I found Security Vulnerability in your web application
Posted two years ago
I found Security Vulnerability in your web application. For security purpose can we report vulnerability here,then will i get bounty reward in PayPal or Bitcoin for Security bug ?Is it just me, or are security consultants swarming web sites, looking for bugs unasked, and emailing you demanding thousands of dollars in bounties for security flaws? If you search the web for the exact email above, you will get hundreds of hits. Whether the cost is to an unsolicited consultant, or due to a data breach, flaws in your product can be pricey. In this page, I'm going to write down some basic things to check in your website to make attacks harder, so at least you're not being shaken down for stupid mistakes.
I have ceased any bounty payments, because the things they generally find are not very likely to happen. I have to make a business decision: Do I want a perfect web application, or can I live with a few possible attacks? I am not Apple. I am not a bank. This is going to sound foolish, but at the end of the day I simply cannot afford to pay out half of my revenue each and every month for these things, because I still have to provide for my family.
Still, here is a list of the things I have learned. I am sure there is a larger list somewhere, but I have not found it.
Don't put sensitive information in URLs
When a user is logged in, what is in the URL at the top of the screen? Is there an identifier in there that should not be shared?- If the user pasted any URL on your site, while logged in, to Twitter, could anybody get access to something they should not? Could other users edit this user's files?
- If a script on your page that you have no control over reads window.location and sends it back to its creator, is this a problem?
Verify any information you include in generated emails
One consultant found a way to send password reset emails from me to any user, and replace the URL in the email with his own. How did he do this? Because I was lazy.In my code, I had abstracted the password reset emails into a reusable library. The code needed to know which web site it was resetting the password for when it created the email. So I just included it in the POST request. And this resulted in a costly bounty I had to pay.
Rate limit generated emails
On that note, can anyone make you send an unlimited number of emails? Any code that automatically sends an email needs rate limiting.
Prevent password guessing
It's a fact that most people's passwords can be guessed in less than 100 tries. That's why they should use a password manager and create longer and more random passwords.So one of the first things a consultant will do is figure out your API call to login and run it through their script file of passwords. If they don't get stopped right away, then this will result in a significant bounty.
You need to rate login attempts, in at least two ways. You should of course limit the attempts for a particular login name. But then the consultant will just cycle through different login names. You will need to also limit it based on IP address or other information as well.
Put limits on file uploads
Can you accept an image on your website? Do you resize it on the server? Great, let me dig out my 18 megapixel .png file for you. It's only 1KB so your code will accept it. Without proper checks, it will crash your server.Protect "secret" web urls
Do you have any secret web urls in your app for checking its status, or performing administration? Maybe you use go, and left in the code for /debug/pprof? All secret urls can be easily guessed using automated tools that just try every word or combination of characters and see if they get a 404 error.Assuming the consultant can list all the secret urls on your web site, can they do anything bad?
UI Redressing
If you allow your web site to be placed into an IFRAME it opens up a lot of attacks. If the attacker can trick a user into clicking on their url, then they will open up your web site inside their own page, and super-impose their login button over yours, and steal ther user's passwords.Of course, anyone can do this without the iframe permissions by creating an exact copy of your site. But the point is to make it a little harder for them. Here is some information on IFRAME breaking.
Steve Hanov makes a living working on
Rhymebrain.com,
rapt.ink,
www.websequencediagrams.com,
and Zwibbler.com. He lives in
Waterloo, Canada.
