Using $_SESSIONS/COOKIES? Maybe you should read this first.

Alright. Intro: CSRF means Cross Site Request Forgery. In simple terms, sending forged BUT VALID requests to browsers. CSRF is hard to protect against because it exploits the trust a server has for a user. Unlike other hacks, the victim actually initiates the attack sequence. For instance, if a user is logged in, an attacker could send a valid request to the server through you.

#2
The targeted audience are usually users with privileges, like admins. A well constructed CSRF attack could be catastrophic. Enough talk. I was at min0taur's w3sx.com; I logged in, went to settings, edited my avatar to "http://ws3x.mobi/index.mat?do=logout" and now people that visit my profile are logged out. I visited retrivewap.co.za and put in my phone number
Code:
<img src="ownerproc.php?action=delu&who=1" alt=""/>
and any owner who might have visited me would have deleted uid 1. (Don't worry rider, I've taken it off.) I or any other hacker could easily make that attack more fatal, as I can make a wen.ru site and make you visit it. Or a topsite with a button that's SUPPOSED to enter but in reality has "hidden inputs", aka you make nice POST requests for me. HOW DOES CSRF WORK ANYWAY, AND WHAT'S THE PROTECTION? To be continued.


#3
Use phpThumb
or
host your members' images; do not let your links be images...

I keep saying this **** over and over, noobs never learn at all!!
Visit: Chat4u.mobi - The New Way Of being a site of your dreams!
Visit: WapMasterz Coming Back Soon!
_______
SCRIPTS FOR SALE BY SUBZERO
Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ -> Best Script for your site, no other can be hacked by SQL or uploaders.
FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying; yeah, it might be old now but it still seems to own others...
_______
Info & Tips
php.net
w3schools.com


#4
How it works. Like I said, you send requests for the hacker. When you visit a page that contains an image, the browser sends a GET request for that image to the server along with the requested page. When a request is sent it contains the SESSION/COOKIE id. Since you visited the page, YOU MADE THE REQUEST from YOUR BROWSER, so the request will contain YOUR valid session/cookie, yes, your very own. Now take a look at the retrivewap attack: the owner sees the page, the browser sends a separate request for the "image" and it sends his sid; the server usually treats requests the same way, so the page requested is processed with the necessary permissions. But since it's an img request, the page will return a broken image (with more imagination I could even make you see a real image). The attack could be pretty straightforward and tricky, like using the bbcode for url like [ url= ownerproc.php?action=delfrm&fid=1 ]SPAM ALERT[/ url]


#5
Originally posted by subzero:
    Use phpThumb
    or
    host your members' images; do not let your links be images...

    I keep saying this **** over and over, noobs never learn at all!!
Really doesn't matter, because I could create an external site with those image links and when you visit, it'll still work the same way. Also, if you have an XSS hole like the two sites above, phpThumb won't help you either.


#6
People sometimes run after hiding the session id, and for that they lean much upon cookies to save the session id. They think that cookies are the best way to protect the session, but in reality that's not the case. Keep using the visible carry-forward session ids, or use two session ids, one in a cookie and the other the usual GET-via-URL stuff, at a time. The attack cannot be replicated if external hotlinking of images is blocked and there is a redirector for outgoing URLs.
tinyurl.com/earnbymobile
Easy earning for Indians
---------------------
Alternative mobile advertising network .. Minimum 100 USD pay / NET15 pay cycle, Good Brand, Best targeting for Android
goo.gl/6vub3


#7
Sample of request sent to web server
Code:
...127.0.0.1 - - [06/Oct/2009:04:50:33 +01:00] "GET /ownerproc.php?action=delu&who=1 HTTP/1.1" ...
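Added example, not part of the thread: a PHP check over access-log lines for the request shape shown in post #7, a GET to a command endpoint. The thread's sample line is in common log format, which has no Referer field, so the lines below are constructed in Apache combined format to make the referring page visible. The path ownerproc.php and the hosts retrivewap.co.za and wen.ru come from the thread; the function names parse_combined, classify and scan are this example's own.

```php
<?php
// Added example (not from the thread): flag access-log lines whose shape
// matches the thread's attack, a GET to a state-changing endpoint, and say
// where the browser was referred from. Sample lines are constructed.

// Paths that change state. On a hardened site these accept POST only,
// so every GET hit is worth a look.
const COMMAND_PATHS = ['/ownerproc.php'];
// Hosts that legitimately link to those paths (the site itself).
const OWN_HOSTS = ['retrivewap.co.za', 'www.retrivewap.co.za'];

// Parse one Apache "combined" log line; null if the line does not match.
function parse_combined(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// Describe why a line is suspicious, or return null when it is not.
function classify(string $line): ?string {
    $r = parse_combined($line);
    if ($r === null) {
        return null;
    }
    $path = parse_url($r['target'], PHP_URL_PATH);
    if (!in_array($path, COMMAND_PATHS, true) || $r['method'] !== 'GET') {
        return null;   // POSTs are covered by the token check in the application
    }
    $refHost = $r['referer'] === '-' ? null : parse_url($r['referer'], PHP_URL_HOST);
    if ($refHost === null) {
        return "GET command without usable Referer from {$r['ip']}: {$r['target']}";
    }
    $refHost = strtolower($refHost);
    if (!in_array($refHost, OWN_HOSTS, true)) {
        // The thread's wen.ru scenario: a page elsewhere carried the <img>.
        return "GET command referred from off-site $refHost ({$r['ip']}): {$r['target']}";
    }
    // The thread's profile-avatar scenario: the <img> sat on the site itself,
    // so a same-site Referer clears nothing; the GET command is the signal.
    return "GET command referred from own page {$r['referer']} ({$r['ip']}): {$r['target']}";
}

// Run classify() over many lines and collect the findings.
function scan(array $lines): array {
    $findings = [];
    foreach ($lines as $line) {
        $f = classify($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample, Apache combined format (the thread's own sample line
// is in common format, which lacks the Referer field).
$sample = [
    '203.0.113.7 - - [06/Oct/2009:04:50:33 +0100] "GET /ownerproc.php?action=delu&who=1 HTTP/1.1" 200 0 "http://wen.ru/somepage" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Oct/2009:04:51:02 +0100] "GET /ownerproc.php?action=delu&who=1 HTTP/1.1" 200 0 "http://retrivewap.co.za/profile.php?id=42" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Oct/2009:04:52:10 +0100] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Oct/2009:04:53:40 +0100] "POST /ownerproc.php HTTP/1.1" 200 120 "http://retrivewap.co.za/admin.php" "Mozilla/5.0"',
];

foreach (scan($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php scan.php`: the first two constructed lines are reported (off-site Referer, then own-site Referer), the plain page load and the POST are not. The same-site case is deliberately still a finding, because in the thread the forged img was hosted on the victim site's own profile page, so a Referer check alone would have passed it.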


#8
If the image content is changed to an image, then even when trying to run a query string through images it won't process, so using something like phpThumb or another image processor will stop those kinds of attacks.


#9
I will test it on my site, as I use cookies, but I'm sure it's safe.


#10
That's why I'm making my site more secure. Minotaur and I have different uses of cookies. Like what you have said, when you put the logout URL as your avatar, every user would be logged out. He has poor code in logout, right? And regarding deletion of anything in a site: in my site, I'm working on code so that when someone will delete something, he/she must confirm first if he/she really wants to delete it. That's simply like that. You will just think of all you can to make your site more secure.
Last edited by kiLLeR-eyEd_14; 07.10.09, 10:24.
My Blog: http://jhommark.blogspot.com
My Facebook: http://www.facebook.com/jhommark
My Official Site: http://www.undergroundweb.tk
My Community Site: http://undergroundwap.xtreemhost.com


#11
phpThumb, phpThumb, blah blah blah, didn't you all just hear what I said? I can make a wen.ru site with the img tags and it will work. There are usually only THREE ways to stay safe: 1. Try to block XSS holes. 2. Use a CSRF helper class; I'll paste mine when I'm done with the GNU licence. 3. Avoid as much as you can using the GET method for commands.

@killereyed, maybe I should show you a simple attack on your site with it? You seem pretty confident of "PHPSESSID". You all are missing the main point: if the attacker creates the attack and views it, it may not have much effect; he just needs you to view it. Last I checked there are such holes in Friendster that allow you to view private photos, add yourself to a person's list, etc. Be wise, do research on what I just said, never be over-confident; you can never be 100% secure, but at least be 80%.
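A minimal version of points 2 and 3 above, written for this thread as an added example (it is not mobileGIGS's helper class, which was never posted here, and not code from any of the sites named): the thread's ownerproc.php?action=delu&who=1 handler in its vulnerable GET form beside a hardened form that accepts only POST carrying a per-session token, which also covers post #12's idea of a secret value tied to the session. The function names csrf_token, csrf_check, csrf_field, ownerproc_vulnerable and ownerproc_handle and the string return values are this example's own.

```php
<?php
// Added example (not from the thread): a minimal CSRF helper of the kind
// recommended in point 2, plus the thread's ownerproc.php delete command
// in vulnerable and hardened form. All function and field names here are
// this example's own assumptions.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Return the per-session CSRF token, creating it on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare a submitted token to the session's token in constant time.
function csrf_check(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hidden input for forms, so every state-changing request carries the token
// (escaped, so point 1, blocking XSS holes, is not undone by the helper itself).
function csrf_field(): string {
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// VULNERABLE pattern from the thread: any GET arriving with a valid session
// cookie deletes the user, so <img src="ownerproc.php?action=delu&who=1">
// on a profile page does the deed on behalf of whichever owner views it.
function ownerproc_vulnerable(array $get): string {
    if (($get['action'] ?? '') === 'delu') {
        return 'deleted user ' . (int) ($get['who'] ?? 0);   // stand-in for the DB call
    }
    return 'no-op';
}

// HARDENED: commands only via POST (point 3) and only with a valid token
// (point 2). An <img> can only produce a GET, and a form on another site
// cannot know the token, so the forged request is refused either way.
function ownerproc_handle(string $method, array $post, bool $is_owner): string {
    if ($method !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (!$is_owner) {
        http_response_code(403);
        return 'forbidden';
    }
    if (!csrf_check($post['csrf'] ?? null)) {
        http_response_code(403);
        return 'bad csrf token';
    }
    if (($post['action'] ?? '') === 'delu') {
        return 'deleted user ' . (int) ($post['who'] ?? 0);  // stand-in for the DB call
    }
    return 'no-op';
}

// The owner's control panel would render the form like this:
// echo '<form method="post" action="ownerproc.php">' . csrf_field()
//    . '<input type="hidden" name="action" value="delu">'
//    . '<input type="number" name="who"><button>Delete</button></form>';

// Walk-through of the three cases.
echo ownerproc_vulnerable(['action' => 'delu', 'who' => '1']), PHP_EOL;
echo ownerproc_handle('GET', [], true), PHP_EOL;
echo ownerproc_handle('POST', ['action' => 'delu', 'who' => '1'], true), PHP_EOL;
echo ownerproc_handle('POST', ['action' => 'delu', 'who' => '1', 'csrf' => csrf_token()], true), PHP_EOL;
```

The walk-through shows the forged image request (a GET) and a cross-site form post without the token both being refused, while the owner's own form, which carries the token, goes through. The token must be unguessable and compared with hash_equals rather than ==, and it has to be checked on every command handler, not just this one; a cookie attribute such as SameSite on the session cookie is a useful extra layer in current browsers, but the token check is what actually closes the hole.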


#12
Another way is to make, say, your logout have a unique value added in a cookie, say dologout=1, and add that as a $_SESSION variable; then only if the cookie has that data will it log out. It's quite simple.


#13
Originally posted by mobileGIGS:
    phpThumb, phpThumb, blah blah blah, didn't you all just hear what I said? I can make a wen.ru site with the img tags and it will work. There are usually only THREE ways to stay safe: 1. Try to block XSS holes. 2. Use a CSRF helper class; I'll paste mine when I'm done with the GNU licence. 3. Avoid as much as you can using the GET method for commands.

    @killereyed, maybe I should show you a simple attack on your site with it? You seem pretty confident of "PHPSESSID". You all are missing the main point: if the attacker creates the attack and views it, it may not have much effect; he just needs you to view it. Last I checked there are such holes in Friendster that allow you to view private photos, add yourself to a person's list, etc. Be wise, do research on what I just said, never be over-confident; you can never be 100% secure, but at least be 80%.
Well yeah, Friendster has a lot of it. Auto comments, auto add friend, auto join group, auto grant private album access, etc. But then, all those commands are not so fatal; those commands are visible client side, so we are able to formulate a hole out of them. But we can't formulate attacks with admin privileges like that of the delete uid 1 in the sample, since we do not know those commands. What I'm trying to say is, if you use publicly released scripts like lavalair, then the only way to protect from attacks like this is to change the db table prefix name and the commands on the owner/admin cpanel; it's also recommended to change the filenames of those important files like config, core, admin tools, etc. Now the attacker would be blind guessing.


#14
Originally posted by koizumi:
    Well yeah, Friendster has a lot of it. Auto comments, auto add friend, auto join group, auto grant private album access, etc. But then, all those commands are not so fatal; those commands are visible client side, so we are able to formulate a hole out of them. But we can't formulate attacks with admin privileges like that of the delete uid 1 in the sample, since we do not know those commands. What I'm trying to say is, if you use publicly released scripts like lavalair, then the only way to protect from attacks like this is to change the db table prefix name and the commands on the owner/admin cpanel; it's also recommended to change the filenames of those important files like config, core, admin tools, etc. Now the attacker would be blind guessing.
Yeah, I agree with you mate. And there's a lot of things I'm doing to make them fools at guessing the exact URL; I do mod_rewriting for pretty URLs, etc.
My Blog: http://jhommark.blogspot.com
My Facebook: http://www.facebook.com/jhommark
My Official Site: http://www.undergroundweb.tk
My Community Site: http://undergroundwap.xtreemhost.com


#15
It's really not hard to get URLs, thanks to Google. Google dorks.