Outpost Universe Forums

Off Topic => General Interest => Topic started by: op2rules on July 10, 2010, 07:36:20 PM

Title: Sneaky Gurus
Post by: op2rules on July 10, 2010, 07:36:20 PM

Hey guys, I know you all for being sneaky computer gurus as you play op2. My website has a PHP/Jquery/MySQL/stuff URL Redirection system I wrote, and I implemented a LOT of features into it.

My question is, besides loads of inserted URLs, what security holes does/may it have?

Test it out just by heading on over to op2rules.net and go Extras -> URL Redirection System, or click the link on the frontpage.

Thanks!

Title: Sneaky Gurus
Post by: Hooman on July 10, 2010, 08:36:47 PM

Wow, that's unfriendly!
"To view the following page, please upgrade your browser!
This is an Internet Explorer FREE Zone"

Well the only suggestion I have, is to actually make it work in the browser that most of the world uses. I know IE has it's issues (they all do, including FF, just IE tends to have a few more), but I find that kind of a message hard to excuse. That's not just completely ignoring a browser that accounts for over half of internet traffic, but explicitly excluding it. It's generally not hard to make a website at least usable in all browsers, even if it's not pretty in all of them.

Title: Sneaky Gurus
Post by: op2rules on July 10, 2010, 09:34:19 PM

No, the website does NOT work in IE. All the ajax and everything even the template's html doesn't work properly in IE. My apologies though you need to seriously boost your browser man :/

Title: Sneaky Gurus
Post by: op2rules on July 10, 2010, 09:51:41 PM

Edit, actually thanks for reminding me. I decided to check IE6 Compatability and the new jQuery ajax works alright in it, so I removed the blockage.

Title: Sneaky Gurus
Post by: BlackBox on July 10, 2010, 10:15:57 PM

XHRs, which are the foundation behind AJAX, work in IE. Just because you hate IE doesn't mean you should purposely design your website so that IE users are excluded.

If that's how you feel I hope you never get a job doing professional web design, cause you will have to design websites that work on all major browsers.

Edit: website doesn't function properly at all for me, all links end up at http://www.op2rules.net/showtitles.php (http://www.op2rules.net/showtitles.php) which displays nothing but an "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY Category' at line 1."

FYI, javascript is disabled on all sites for me except for ones I specifically whitelist (I use the NoScript extension in firefox). Your main navigation should not require javascript to actually function properly.

Edit2: enabled javascript, site finally worked (shouldn't have to do this just for simple navigation however). Tried some simple sql injection attacks; they didn't work. (Hoping that you are actually doing your own escaping of data and not relying on magic_quotes_gpc).

Title: Sneaky Gurus
Post by: op2rules on July 10, 2010, 11:33:49 PM

Yes and thank you for the attack attempt. Also I have no way of making the menus work without javascript right now, actually I don't even know how to set it up so that it has an alternative, as the CMS is built around that sort of ajax implied concept. Each page pulls stuff in via ajax, so if the ajax isn't there the pages clicked on would appear broken.

And yea, the whole IE blocking thing was about a 50/50 of hating IE users and not being able to deal with IE dis functionality. That was then though, I've matured.

Title: Sneaky Gurus
Post by: BlackBox on July 11, 2010, 12:29:04 AM

Something like:

Code: [Select]

<script type="javascript">
document.write("<a href='javascript:fancy-xhr-request-routine()'>blah</a>");
</script>
<noscript>
<a href="static-page-that-doesn't-use-ajax">blah</a>
</noscript>

perhaps? or even just onclick events in the links to handle the javascript, return false; should prevent the browser from following the href= attribute. If JS support doesn't exist/is disabled the onclick events won't be processed, leaving the href= to be handled normally.

Title: Sneaky Gurus
Post by: AmIMeYet on July 11, 2010, 05:44:42 AM

Hm.. is it me or do ID's with spaces in them not work? I tried: "OPU Thre" (as the last "ad" was cut off).. but that 404'd

Following BlackBox's post, since you use jQuery, it's better to use event.preventDefault() in the event handler.
Like this:

Code: [Select]

$(document).ready(function(){
   $("#static_page").click(function(event){
     alert("This link no longer goes where it's supposed to go! Isn't that brilliant?");
     event.preventDefault();
   });
 });

<a id="static_page" href="static-page-that-doesn't-use-ajax">blah</a>

A bit off topic, but BlackBox, what's so bad about magic_quotes?

Title: Sneaky Gurus
Post by: Freeza-CII on July 11, 2010, 08:16:16 AM

if i attack your server ill win for sure. heheh and IE is great and the majority use it dont be a hater :P

Title: Sneaky Gurus
Post by: Hidiot on July 11, 2010, 08:24:25 AM

IE may be sort of ok (is usable, if you don't mind certain security risks), but the way it is (or at least used to be) marketed is not.