Post comment
edit
,#2]mATAn`Df0H$+@g-hAKY,oFWa\'+s:??+Auo`CEPoaFDPN6+>"^0H#dV/Er
four months ago
=(Nb"AKYl/+EMXF@;]^hEcW@FD]ik7G%D"`Dfm1<DJs_AFD,5.Ecl20F!+n/A0>r3+CoC58K]ElD]hV#$:,eHF_kk:@rH4$Bln3'DKI7I+EqL-F<F.&D'3q6Bl7^#DJ()1AdV[ZFWbmHF_kT+-ZgJDATT&:BPDN1Ao_g,+CT/5+E)@8ATAo+Fa4<c+DQ%?F<Gd9DJil*FCf9)+F.mJ+D>;+A!qt+D,1rCh[d"$:f#VFC?;/@;BEsH#IgJF`(`$EcZ>2DIa)LAThX*+D5V1DIFZ#Bm+&1H#IgJF`7[_AThX*+D5V1DIFZ(ATT&?Dfm15Dg-(+:1T[EZf"5DJil*Ecl7B@<-:/DIakuDIal#ATMF'F<GjIFUClTG%G:B5_[*@3BDqCLnW6Dfm14Ed8!eAThX*+D5V1DIFZ/@<iu.Df9/qH"@=XAThX*+D5V1DIFZ0ASc0*@3BB#AKYE!A0>Q.Ec`FLDflCgALDY4+DYk5GAO7@:NsnDffZ(EZet4EZfFA+Dbt6B*qd[F`JU<ARTV$-Z^D>AS#a%@:NtbDJ(LC@Wcc8H#IgQEb-A8Df6b>BR(_BD]j+0Gp$gC+=M;>Gp$gC.1/XaF(o/r/0K.J+C]82BHV).Dg*=JBOQ!1F!+q'ASrW'DeX*%+E)-?-tdI4DJ()1DCGooAKYc+Dg*=GBOr<!@;TQu@;]TuG@`.BAKYW(DJil*E,8s.+DGp)6#L3UBkAK5Dfm12F))n8AKYZ)G9BI)D'3G%ASc'uB*q%FDC9NKFCf9)+Dk[4H#IgQEb-A8Df6b-Ch[ct+EVNEF(Jni:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4-r4bp/0JS>G%DeADfm1FE%),B:N'nt+D5D3AKZ8:FWbgG.1.J!DeLRB:1T[EZf"5DJil*B5)O#/0JhAG%G:B5_[*@3B2sG%DdEB5)O#+F.mJ+E_WP$7JgBIP'!AThX*+D5V1DIFZ#Bm+&=+Dtb6ATAo+Df0H$+D5D3AKWC6Bm+&1H#IgJF`8c:=(Nb&AKYc+Dg-(AART(^+E)@8ATAo*DfQtAD]ik7DJ';ZDfp(CBOtUmF=2,P@V'+g+CSbnBl7Q7+C]J8+F.mJ-ZWc@FDl(?F(fhAFDi:C@<iu0F<DuRD]j+0Gp$gC.1/XaF(o/r/0K.J+C]82BHV).Dg*=JBOQ!1F!+q'ASrW'DeX*%+E)-?-tdI4DJ()1DCGooAKYc+Dg*=GBOr<!@;TQu@;]TuG@`.BAKYW(DJil*E,8s.+DGp)8K_bjF*&OK@;]sk+EV12C`n"AFWb@9G9BI)D'3G%ASc'uB*q.IFECq6D..3k+F.mJ+E_R4ATDj6@;]T_:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig
edit
SCAM
one year ago
Got scammed and lost all of your money? Well now you can lose MORE for just $199, BUY NOW at SCAM@SCAMMITY.SCAM!
edit
Peeter
one year ago
Hacking|Spamming|Carding|Spying|Cloning Tools & Tutorials
SSN|DOB|DL fullz in Bulk quantity
High Credit Scores Pros 700+
CCNumber|CVV|MM|YYYY|NAME|ADDRESS|SSN|DOB Fullz in bulk
---------------------------------------
ICQTG @killhacks
WA +92 317 272 1122
exploit.tools4u at gmail dot com
@peeterhacks SKYPE/WICKR
---------------------------------------
Fresh, Genuine & Legit Stuff
Freshly spammed from Credit bureau of USA
Stuff will be deliver in mins
Many legit tools are available
Cheap prices from another vendors
Just try our services once
Thanks
edit
Peeter
one year ago
Hacking|Spamming|Carding|Spying|Cloning Tools & Tutorials
SSN|DOB|DL fullz in Bulk quantity
High Credit Scores Pros 700+
CCNumber|CVV|MM|YYYY|NAME|ADDRESS|SSN|DOB Fullz in bulk
---------------------------------------
ICQTG @killhacks
WA +92 317 272 1122
exploit.tools4u at gmail dot com
@peeterhacks SKYPE/WICKR
---------------------------------------
Fresh, Genuine & Legit Stuff
Freshly spammed from Credit bureau of USA
Stuff will be deliver in mins
Many legit tools are available
Cheap prices from another vendors
Just try our services once
Thanks
Experiment: Deleting a post from the Internet
Once you post something on the Internet, it is hard to get rid of it. As an experiment, I deleted one of my past posts, and I tried to remove all traces of it.
Email Etiquette
If you begin your emails with "Hi, <name>!" then they will seem less rude.Is 2009 the year of Linux malware?
Is 2009 the year of the linux desktop malware? How long until we see headlines like, "Researchers find massive botnet based on linux 2.30"?
Game Theory, Salary Negotiation, and Programmers
When you get a new job, you can breathe a sigh of relief, but not for long. You have an offer letter in your hand, and it is easy to miss one of the most important opportunities of your life: the starting salary. Here's what to do to increase your chances.cairo blur image surface
This really should have been included in cairo. Instead, everyone that wants to have shadows has to roll their own blur function. Here's my take on it. I'll even release this into the public domain.
A Quick Measure of Sortedness
How do you measure the "sortedness" of a list? There are several ways. In the literature this measure is called the "distance to monotonicity" or the "measure of disorder" depending on who you read. Here, I propose another measure for sortedness.