First major Site..

Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

[Posted under old name]
Last edited by Zoxive on Wed Sep 09, 2009 11:08 pm, edited 2 times in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Post by Zoxive »

jshpro2 wrote:You are susceptible to XSS:
http://www.batechcentral.com/NTS_am/2/p ... /script%3E
What's this?

Never heard of it.. too bad I can't fix... due date was the 1st..

-NSF
Post by josh »

cross site scripting.

It means I can log in as the admin if I get you to load a specially constructed URL. If you were logged in as the admin, it could cause JavaScript to send me your login cookie.
Post by Zoxive »

jshpro2 wrote:cross site scripting.

It means I can log in as the admin if I get you to load a specially constructed URL. If you were logged in as the admin, it could cause JavaScript to send me your login cookie.
Login session? I don't have cookies..

And I Wikied it, but didn't get much from it other than cross site scripting, and it was mainly used to crack sites..

-NSF
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

As in I could capture your session cookie, and potentially gain access/permission to the admin section as long as an admin logged in while I had this attack setup.. could also steal anyone's account that logged in as well.
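The bug class josh and John are describing is a URL parameter reflected into the page unescaped, so a crafted link can run script in the viewer's browser and read the session cookie. This is an added example, not code from the site under review; the parameter name $_GET['q'] and the page markup are assumed:

```php
<?php
// Added example (assumed parameter name 'q' and markup, not the site's code).

// Vulnerable pattern: whatever is in the URL becomes part of the HTML, so a
// crafted link can inject a <script> element that runs as the viewing user.
function render_vulnerable(string $q): string {
    return "<p>Results for: $q</p>";
}

// Fix: encode the value for an HTML context before reflecting it.
// ENT_QUOTES also encodes both quote characters, so the value is safe
// inside attributes as well as in text nodes.
function render_safe(string $q): string {
    $safe = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
    return "<p>Results for: $safe</p>";
}

// Defence in depth: an HttpOnly session cookie is not visible to script, so
// even a successful injection cannot read document.cookie to send it away.
function start_hardened_session(): void {
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

start_hardened_session();
$q = $_GET['q'] ?? 'city tours';   // default used when run from the CLI
echo render_safe($q), "\n";
```

Running it with a query string such as q=%3Cscript%3E shows the angle brackets arriving as &lt;script&gt; in the output, which the browser renders as text rather than executing.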
Post by Zoxive »

Jcart wrote:As in I could capture your session cookie, and potentially gain access/permission to the admin section as long as an admin logged in while I had this attack setup.. could also steal anyone's account that logged in as well.
Ok, well beyond that.. it's my first site...... ; (

And I just started PHP when I first joined.

So anything about the site? I was very happy with it.. till now.. : /

-NSF
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

NonStopableForce wrote:So anything about the site? I was very happy with it.. till now.. : / -NSF
- Invalid CSS
- Help/Sitemap/Adv search hard to read, could be in the main nav bar, not spaced well/consistently
- At least four different fonts on the page (including images), could be fewer
- Have to click About Us to learn anything about NTS. Will destroy your google ratings. At least have some intro text on the main page
- Very nice use of a consistent color scheme (blue/brown/green), although I prefer fewer colors.
- Cross-site scripting vulnerable

Overall, not bad, but not great.
benamaster
Forum Newbie
Posts: 4
Joined: Fri Feb 03, 2006 7:52 am

Post by benamaster »

I have to say I like the features on the http://www.batechcentral.com/ntspm quite a bit better compared to the http://www.batechcentral.com/nts_am/2/

The http://www.batechcentral.com/ntspm site has much better features as you can select a date via a calendar and they list sites in the city and the tours that go to those sites.
Post by Zoxive »

Roja wrote: - Invalid CSS
If you notice, I didn't realize you couldn't use // to comment out, that's why it doesn't validate... and it's after the 1st so I can't fix.

benamaster wrote:I have to say I like the features on the http://www.batechcentral.com/ntspm quite a bit better compared to the http://www.batechcentral.com/nts_am/2/

The http://www.batechcentral.com/ntspm site has much better features as you can select a date via a calendar and they list sites in the city and the tours that go to those sites.
Ok, you think that because you made it?

But what does everyone else think?

-NSF
Post by josh »

Are we the judges on this competition and we don't even know it?


The "enemy"'s site:

- when I page to a new month on the calendar it scrolls me to the top of the page, perhaps use of anchors to scroll the page back to where I was would be appropriate, or a simple ajax / iframe solution to avoid that issue altogether
- The elements on the bottom of the tour pages are not arranged in a logical way, I have tabs to read reviews, see a calendar, an area to rate the tour, etc.. all cluttered into one area.
- links in upper right are in a non-standard place, and do not stand out.
+ fluid layout, I can resize / change font size
- sql injection on http://www.batechcentral.com/ntspm/Prod ... ProductID= ????


As for your site, it has sql injection here:

http://www.batechcentral.com/NTS_am/2/tours.php?tour=


(this gives me the ability to run any query I want, with very few limitations on what I can run)

Regarding the sql injection, just to prevent confusion you are adding slashes or escaping the string but this does you no good because you're running the input like so:

select `whatever` from `table` where `id`= $id
Since $id has no single quotes around it in your query I can insert things

Proof of concept -
http://www.batechcentral.com/NTS_am/2/t ... r%205=5%20;
I'm just selecting but I'm doing it through the SQL injection vulnerability
Post by Zoxive »

jshpro2 wrote: As for your site, it has sql injection here:

http://www.batechcentral.com/NTS_am/2/tours.php?tour=


(this gives me the ability to run any query I want, with very few limitations on what I can run)

Regarding the sql injection, just to prevent confusion you are adding slashes or escaping the string but this does you no good because you're running the input like so:

select `whatever` from `table` where `id`= $id
Since $id has no single quotes around it in your query I can insert things

Proof of concept -
http://www.batechcentral.com/NTS_am/2/t ... r%205=5%20;
I'm just selecting but I'm doing it through the SQL injection vulnerability
Mm, I just tried messing with that, and every time it would bring up tour id 28, with 5=5 or anything=anything

There isn't much they could do with that, but yes I know it's bad, and I'll make account of all these mess-ups for future websites..

-NSF
Post by benamaster »

We should all make a vote!

Though with this being a PHP site and my site being in ASP.NET 2.0 I am pretty sure who would win out. I have done PHP before and I do like it but it's a lot easier I think to manage a project in Visual Studio 2005.

For my personal site I use PHP, does anyone have suggestions of a Visual Studio like program that would be better than Dreamweaver 8?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

My vote: you're all off the island for failing to face your fears with big brother and your fellow geeks watching on.

No ASP vs PHP war.

Check out vs.PHP (I think that's the name) .. or PHP Designer.. Happily, most decent code editors are better than Dreamweaver. If you have any further, off topic things to ask, like editor questions, look around the forums. There is a VERY large editors thread.
Post by josh »

NonStopableForce wrote:There isn't much they could do with that
Wrong, here's another example:

http://www.batechcentral.com/NTS_am/2/t ... d%20=%2033


I imagine the query I just made looks like


select `field`, `field` from `some_table` where `id` = 0 or id = 33 order by `field`


Now what if I knew the schema of your tables and ran the following query

select `field`, `field` from `some_table` where `id` = 0 or id =33 union all select 'dummy_data', `password` from `users` where `username`='admin' ; -- order by `field`

Obviously that's not a valid query on your system but if I was motivated enough I could select data from any of your tables with this exploit, who knows what other exploits I could find if I had the time / will to seek them all out. (i.e., maybe you have an sql injection vulnerability somewhere else where I could delete from tables)
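Josh's two posts make the same point: escaping the string is useless when the value is dropped into the query without quotes, because `0 or id = 33` contains nothing for addslashes() to escape. This added example (not the site's code, not josh's) shows that pattern beside two fixes; the table and column names are assumed:

```php
<?php
// Added example (assumed table `tours` and columns `name`, `price`).

// The pattern josh describes: the input is escaped, then interpolated into
// the query unquoted. addslashes() only touches ' " \ and NUL, so a value
// made of digits, spaces and letters passes through unchanged.
function vulnerable_query(string $tour): string {
    $id = addslashes($tour);
    return "select `name`, `price` from `tours` where `id` = $id order by `name`";
}

// Fix 1: validate the type. A tour id is an integer; reject anything else
// before it gets anywhere near SQL.
function validated_id(string $tour): int {
    $id = filter_var($tour, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        throw new InvalidArgumentException('tour must be a positive integer');
    }
    return $id;
}

// Fix 2: a prepared statement. The value is bound as data ("i" = integer),
// so it is never parsed as part of the SQL text, quotes or no quotes.
function fetch_tour(mysqli $db, string $tour): ?array {
    $id   = validated_id($tour);
    $stmt = $db->prepare('select `name`, `price` from `tours` where `id` = ? order by `name`');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration without a database: compare the two generated queries.
echo vulnerable_query('28'), "\n";
echo vulnerable_query('0 or id = 33'), "\n";   // addslashes() changed nothing
try {
    validated_id('0 or id = 33');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Either fix alone closes the hole josh found; using both means a future copy-paste of the query into a new page still fails safe if someone forgets the cast.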