Can someone test...
13 replies
Can you guys have a go at attacking this login system? [url]http://voltzgaming.com/dev/admin2.0/vgadmin/[/url] Thanks in advance.
You should put some kind of big bold warning when logged in to delete the install folder if it exists. [editline]14th March 2014[/editline] [code]if ($version == $script) { echo ' ';[/code] lol what
Oh, it's part of the update script. SNIP. The install file is only there for debugging and testing the entire system; when it's finished, the install directory will delete itself.
Could not inject into it, I'm no shark at it but seems nice =)
What password hashing algorithm do you use? I may have a few inputs there.
If I told you, that wouldn't be hacking...
I'm not trying to hack it, I'm saying I may have a few inputs. Better safe than sorry. Anyway, have a quick review of this to replace uniqid() while generating a hash; this way you get a truly random string, as uniqid() can be predictable and not completely random: [url]http://stackoverflow.com/a/401684/1765851[/url]
Yea we're storing RCON passwords. We already salt, :)
[QUOTE=Voltz;44264405]Yea we're storing RCON passwords. We already salt, :)[/QUOTE] What's the algo then?
SHA-256
[URL="https://github.com/DomBlack/php-scrypt"]scrypt[/URL] seems to have been announced to be the safest way to hash passwords. I found a quite interesting article where epixoip chewed through NTLM hashed passwords quite rapidly for a brute-force attack [URL="https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/"]here[/URL]. Either way, as long as you're not encrypting the password over hashing it, I'm happy! :downs: Oh, it might also be worth mentioning that it's smarter to secure the location the passwords are stored over securing the actual passwords. Looking forward to the end result!
[url]http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html[/url]
Thought I'd check this out, even if it is old now, but I've found a problem. [quote]but don't worry it's [B]comming[/B].[/quote]
[QUOTE=Svenskunganka;44264825]Oh, it might also be worth mentioning that it's smarter to secure the location the passwords are stored over securing the actual passwords. [/QUOTE] No, both things are equally important. The latter even more so. If your server [i]does[/i] get compromised, you want to make it as hard as reasonably possible for the attacker to get the passwords in plaintext. Furthermore, it's far easier to properly and safely store password hashes than to ensure that your server cannot be compromised. To achieve password security, it's enough to follow [url=https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet]reasonable guidelines[/url]. Securing your server, on the other hand, is a much more difficult task, as you need to make sure that [i]several[/i] applications open to the internet are definitely not vulnerable to attacks. And as zero-day vulnerabilities show, it isn't really possible to ensure this - after all, the attacker may have knowledge about a vulnerability that neither you nor the developers have.
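The thread contrasts the author's salted SHA-256 with the slow, per-password-salted hashing the OWASP cheat sheet recommends, and suggests replacing uniqid() for random strings. The PHP below is an added example, not any poster's code and not part of the vgadmin project; the legacy hash layout, the stored record format and the function names are assumptions made for illustration.

```php
<?php
// Added example (not code from the thread or the vgadmin project).
// Shows: (1) the single salted SHA-256 round the thread's author describes,
// beside password_hash(), which applies a slow per-password-salted algorithm
// as the OWASP cheat sheet recommends; (2) transparent upgrade of legacy
// hashes on login; (3) random_bytes() in place of uniqid() for tokens.

// Legacy scheme assumed for illustration: hex(sha256(salt . password)).
function legacy_hash(string $salt, string $password): string {
    return hash('sha256', $salt . $password);
}

// Recommended: password_hash() picks its own random salt and applies a
// deliberately slow algorithm (bcrypt under PASSWORD_DEFAULT).
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify a login against a stored record, assumed to look like
// ['hash' => ..., 'salt' => ... or null]. A non-null salt marks a legacy
// salted SHA-256 record: verify it the old way and, on success, return an
// upgraded hash for the caller to write back, so the database migrates
// itself one login at a time without forcing password resets.
function verify_and_upgrade(string $password, array $record): array {
    if ($record['salt'] !== null) {
        $ok = hash_equals($record['hash'], legacy_hash($record['salt'], $password));
        return ['ok' => $ok, 'new_hash' => $ok ? store_password($password) : null];
    }
    $ok = password_verify($password, $record['hash']);
    // Rehash when the default cost has been raised since the hash was made.
    $new = ($ok && password_needs_rehash($record['hash'], PASSWORD_DEFAULT))
        ? store_password($password) : null;
    return ['ok' => $ok, 'new_hash' => $new];
}

// Unpredictable token for resets or sessions, replacing uniqid().
function make_token(): string {
    return bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
}

// Demonstration with constructed sample data.
$legacy = ['salt' => 'c0ffee', 'hash' => legacy_hash('c0ffee', 'hunter2')];
$r = verify_and_upgrade('hunter2', $legacy);
assert($r['ok'] && $r['new_hash'] !== null);
$modern = ['salt' => null, 'hash' => $r['new_hash']];
assert(verify_and_upgrade('hunter2', $modern)['ok']);
assert(!verify_and_upgrade('wrong', $modern)['ok']);
echo "token: " . make_token() . "\n";
```

The caller is expected to persist `new_hash` (and clear the legacy salt) whenever it is non-null, which is what turns the upgrade path into a migration.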