Can I get someone to breach my test site for the sake of argument?

So, I have a test box running at [URL removed for safety] I know the thing has been breached from some otherwise spooky behavior, but the security team needs convincing. I don’t even need to know how, but can someone back me up here? I’m a research programmer, not a hacker. I need this so I can get permission to notify users that their accounts have been breached.

Please keep to read only access. There is no good backup of that code anywhere. I’ve been trying to fix things up, but there is so much to fix…

A. No
B. That’s not your server.
C. You don’t have backups?
D. Not even a “hi from l1t” tag on the site?

Come on.

2 Likes

The production server is [URL removed for safety]

for all intents and purposes it is

I’m working on it, but bio people think copying files next to each other counts as backups

I can add it if you want?

Check now at the main page. Message added.

why don’t you explain what it is you think is broken/vulnerable?

I think the entire site is vulnerable to php and sql injection. I’ve seen no input validation anywhere. But my forte is with C++ programming and systems, not web development. I can’t narrow down much beyond the very premise of the site I think is immediately broken.

that’s hardly an explanation : )

in broad strokes,

  1. “php injection” is unlikely, unless you’ve got code which uses eval, writes files from user input, or allows uploads and stores those uploads in a web-accessible place.

  2. “sql injection” is more likely. look at the code which interacts with the database. What database? does it use prepared statements and parameterized queries? does it use proper escaping?

It’s not possible to be more certain without auditing the code. if you’re not qualified to do this, you’d need to find someone who is.

To be clear, inviting random people to “try to break in” is not going to be productive.

3 Likes
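An added example (not code from the thread or from the OP's site) of the check described in point 2 above: the same login query written the way an audit flags it, with request values spliced into the SQL text, and written with a parameterized statement, run against a constructed in-memory SQLite table so it executes stand-alone. The site itself is PHP, where the parameterized version corresponds to a PDO or mysqli prepared statement; the table, its rows and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's real users table.
    Passwords are plain text here only to keep the example short; real code
    compares a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The pattern an audit flags: request values spliced into the SQL text.
    The database cannot tell where the query ends and the data begins."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The fix: placeholders in the statement, values passed separately.
    Quotes inside the values are data, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def apostrophe_breaks_concatenation(conn):
    """A legitimate value containing a quote is evidence on its own: the
    concatenated query is malformed before any attacker is involved."""
    try:
        login_concatenated(conn, "o'brien", "pw")
    except sqlite3.OperationalError:
        return True
    return False


def compare_logins():
    """Run the same inputs through both versions and collect the outcomes."""
    conn = make_db()
    # The classic probe: does a quote in the value change the query's meaning?
    tautology = "x' OR '1'='1"
    return {
        "valid_concat": login_concatenated(conn, "alice", "correct horse"),
        "valid_param": login_parameterized(conn, "alice", "correct horse"),
        "wrong_concat": login_concatenated(conn, "alice", "wrong"),
        "wrong_param": login_parameterized(conn, "alice", "wrong"),
        "tautology_concat": login_concatenated(conn, "alice", tautology),
        "tautology_param": login_parameterized(conn, "alice", tautology),
        "apostrophe_breaks_concat": apostrophe_breaks_concatenation(conn),
    }


if __name__ == "__main__":
    for check, outcome in compare_logins().items():
        print(f"{check:26} {outcome}")
```

The concatenated version accepts the wrong password as soon as the value carries a quote, and it errors out on an ordinary name like o'brien; the parameterized version behaves identically for every input. When auditing the code, the question is simply which of the two shapes each query has.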

I don’t think the law agrees. You should understand what you’re asking is illegal.

We do write files from user input. We do allow user uploads and store them in a web-accessible place. [URL removed for safety]

Some prepared statements are used, but not consistently.
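Since the site stores user uploads in a web-accessible place (point 1 of the explanation above), here is an added example, not the site's code, of how upload handling is hardened: the original filename is used only to read its extension, the extension must be on an allowlist and match the file's leading bytes, the file gets a random name, and it is written to a directory that the web server does not serve or execute from. The allowlist, size limit and directory are assumptions for the example; the upload bytes are constructed.

```python
import os
import secrets
import tempfile

# Assumed policy: permitted extensions and the leading bytes each must carry.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


def store_upload(original_name, data, upload_dir):
    """Validate an upload and write it under a random name in upload_dir,
    which must lie outside the web root. Returns the stored file name."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    # Only the extension is taken from the client's name; the name itself,
    # including any directory components, is discarded.
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("file type not permitted: %r" % ext)
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored_name)
    with open(path, "xb") as fh:   # "x": never overwrite an existing file
        fh.write(data)
    return stored_name


def demo():
    """Exercise the handler with one valid and three rejected uploads."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed PNG prefix
    script = b"<?php /* any server-side script */ ?>"  # constructed script
    outcomes = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        stored = store_upload("../../../var/www/html/avatar.png", png, upload_dir)
        outcomes["png_stored_in_dir"] = (
            stored in os.listdir(upload_dir) and stored.endswith(".png")
        )
        for name, data in [("script.php", script),   # extension not allowed
                           ("photo.PHP", png),        # case-folded, still not allowed
                           ("x.png", script)]:        # allowed name, wrong content
            try:
                store_upload(name, data, upload_dir)
                outcomes[name] = "stored"
            except ValueError:
                outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

The stored name is what goes in the database; a download endpoint then reads the file by that name and sends it with a fixed Content-Type, so nothing a user uploaded is ever reachable as a URL that the web server might interpret.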

I mean you could test yourself if sql injection works right? Little bobby tables comes to mind.

2 Likes

I would advise against requesting a random person to attempt to even bother attacking your devbox.

It seems like a bigger risk to the “attacker” to attempt to get in a random server without much context to the network they are attempting to penetrate.

Assuming from the domain alone, it looks like you are inviting someone to attack a potential school network, which may prove to be a bigger risk without the proper paperwork and consent forms.

4 Likes

you can go to https://scanmyserver.com/
add their button to the site and let it scan; it will already show a lot of things about the site.
and it's free.

A few things I noticed:

  1. Opera warns the Login is not secure
  2. HTTPS anyone?

^this

Edit:
3) This is a joke, right?
[URL removed for safety]

these things are, in and of themselves, enough to justify a professional audit.
go to your boss and explain it.

edit
just to be clear, you want a code audit, not a pentest.

2 Likes

@anadon I would potentially remove as much information regarding what you want targeted as much as you can and see if you can do as @_adrian suggests with a professional audit.

I’m frustrated because I’m trying to clean up after biologists making this over 5 years and nothing is done right, and they want the most explicit proof something is wrong. I’m trying to do everything to make it not horrible, but I don’t have the time.

@_adrian They’re not convinced. Should be enough, but isn’t even close.

only the person who controls the email that is entered will see the report.

ok. is this your job? if not, let it go. if it is, then be firm: “you hired me to do this job. i can’t do my job without {x}.”

OP, I would recommend getting professional audit done for this. Requesting strangers to do this could lead to some unintended consequences.