Topic: a request (online security)
maestro (Newbie, Posts: 3)
a request (online security)
« on: Jun 12th, 2003, 1:37am »
So I had to code a website for this security class that I'm taking and I'm really interested in exactly how secure the page is. I'm not sure if this is a good idea, but I'd like to ask if any of you can crack into the page that I wanted to protect. As an introduction, I designed the site to protect a single webpage. Only authorized users that have registered with the site may access this page. Unauthenticated users who try to access the page by directly entering the page's url will find that they are denied access. Users must login at the main page to access the protected page.

The page that is being protected is: http://security03.servehttp.com/hw3/classified.php
The main login page can be found at: http://security03.servehttp.com/hw3/index.php

And btw, I have posted source code for all of the pages I created. You can find a link to that at the main login page. Any comments or suggestions would be much appreciated! Thanks!
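The design described in the post (login at index.php, classified.php refusing direct requests, a server-side session as the only gate), written out as an added example in PHP. This is not the hw3 source; the user name, password, page paths and the plain-array stand-in for the session are constructed for the demonstration. It uses password_hash()/password_verify() from current PHP rather than a crypt() call, so each stored hash carries its own random salt.

```php
<?php
// Added example: session-gated access to one protected page, in the shape of
// the index.php / classified.php design from the post. Not the hw3 code; the
// user store, credentials and paths are constructed for the demonstration.
declare(strict_types=1);

// Constructed user store: username => password hash. On the real site this
// would be read from a file or table outside the web root. password_hash()
// picks a random per-user salt and stores it inside the hash string.
function user_store(): array
{
    static $store = null;
    if ($store === null) {
        $store = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $store;
}

// Check a username/password pair. An unknown user is verified against a
// dummy hash so the response time does not reveal which usernames exist.
function check_credentials(string $user, string $pass): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $store = user_store();
    $known = isset($store[$user]);
    $ok    = password_verify($pass, $known ? $store[$user] : $dummy);
    return $known && $ok;
}

// On success the session id is replaced (session fixation defence) and the
// identity is recorded server-side, where the client cannot edit it.
function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Gate for the protected page. The decision rests on server-side session
// state, so typing the URL of classified.php directly gets the same redirect
// as any other request without a logged-in session.
function require_login(string $login_url = '/hw3/index.php'): bool
{
    if (empty($_SESSION['user'])) {
        if (!headers_sent()) {
            header('Location: ' . $login_url, true, 303);
        }
        return false;
    }
    return true;
}

// Wiring on the real pages (cookie flags must be set before session_start()):
//   index.php:      session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
//                   session_start();
//                   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//                       && login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//                       header('Location: /hw3/classified.php', true, 303); exit;
//                   }
//   classified.php: session_start(); if (!require_login()) { exit; }  ...page...

// Command-line walk-through with a plain array standing in for the session.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $steps = [
        'denied before login' => require_login() === false,
        'wrong password'      => login('alice', 'wrong') === false,
        'unknown user'        => login('mallory', 'anything') === false,
        'correct credentials' => login('alice', 'correct horse battery staple') === true,
        'allowed after login' => require_login() === true,
    ];
    logout();
    $steps['denied after logout'] = require_login() === false;
    foreach ($steps as $name => $passed) {
        printf("%-20s %s\n", $name, $passed ? 'ok' : 'FAIL');
    }
}
```

Run it with `php auth.php` to see each step report `ok`. The one thing the session gate does not do is decide how a request got its session: the cookie flags in the wiring comment keep the session id off plain HTTP and out of reach of page scripts, which is the part of the design that a bare `$_SESSION` check leaves to the server configuration.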
James Fingas (Uberpuzzler, Posts: 949)
Re: a request (online security)
« Reply #1 on: Jun 12th, 2003, 6:25am »
You shouldn't go hiding top secret military secrets on poorly secured pages. Clever people might discover them...
Doc, I'm addicted to advice! What should I do?
Sir Col (Uberpuzzler, Posts: 1825)
impudens simia et macrologus profundus fabulae
Re: a request (online security)
« Reply #2 on: Jun 12th, 2003, 3:54pm »
Seems fairly secure, Maestro.

1) All the server paths are hard coded and you've not made the mistake of allowing query strings to direct paths.
2) All functions are defined within the main .php document. Using include files can be dangerous if you have a coding error, as the server often reports the filename that has caused an error to the client and they can then view the source code of the file in a browser.
3) The use of session variables avoids hackers using external websites to manipulate form values and/or re-route headers to classified.php.

Perhaps...

1) Rather than store the password in plain text, a preferred method is to use a one-way hash on the password; again, hard code the salt (I notice you had commented the crypt() function out, so you must have been thinking about it).
2) Log visitors' IP addresses to stop brute force attacks on login.php.
mathschallenge.net / projecteuler.net
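Two of the points in the reply above, written out as an added example: the first "seems fairly secure" item (the request must never choose an include path; only a hard-coded table does) and the second "perhaps" item (failed logins counted and logged per source IP). This is not hw3 code; the page table, the limits and the sample addresses are constructed for the demonstration, and the throttle keeps its state in memory only for the walk-through.

```php
<?php
// Added example following the reply above: (1) the request may pick a page
// only by key, never by path; (2) failed logins are counted per source IP so
// a password-guessing loop is cut off. Not hw3 code; page table, limits and
// the sample addresses below are constructed for the demonstration.
declare(strict_types=1);

// ---- 1. Page selection ---------------------------------------------------
// Dangerous shape:  include($_GET['page'] . '.php');
// ?page=../../../etc/passwd (with a %00 to drop the suffix on PHP of that era)
// walks out of the intended directory. Here the only thing taken from the
// request is an array key; every filesystem path is written in the source.
const PAGES = [
    'home'       => __DIR__ . '/pages/home.php',
    'classified' => __DIR__ . '/pages/classified.php',
];

function resolve_page(?string $key): ?string
{
    // Unknown keys, traversal strings and empty input all map to null; the
    // caller answers 404 without touching the filesystem.
    return PAGES[$key ?? ''] ?? null;
}

// ---- 2. Failed-login throttle --------------------------------------------
// Sliding-window counter keyed by client IP. In memory here; on a real server
// it would live in a file or table so it persists across requests.
final class LoginThrottle
{
    /** @var array<string, int[]> ip => timestamps of recent failures */
    private array $failures = [];
    private int $maxFailures;
    private int $windowSeconds;

    public function __construct(int $maxFailures = 5, int $windowSeconds = 900)
    {
        $this->maxFailures   = $maxFailures;
        $this->windowSeconds = $windowSeconds;
    }

    public function isBlocked(string $ip, int $now): bool
    {
        $this->prune($ip, $now);
        return count($this->failures[$ip] ?? []) >= $this->maxFailures;
    }

    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->prune($ip, $now);
        $this->failures[$ip][] = $now;
        // The log line is what lets you spot a guessing run after the fact.
        error_log(sprintf('login failed ip=%s user=%s at=%s', $ip, $user, date('c', $now)));
    }

    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip]);
    }

    private function prune(string $ip, int $now): void
    {
        if (!isset($this->failures[$ip])) {
            return;
        }
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$ip] = array_values(
            array_filter($this->failures[$ip], fn(int $t): bool => $t > $cutoff)
        );
    }
}

// Key on $_SERVER['REMOTE_ADDR']; trust X-Forwarded-For only when a proxy you
// control sets it, since any client can send that header itself. index.php
// would begin with:
//   if ($throttle->isBlocked($_SERVER['REMOTE_ADDR'], time())) { http_response_code(429); exit; }

if (PHP_SAPI === 'cli') {
    $results = [
        'known key resolves'   => resolve_page('classified') === __DIR__ . '/pages/classified.php',
        'traversal rejected'   => resolve_page('../../etc/passwd') === null,
        'missing key rejected' => resolve_page(null) === null,
    ];

    $throttle = new LoginThrottle(3, 60);   // 3 failures per 60 s for the demo
    $t = 1000;
    for ($i = 0; $i < 3; $i++) {
        $throttle->recordFailure('203.0.113.7', 'alice', $t + $i);   // TEST-NET-3 address
    }
    $results['blocked after 3 failures'] = $throttle->isBlocked('203.0.113.7', $t + 3);
    $results['other address unaffected'] = !$throttle->isBlocked('198.51.100.9', $t + 3);
    $results['window expires']           = !$throttle->isBlocked('203.0.113.7', $t + 61);
    $throttle->recordFailure('203.0.113.7', 'alice', $t + 100);
    $throttle->recordSuccess('203.0.113.7');
    $results['success clears count']     = !$throttle->isBlocked('203.0.113.7', $t + 101);

    foreach ($results as $name => $passed) {
        printf("%-26s %s\n", $name, $passed ? 'ok' : 'FAIL');
    }
}
```

The throttle blocks by address rather than by account so that a guesser cannot lock a legitimate user out simply by trying their name; the cost is that a guesser who rotates addresses is not stopped by this check alone, which is why the log line matters as much as the block.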
maestro (Newbie, Posts: 3)
Re: a request (online security)
« Reply #3 on: Jun 18th, 2003, 5:08pm »
on Jun 12th, 2003, 3:54pm, Sir Col wrote:
    Seems fairly secure, Maestro.
    1) All the server paths are hard coded and you've not made the mistake of allowing query strings to direct paths.
    2) All functions are defined within the main .php document. Using include files can be dangerous if you have a coding error as the server often reports the filename that has caused an error to the client and they can then view the source code of the file in a browser.
    3) The use of session variables avoids hackers using external websites to manipulate form values and/or re-route headers to classified.php.
    Perhaps...
    1) Rather than store the password in plain text a preferred method is to use a one-way hash on the password; again, hard code the salt (I notice you had commented the crypt() function out, so you must have been thinking about it).
    2) Log visitor's IP addresses to stop brute force attack on login.php.

Thanks so much! That was most helpful.