Blame the extensions (comic)
I found Security Vulnerability in your web application
Posted three years ago
I found Security Vulnerability in your web application. For security purpose can we report vulnerability here,then will i get bounty reward in PayPal or Bitcoin for Security bug ?Is it just me, or are security consultants swarming web sites, looking for bugs unasked, and emailing you demanding thousands of dollars in bounties for security flaws? If you search the web for the exact email above, you will get hundreds of hits. Whether the cost is to an unsolicited consultant, or due to a data breach, flaws in your product can be pricey. In this page, I'm going to write down some basic things to check in your website to make attacks harder, so at least you're not being shaken down for stupid mistakes.
I have ceased any bounty payments, because the things they generally find are not very likely to happen. I have to make a business decision: Do I want a perfect web application, or can I live with a few possible attacks? I am not Apple. I am not a bank. This is going to sound foolish, but at the end of the day I simply cannot afford to pay out half of my revenue each and every month for these things, because I still have to provide for my family.
Still, here is a list of the things I have learned. I am sure there is a larger list somewhere, but I have not found it.
Don't put sensitive information in URLs
When a user is logged in, what is in the URL at the top of the screen? Is there an identifier in there that should not be shared?- If the user pasted any URL on your site, while logged in, to Twitter, could anybody get access to something they should not? Could other users edit this user's files?
- If a script on your page that you have no control over reads window.location and sends it back to its creator, is this a problem?
Verify any information you include in generated emails
One consultant found a way to send password reset emails from me to any user, and replace the URL in the email with his own. How did he do this? Because I was lazy.In my code, I had abstracted the password reset emails into a reusable library. The code needed to know which web site it was resetting the password for when it created the email. So I just included it in the POST request. And this resulted in a costly bounty I had to pay.
Rate limit generated emails
On that note, can anyone make you send an unlimited number of emails? Any code that automatically sends an email needs rate limiting.
Prevent password guessing
It's a fact that most people's passwords can be guessed in less than 100 tries. That's why they should use a password manager and create longer and more random passwords.So one of the first things a consultant will do is figure out your API call to login and run it through their script file of passwords. If they don't get stopped right away, then this will result in a significant bounty.
You need to rate login attempts, in at least two ways. You should of course limit the attempts for a particular login name. But then the consultant will just cycle through different login names. You will need to also limit it based on IP address or other information as well.
Put limits on file uploads
Can you accept an image on your website? Do you resize it on the server? Great, let me dig out my 18 megapixel .png file for you. It's only 1KB so your code will accept it. Without proper checks, it will crash your server.Protect "secret" web urls
Do you have any secret web urls in your app for checking its status, or performing administration? Maybe you use go, and left in the code for /debug/pprof? All secret urls can be easily guessed using automated tools that just try every word or combination of characters and see if they get a 404 error.Assuming the consultant can list all the secret urls on your web site, can they do anything bad?
UI Redressing
If you allow your web site to be placed into an IFRAME it opens up a lot of attacks. If the attacker can trick a user into clicking on their url, then they will open up your web site inside their own page, and super-impose their login button over yours, and steal ther user's passwords.Of course, anyone can do this without the iframe permissions by creating an exact copy of your site. But the point is to make it a little harder for them. Here is some information on IFRAME breaking.
Steve Hanov makes a living working on
Rhymebrain.com,
rapt.ink,
www.websequencediagrams.com,
and Zwibbler.com. He lives in
Waterloo, Canada.
Post comment
edit
,#2]mATAn`Df0H$+@g-hAKY,oFWa\'+s:??+Auo`CEPoaFDPN6+>"^0H#dV/Er
eight months ago
