine to boot unattended, the key would need to be stored somewhere.

If you open MySQL / SQLite in your editor, you have the data there in plain text!

You find an editor which will open my 32Gb mysql file, and you'll be laughing.

No, seriously, if you obtain physical access to our servers, you can have all the data. Good luck.

I can, to a bit, understand it with MySQL as this is 99% outside of website tree.

In most large applications on another machine, in some cases behind another firewall.

But if I have access to the PC where MySQL is located, it is no problem to get hold of the data fields.
Addresses, telephone numbers and whatever, except for password, that is md5.

The administrator could choose to put the mysql data files on an encrypted volume, but they'd then either have to type in a password/key on each boot, or have the key stored locally anyway to be unable to boot unattended.

In the case of SQLite, where many times data files are stored in web folders
it is difficult to understand why these files are not encrypted.

No, it is not difficult to understand. There is no motivation for them to be encrypted, only an idiot would give untrusted users access to their database storage files.

I use [man]mcrypt/man for my own data files, when I want security.
PHP MCrypt is so fast, there is hardly any time penalty for using it.
CBC block ciphers typically delay only 0.001 s per 25kByte.

That doesn't sound like a valid performance benchmark. In any case, encrypting the data in the application significantly breaks things, for example, database indexes no longer work correctly, it becomes impossible to access the data with third party applicatons (e.g. for data warehousing using third party reporting), disc , database or network compression works less well, the list goes on.

Your argument is entirely baseless.

Mark

laserlight

I have a few times invited people
to test some small application of mine for security.
Giving a link to my script.

So far, never anybody have brooke into.
But I guess it is no merit to hack a small site.
And hacking is not as easy in real life as in theory.

Have you offered a suitable reward for a security breach? Have you taken proper steps to indemnify those who would make such an attempt? Even if you have, has any security expert tried? Surely you cannot expect that people will stick their neck out for nothing.

It is a big surprise to me,
to find common databases have not encrypted tables files.

I do not find it surprising at all. For example, a database for forum software typically has little use for encryption. An e-commerce database would probably be better off with encryption, but even then not everything is likely to be sensitive enough to justify the overhead of encryption. Remember, encryption is just one layer of security.

If you open MySQL / SQLite in your editor, you have the data there in plain text!
I can, to a bit, understand it with MySQL as this is 99% outside of website tree.
But if I have access to the PC where MySQL is located, it is no problem to get hold of the data fields.
Addresses, telephone numbers and whatever, except for password, that is md5.

Indeed. Do you have access to the servers and the required privileges in the first place?

In the case of SQLite, where many times data files are stored in web folders
it is difficult to understand why these files are not encrypted.

SQLite has an encrypted version offered by its author, but that is proprietary. I would suggest that the problem lies in storing the database file within the document root. As you have pointed out, it is good practice not to do so.

Mulligan2007

Security Metrics comes to mind. They are located in Utah. $140 for a year's worth of security testing on a quaterly basis. They are part of the PCI compliance movement and are reliable. The system checks for all the known hack vulnerabilities for your IP and the site behind it.

Mulligan2007

Elizabeth

teamfox20 wrote:
...do you know any companies in the business of testing website security?

Have you taken a look at Chorizo? It scans your site for potential security holes, might be enough for you without having to pay for a full blown audit. Those are not cheap as far as I know.

Weedpacket

laserlight wrote:
halojoy wrote:
I have a few times invited people
to test some small application of mine for security.
Giving a link to my script.

So far, never anybody have brooke into.
But I guess it is no merit to hack a small site.
And hacking is not as easy in real life as in theory.

Have you offered a suitable reward for a security breach? Have you taken proper steps to indemnify those who would make such an attempt? Even if you have, has any security expert tried? Surely you cannot expect that people will stick their neck out for nothing.

Probably referring to this.