Website Security

rive0108 (Born, Posts: 4)

Post 3+ Months Ago

I am new here and I am the owner/admin/webmaster of Havoc Arcade (you can Google/Yahoo/Bing it to see the URL). Evidently I cannot post a URL.

There are three parts to my site: Gaming/Videos/Movies (main site), a Forums/downloads section, and a (/xfs) File Hosting/Sharing section (which is currently restricted to authorized users).


Attachments: havoc.jpg

I painstakingly hardened my site against unauthorized access using .htaccess Options all Indexes directives, Options -ExecCGI, etc.

I also use password hashes that are double salted (salt and pepper) SHA1.
Salts are alphanumeric, symbols, spacing, upper/lower case and completely random, in excess of 20 characters.

All the scripting has been hardened, and input data fields have been sanitized before the data hits the database. Even though I know it can never be 100%, I feel pretty confident that I am not vulnerable to SQLi, XSS, RFI, other injections, or unauthorized file/directory access.
Even if the admin account could be "brute forced" and/or otherwise compromised, they can't gain admin or file manager access (they have the same privileges as any other user) without going through a second authorization that is even longer and more random...

Can I get some feedback on my site's security?

Thanks!
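The post above describes three controls (hashed passwords with salt and pepper, sanitized input before it reaches the database, and no XSS). As an added example, not code from the thread or from Havoc Arcade, the block below shows how a PHP site would implement those three controls with the standard library: `password_hash()` (bcrypt, which generates its own random salt and is deliberately slow, unlike salted SHA1) combined with a server-side pepper, a PDO prepared statement for the login lookup, and HTML encoding at output time. The `users` table, the `APP_PEPPER` environment variable and the in-memory SQLite database are assumptions constructed for the demo.

```php
<?php
// Added example (not from the thread). Demonstrates password storage,
// parameterised SQL and output encoding for a PHP/MySQL-style site.
// Assumes a hypothetical "users" table (id, username, pw_hash) and a
// hypothetical APP_PEPPER environment variable; uses in-memory SQLite
// so the script runs stand-alone.

declare(strict_types=1);

// Pre-hash with an HMAC keyed by the pepper (kept outside the database,
// e.g. in the environment), then bcrypt via password_hash(), which adds
// its own random per-user salt. The 64-char hex HMAC stays under bcrypt's
// 72-byte input limit. A database dump alone is then not enough to start
// offline guessing, and bcrypt's cost slows each guess.
function pepperedHash(string $password, string $pepper): string
{
    $pre = hash_hmac('sha256', $password, $pepper);
    return password_hash($pre, PASSWORD_DEFAULT);
}

function pepperedVerify(string $password, string $pepper, string $stored): bool
{
    $pre = hash_hmac('sha256', $password, $pepper);
    return password_verify($pre, $stored);
}

// Login lookup with a prepared statement: the username is bound as data,
// never concatenated into the SQL text, so quotes in the input cannot
// change the query structure. This is the control that actually stops
// SQL injection; "sanitizing" before insert does not protect reads.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding for an HTML body/attribute context. Stored values may be
// rendered in several contexts (HTML, JavaScript, URL), so encode at the
// point of output for the context in use rather than once on the way in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');

// Hypothetical env var; the fallback is only for running the demo.
$pepper = getenv('APP_PEPPER') ?: 'demo-pepper-replace-me';

$ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => pepperedHash('correct horse battery staple', $pepper)]);

// A username containing a quote is handled as plain data: no error, no match.
var_dump(findUser($db, "o'brien") === null);

$user = findUser($db, 'alice');
var_dump($user !== null && pepperedVerify('correct horse battery staple', $pepper, $user['pw_hash']));
var_dump(pepperedVerify('wrong password', $pepper, $user['pw_hash']));

// Rendering a stored value into HTML: encode here, not at insert time.
echo '<p>Welcome, ' . h($user['username']) . '</p>', PHP_EOL;
```

For the directory and CGI hardening mentioned in the same post, the Apache directive form is `Options -Indexes -ExecCGI` in .htaccess (or the vhost): `-Indexes` disables automatic directory listings and `-ExecCGI` disables CGI execution in that directory tree.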

Bigwebmaster (Site Admin, Posts: 9090, Loc: Seattle, WA & Phoenix, AZ)

Post 3+ Months Ago

Sounds like you have done many of the right things. Can I ask you a few basic things? It sounds like you may be using some sort of server-based scripting language such as PHP, and since you mentioned SQL, maybe something like MySQL. So if that is the case, your site has dynamically generated content, and possibly logins for your users, since you mentioned password hashes.

If I am right on all of the above, did you custom write everything, or are you using any particular backend software to help run your website?

When I visited your website I noticed everything is ending in .html, which could mean they are static pages, but more likely you are just using Apache mod_rewrite and everything is dynamically generated using PHP and MySQL? Am I correct here?

Also I visited your forum, and due to the way the URLs are there I am guessing you are using phpBB. Correct?
rive0108 (Born, Posts: 4)

Post 3+ Months Ago

Bigwebmaster wrote:
Sounds like you have done many of the right things. Can I ask you a few basic things? It sounds like you may be using some sort of server-based scripting language such as PHP, and since you mentioned SQL, maybe something like MySQL. So if that is the case, your site has dynamically generated content, and possibly logins for your users, since you mentioned password hashes.

If I am right on all of the above, did you custom write everything, or are you using any particular backend software to help run your website?

When I visited your website I noticed everything is ending in .html, which could mean they are static pages, but more likely you are just using Apache mod_rewrite and everything is dynamically generated using PHP and MySQL? Am I correct here?

Also I visited your forum, and due to the way the URLs are there I am guessing you are using phpBB. Correct?


My forum is a modified phpBB; my main site is PHP with mod_rewrite that I rewrote myself, with the assistance of others. /xfs is pretty much an unmodified file sharing script that I use for uploads/downloads in my forum, but that also doubles as a means to import large files to the server itself (I never use FTP).

I could be wrong, but I doubt that anyone can break my site, but it can never hurt to get a second opinion. ;)
VPSWebServer (Newbie, Posts: 5)

Post 3+ Months Ago

Looks like a nice site. By far, I know phpBB is vulnerable compared to other board systems; being error-free and already having a contiguous URL fixed to access admin cPanel and other areas really makes me feel that the site could be hacked.
rive0108 (Born, Posts: 4)

Post 3+ Months Ago

VPSWebServer wrote:
Looks like a nice site. By far, I know phpBB is vulnerable compared to other board systems; being error-free and already having a contiguous URL fixed to access admin cPanel and other areas really makes me feel that the site could be hacked.

Yes, well, there are many phpBB "known" vulnerabilities; feel free to test them. Most if not all "exploits" will fail, as the primary CMS isn't phpBB, and I do not run an integration bridge between the two. The phpBB runs as an independent subdirectory only, with no tie-in to the main CMS. I can guarantee you that my passwords for admin management cannot be "brute forced".

To break the site you will need to break the main content management system; this is fully hardened, and exploiting it cannot be done by the average skid. Also, admin access requires two levels of authentication, both not vulnerable to brute forcing, and both very different and random, exceeding 20 characters.

If you think the site can be hacked, then show me.

PS: the main CMS is not WP (I can see by the logs that many assume it is, but it isn't. All WP-based exploits will be ineffective.)
Bigwebmaster (Site Admin, Posts: 9090, Loc: Seattle, WA & Phoenix, AZ)

Post 3+ Months Ago

You are most likely in good shape then; sounds like you have done many things to harden your website. Good job :)
Fosco999 (Newbie, Posts: 14)

Post 3+ Months Ago

Please let me know if you are still interested in analyzing your site for vulnerabilities.

Kindest Regards,
Daemonguy (Moderator, Web Master, Posts: 2700, Loc: Somewhere outside the box in Sarasota, FL.)

Post 3+ Months Ago

Download Nessus, pick the appropriate modules and/or write some of your own plugins. Run it against your site.

That should give you a good idea if you are vulnerable to the low hanging fruit out there. Good place to start.
Fosco999 (Newbie, Posts: 14)

Post 3+ Months Ago

Nessus only checks for server vulnerabilities, and I'm pretty sure it doesn't test web applications, and that is what riv needs.
Daemonguy (Moderator, Web Master, Posts: 2700, Loc: Somewhere outside the box in Sarasota, FL.)

Post 3+ Months Ago

Fosco999 wrote:
Nessus only checks for server vulnerabilities, and I'm pretty sure it doesn't test web applications, and that is what riv needs.

You would be incorrect in that assumption. It checks all well-known application environments (WebSphere, Tomcat, Oracle Fusion Middleware, JBoss, Java runtimes, IIS Logic, MDAC, NetBeans, etc.). The list goes on, and that is just the available plugins, of which there are 55,000 and growing. Where a deficiency exists, it is trivial to compose one's own NASL plugin to cover that user experience.

An additional benefit is the active reporting modules and timed delivery capabilities, not to mention the other server functions such as email functions (Sendmail, Postgres, Exchange, etc.), database integration, and a host of other externalized services often relied upon for modern dynamically created content.

It is one of the staples of scan tools used where I work to ensure secure web environments.
Fosco999 (Newbie, Posts: 14)

Post 3+ Months Ago

What you listed aren't web applications. I am talking about web applications that run within the "web application environments" that you listed.
Daemonguy (Moderator, Web Master, Posts: 2700, Loc: Somewhere outside the box in Sarasota, FL.)

Post 3+ Months Ago

Applications are as diverse as the developers who create them; however, they are in the best position to understand the points of ingress and egress, demarcation, and communication paths employed by any application within an environment. Therefore they would be best suited to enhance the tool, using NASL to specify a plugin suited for a particular application. However, that is irrelevant. An application written for an existing environment (such as a JVM) can only serve to offer access to a known exploit.

For example, an application is loosely written to permit unfettered select-all access to a database, thereby causing a potential denial of service on the database via high-consumption queries. The application is at fault for allowing the access, but the database is equally to blame for permitting any non-root user access to non-specific queries.

A plugin meant to capture access authority for DB nodes would have discerned that, and rendered the application's flaw irrelevant. Another example could potentially be that of garbage collection, common to any application run inside a Java virtual environment. In this case, the application does not talk to an exploitable sub-component, but it does rely upon the runtime environment. This is something that can be caught during load testing, which I certainly hope everyone does prior to deployment. Instance number three: session variables. Imagine that you have an application that makes use of session information within a cluster. To prevent session poisoning, first one must make sure the custom app does not permit extraneous access; however, those are maintained by the runtime environment, not the app itself. Will any one tool capture every possibility? No, but I would argue that neither would every so-called security service provider, given a lack of access to the app's source prior to compilation into an EAR or WAR file; I guarantee most businesses will not give that up, and even if they did, most enterprise-class applications are hundreds of thousands of lines of code, branching off into multiple JARs or APIs.

It's called risk mitigation: the expense of what the information or the level of protection is worth. Even in my company, where we spend a million dollars like it's pocket change, every expense is processed through a matrix to determine the mitigating response. Is the derived value worth the expense? In most cases, the guy who posed the question here will be able to determine with a high level of accuracy, in the 90th percentile, that his environment is just fine using a free tool and a little bit of time. The low hanging fruit will be handled.

The higher-level guys, if they don't want to be stopped, won't be, regardless of anyone's actions.
fullscan63 (Born, Posts: 1)

Post 3+ Months Ago

Hi,
how do I increase OpenCart security?
I protected my admin folder with a password.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.