=(Nb"AKYl/+EMXF@;]^hEcW@FD]ik7G%D"`Dfm1<DJs_AFD,5.Ecl20F!+n/A0>r3+CoC58K]ElD]hV#$:,eHF_kk:@rH4$Bln3'DKI7I+EqL-F<F.&D'3q6Bl7^#DJ()1AdV[ZFWbmHF_kT+-ZgJDATT&:BPDN1Ao_g,+CT/5+E)@8ATAo+Fa4<c+DQ%?F<Gd9DJil*FCf9)+F.mJ+D>;+A!qt+D,1rCh[d"$:f#VFC?;/@;BEsH#IgJF`(`$EcZ>2DIa)LAThX*+D5V1DIFZ#Bm+&1H#IgJF`7[_AThX*+D5V1DIFZ(ATT&?Dfm15Dg-(+:1T[EZf"5DJil*Ecl7B@<-:/DIakuDIal#ATMF'F<GjIFUClTG%G:B5_[*@3BDqCLnW6Dfm14Ed8!eAThX*+D5V1DIFZ/@<iu.Df9/qH"@=XAThX*+D5V1DIFZ0ASc0*@3BB#AKYE!A0>Q.Ec`FLDflCgALDY4+DYk5GAO7@:NsnDffZ(EZet4EZfFA+Dbt6B*qd[F`JU<ARTV$-Z^D>AS#a%@:NtbDJ(LC@Wcc8H#IgQEb-A8Df6b>BR(_BD]j+0Gp$gC+=M;>Gp$gC.1/XaF(o/r/0K.J+C]82BHV).Dg*=JBOQ!1F!+q'ASrW'DeX*%+E)-?-tdI4DJ()1DCGooAKYc+Dg*=GBOr<!@;TQu@;]TuG@`.BAKYW(DJil*E,8s.+DGp)6#L3UBkAK5Dfm12F))n8AKYZ)G9BI)D'3G%ASc'uB*q%FDC9NKFCf9)+Dk[4H#IgQEb-A8Df6b-Ch[ct+EVNEF(Jni:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4-r4bp/0JS>G%DeADfm1FE%),B:N'nt+D5D3AKZ8:FWbgG.1.J!DeLRB:1T[EZf"5DJil*B5)O#/0JhAG%G:B5_[*@3B2sG%DdEB5)O#+F.mJ+E_WP$7JgBIP'!AThX*+D5V1DIFZ#Bm+&=+Dtb6ATAo+Df0H$+D5D3AKWC6Bm+&1H#IgJF`8c:=(Nb&AKYc+Dg-(AART(^+E)@8ATAo*DfQtAD]ik7DJ';ZDfp(CBOtUmF=2,P@V'+g+CSbnBl7Q7+C]J8+F.mJ-ZWc@FDl(?F(fhAFDi:C@<iu0F<DuRD]j+0Gp$gC.1/XaF(o/r/0K.J+C]82BHV).Dg*=JBOQ!1F!+q'ASrW'DeX*%+E)-?-tdI4DJ()1DCGooAKYc+Dg*=GBOr<!@;TQu@;]TuG@`.BAKYW(DJil*E,8s.+DGp)8K_bjF*&OK@;]sk+EV12C`n"AFWb@9G9BI)D'3G%ASc'uB*q.IFECq6D..3k+F.mJ+E_R4ATDj6@;]T_:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig4:1T[EZf"5DJil*B5)O#+F.mJ+E_W1:1T[EZf"5DJil*Ch7]2H#IgJA8c[0$;P/UATAo+Df0H$+EDUB+CT;/F`(_4@;]TuA7]gnEc`FLDflC^AThX*+D5V1DIFZ)@;BEsH#IgJ@rci%:1T[EZf"5DJil*F('>:B5_^!@X2Ml:1T[EZf"5DJil*FCf9)+CQC/Bk8DqDIal'F`MRHH#Ig
edit
SCAM
one year ago
Got scammed and lost all of your money? Well now you can lose MORE for just $199, BUY NOW at SCAM@SCAMMITY.SCAM!
edit
Peeter
two years ago
Hacking|Spamming|Carding|Spying|Cloning Tools & Tutorials
SSN|DOB|DL fullz in Bulk quantity
High Credit Scores Pros 700+
CCNumber|CVV|MM|YYYY|NAME|ADDRESS|SSN|DOB Fullz in bulk
---------------------------------------
ICQTG @killhacks
WA +92 317 272 1122
exploit.tools4u at gmail dot com
@peeterhacks SKYPE/WICKR
---------------------------------------
Fresh, Genuine & Legit Stuff
Freshly spammed from Credit bureau of USA
Stuff will be deliver in mins
Many legit tools are available
Cheap prices from another vendors
Just try our services once
Thanks
edit
Peeter
two years ago
Hacking|Spamming|Carding|Spying|Cloning Tools & Tutorials
SSN|DOB|DL fullz in Bulk quantity
High Credit Scores Pros 700+
CCNumber|CVV|MM|YYYY|NAME|ADDRESS|SSN|DOB Fullz in bulk
---------------------------------------
ICQTG @killhacks
WA +92 317 272 1122
exploit.tools4u at gmail dot com
@peeterhacks SKYPE/WICKR
---------------------------------------
Fresh, Genuine & Legit Stuff
Freshly spammed from Credit bureau of USA
Stuff will be deliver in mins
Many legit tools are available
Cheap prices from another vendors
Just try our services once
Thanks
Fun with Colour Difference
Are you looking for a nifty way to choose colours that stand out? Are you the type of person who is not satisfied until you have mathematically proven that your choice is optimal?Using the Acer Aspire One as a web server
A netbook can be ideal for a home web server. They are cheap, and use less power
than a CFL light bulb.
Give your Commodore 64 new life with an SD card reader
Dust off your old Commodore 64, and you could be the coolest kid on the block by plugging SD cards into it instead of floppies.
UMA Questions Answered
A bunch of questions answered about UMA wireless technology.20 lines of code that will beat A/B testing every time
A/B testing is used far too often, for something that performs so badly. It is defective by design: Segment users into two groups. Show the A group the old, tried and true stuff. Show the B group the new whiz-bang design with the bigger buttons and slightly different copy. After a while, take a look at the stats and figure out which group presses the button more often. Sounds good, right? The problem is staring you in the face. It is the same dilemma faced by researchers administering drug studies. During drug trials, you can only give half the patients the life saving treatment. The others get sugar water. If the treatment works, group B lost out. This sacrifice is made to get good data. But it doesn't have to be this way.
Throw away the keys: Easy, Minimal Perfect Hashing
Perfect hashing is a technique for building a hash table with no collisions in the minimum possible space. They are a easy to build with this simple python function.
Keeping Abreast of Pornographic Research in Computer Science
Burgeoning numbers of Ph.D's and grad students are choosing to study pornography. Techniques for the analysis of "objectionable images" are gaining increased attention (and grant money) from governments and research institutions around the world, as well as Google. But what, exactly, does computer science have to do with porn? In the name of academic persuit, let's roll up our sleeves and plunge deeply into this often hidden area that lies between the covers of top-shelf research journals.