Title: Sneaky Gurus
Post by: op2rules on July 11, 2010, 09:16:43 AM

Quote

Something like:

Code: [Select]

<script type="javascript">
document.write("<a href='javascript:fancy-xhr-request-routine()'>blah</a>");
</script>
<noscript>
<a href="static-page-that-doesn't-use-ajax">blah</a>
</noscript>

perhaps? or even just onclick events in the links to handle the javascript, return false; should prevent the browser from following the href= attribute. If JS support doesn't exist/is disabled the onclick events won't be processed, leaving the href= to be handled normally.

But see that's my problem, ALL the data is just ajax'd from MySQL tables, there are no static files to link it, and what would be a point in making them if the whole point of the ajax was to avoid needing to do that :/

Actually, I see what you mean, make an alternative .php file that would pull the entire page with the new content in it like that, infact thats perfect and exactly what I want because then linking with the URL would work. Thanks!

Title: Sneaky Gurus
Post by: BlackBox on July 11, 2010, 12:11:06 PM

Quote

Hm.. is it me or do ID's with spaces in them not work? I tried: "OPU Thre" (as the last "ad" was cut off).. but that 404'd

Following BlackBox's post, since you use jQuery, it's better to use event.preventDefault() in the event handler.
Like this:

Code: [Select]

$(document).ready(function(){
   $("#static_page").click(function(event){
     alert("This link no longer goes where it's supposed to go! Isn't that brilliant?");
     event.preventDefault();
   });
 });

<a id="static_page" href="static-page-that-doesn't-use-ajax">blah</a>

A bit off topic, but BlackBox, what's so bad about magic_quotes?

Yeah, that's a good point. I don't use jquery much so I forgot about that.

And yes, IDs and classes are supposed to be one word (spaces would goof up the syntax of the CSS file cause it allows selectors specifying the style for specific elements of a certain class / ID, or within a div of said class/ID).

As far as the creating static pages go, you could just have the regular links link to the "outer" page and pass some kind of param which will include() the ajax'ed page within the body of the outer page. (But it looks like you have it figured out).

With regard to magic quotes, (and even the developers of PHP say this, hence magic quotes is a deprecated feature currently), it's a bad idea to rely on "built-in" security measures that you may not be aware of happening. (It's important for the developer to be aware of the attacks that can happen, and perform input validation properly themselves).

In addition it causes applications to require code that check for magic_quotes_gpc or magic_quotes_runtime and stripslashes() if needed.

Quote

IE may be sort of ok (is usable, if you don't mind certain security risks), but the way it is (or at least used to be) marketed is not.

I wouldn't say it is full of security holes in the latest versions of IE. It by default takes a pretty decent approach to allowing activeX controls to run and forces you to "allow" them before they run (of course the user can be dumb and just 'allow' everything but this can be a problem in any browser, not just IE.. on firefox you could try to get the user to install an xpi (extension) and it could be just as bad).

The main reason I use firefox instead of IE is because of all the browser extensions that I use (adblockplus which blocks and collapses the div for most major ad companies' ads; noscript which as mentioned maintains a whitelist of javascript/flash/etc. enabled sites; greasemonkey and firebug; among certain other plugins for web apps I have to use that do not work at all in IE).

Finally, with regard to things like users that are on old or "incompatible" browsers, I wholeheartedly agree that they should upgrade to the latest version of the browser if possible but this isn't possible in all cases, or the user just won't do it. (I know for example there are a lot of company IT policies where they are still using windows XP and IE 6, oftentimes since they have some ancient webapp that only works properly on this browser. As such the user cannot use another browser).

You need to also consider where the user will disable javascript on sites where it's not really needed (me), or clients where javascript support may not exist (for example mobile devices like cell phones, PDAs, etc). I can understand the use of javascript for "special" features, for example a realtime chat feature using AJAX techniques to send and receive chat messages, but for simple navigation of pages in your case it should not require ajax, at that point it is just being used as an annoying gimmick).

A good example of a major website that takes the use of Ajax too far is Facebook. Every single page request is an XHR (also ever since they started doing things this way I've found the site to be extremely buggy. I'm sure it's an attempt at reducing load on their servers as they can load parts instead of the whole page, but it doesn't work very well IMO)

Title: Sneaky Gurus
Post by: Hooman on July 11, 2010, 01:08:54 PM

Quote

IE may be sort of ok (is usable, if you don't mind certain security risks), but the way it is (or at least used to be) marketed is not.

It's given away for free, just like FF. What's the problem? ;)


I also strongly believe that a web page should not rely on JavaScript for basic functionality. JavaScript is needed for basic client side *behavior* (outside of clicking links). For fancy features that require some sort of functionality, like a Google maps interface, sure use it. But it's a terrible idea for site navigation to rely on it, or for the layout to rely on JavaScript to the point where the page is unreadable if it's disabled. JavaScript should only be used to enhance a web site, not as a replacement for core functionality already in HTML or CSS. If you want to use Ajax to replace links and only do partial page loads, then fine, it's an enhancement, but don't break navigation for people who have JavaScript disabled.


Also, keep in mind that newer versions of IE are more compatible with other browsers. Even if you had problems with an older version, there is no reason to block every version of IE, including future ones that may handle the web site correctly.