Can you break my web site? Go ahead

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
I'm very proud of this baby. It has taken me since the beginning of the year (ok, only about 20 actual working days) to put this site together.

So now I'm asking you to break it, or at least to try to break it. Editing the data doesn't count as breaking it, but if you find any security flaws I'd really like to know. Until the end of July the site is using the Northwind Traders database, with full editing rights.

http://www.fishwisepro.com/

If you can make it crash, overload it, find bugs or any other embarrassing things, I would be most grateful.

I'd also like feedback on the user interface and general usability.
Thanks in advance
 
Joined
Apr 8, 2005
Messages
11,422
Another suggestion.... change the email address to fishwisepro (at) gmail (dot) com


Should cut down the spam a lot
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
"The DELETE statement conflicted with the REFERENCE constraint "FK_OrderDetail_SalesOrder". The conflict occurred in database "FishWisePro_91202", table "dbo_OrderDetail", column 'OrderId'.

The statement has been terminated."
 

Reelix

Senior Member
Joined
Jun 24, 2008
Messages
594
Let me see....

OS: Windows Server 2008
Software: WWW Server/1.1
IP: 66.226.20.176
FTP Server: Exists (Unknown Software)
.NET Version: 2.0
Language Coded In: VB.NET

Problems:

1.) http://www.fishwisepro.com/.aspx - No 404 Page

2.)

http://www.fishwisepro.com/Products/
http://www.fishwisepro.com/Categories/
http://www.fishwisepro.com/Customers/
http://www.fishwisepro.com/Employees/
http://www.fishwisepro.com/OrderDetails/
http://www.fishwisepro.com/SalesOrders/
http://www.fishwisepro.com/Shippers/
http://www.fishwisepro.com/Suppliers/
http://www.fishwisepro.com/Images/

Need to hide that...

3.) http://validator.w3.org/check?uri=h...(detect+automatically)&doctype=Inline&group=0

Fails w3 validation.

4.) Found 59 other domains hosted on the same web server?

but if you find any security flaws I'd really like to know.

No chance... If you cannot prove it's your own server, I'm not hacking it :<


- Edit -

Farlig: Where on earth did you find somewhere to execute a SQL Statement? o_O Auto-Spider? (Mini Edit: Nevermind :p)

- Edit 2 -

http://www.fishwisepro.com/ScriptResource.axd?d=moo

Epic Fail! :D

- Edit 3 -

And another

http://www.fishwisepro.com/WebResource.axd?d=moo2

- Edit 4 -

http://www.fishwisepro.com/Products/List.aspx?CategoryId=moo3

- Edit 5 -

Value was either too large or too small for an Int32. (Changing the Product ID too high)
 
Last edited:
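Reelix's edits 4 and 5 above boil down to one defect: a query-string id such as CategoryId=moo3, or a product id past the 32-bit range, reaches the conversion unchecked and the unhandled exception surfaces as an error page. The following is an added example, not the site's own code (the site is ASP.NET/VB.NET; Python stands in here, and the equivalent there is Int32.TryParse followed by a range check). It validates the id before any lookup and turns bad or unknown ids into a plain "not found" response. The handler name, the category table and the page name are constructed for the example.

```python
# Added example (not the site's code): validate a numeric query-string id
# before it reaches the data layer, so "CategoryId=moo3" or an id beyond the
# Int32 range produces a controlled 404 instead of an unhandled exception page.
# Function and table names are hypothetical.
from typing import Optional, Tuple
from urllib.parse import parse_qs

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def parse_int32(raw: Optional[str]) -> Optional[int]:
    """Return the value as an int if it is a plain decimal within Int32, else None."""
    if raw is None:
        return None
    raw = raw.strip()
    # Accept only an optional sign followed by digits; int() alone would also
    # take forms like "1_000", which a database id never is.
    body = raw[1:] if raw[:1] in "+-" else raw
    if not body.isdigit():
        return None
    value = int(raw)
    if value < INT32_MIN or value > INT32_MAX:
        return None
    return value


# Constructed category rows standing in for the Northwind Categories table.
CATEGORIES = {1: "Beverages", 2: "Condiments", 8: "Seafood"}


def handle_products_list(query_string: str) -> Tuple[int, str]:
    """Simulate /Products/List.aspx?CategoryId=...; returns (HTTP status, body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw_id = params.get("CategoryId", [None])[0]
    category_id = parse_int32(raw_id)
    if category_id is None or category_id not in CATEGORIES:
        # Bad or unknown id: generic 404 body, no exception text to leak.
        return 404, "Category not found"
    return 200, f"Products in {CATEGORIES[category_id]}"


if __name__ == "__main__":
    for qs in ("CategoryId=8", "CategoryId=moo3", "CategoryId=99999999999", "CategoryId="):
        print(qs, "->", handle_products_list(qs))
```

The same pattern fixes the ScriptResource.axd and WebResource.axd findings indirectly: once no request path can raise an unhandled exception, there is no stack trace to show, and in ASP.NET the web.config customErrors setting should in any case be on so that whatever does slip through renders a generic page.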

JHatman

Banned
Joined
Oct 28, 2008
Messages
2,008
Tempted to have a go but not sure what alarm bells I'll trigger off on our work servers! :eek:
 

Reelix

Senior Member
Joined
Jun 24, 2008
Messages
594
JHatman: See number 4 of my previous post - It's more the alarms on their servers you should be worried about...
 

Dude111

Well-Known Member
Joined
Jul 19, 2009
Messages
206
Quite an interesting layout bud!!

Good luck when you finally go FULL THROTTLE :)
 

Raithlin

Executive Member
Joined
Jan 4, 2005
Messages
5,032
I got into the data section without using admin. A word of advice: Don't use inline queries!!! Especially on login screens!!

[EDIT] It doesn't seem like much, but I was able to get into your data section (readonly access), and could browse around to my heart's content...
 
Last edited:

donn_edwards

Well-Known Member
Joined
Aug 17, 2005
Messages
174
I got into the data section without using admin. A word of advice: Don't use inline queries!!! Especially on login screens!!

It doesn't seem like much, but I was able to get into your data section (readonly access), and could browse around to my heart's content...

The data section is supposed to be open to everyone, but with read-only access. If you login with the right credentials then you can edit the data.

As far as I can tell there are no inline queries on the login screen. The only parameters being passed around the site relate to filtering the data, and apart from the obvious blunder (above) where nonsense data crashes the page, I don't see any security risk in adding to the data filter.
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
I got into the data section without using admin. A word of advice: Don't use inline queries!!! Especially on login screens!!

[EDIT] It doesn't seem like much, but I was able to get into your data section (readonly access), and could browse around to my heart's content...

You got read only access? :confused: I was able to perform deletes on the data!
 

Raithlin

Executive Member
Joined
Jan 4, 2005
Messages
5,032
The data section is supposed to be open to everyone, but with read-only access. If you login with the right credentials then you can edit the data.

As far as I can tell there are no inline queries on the login screen. The only parameters being passed around the site relate to filtering the data, and apart from the obvious blunder (above) where nonsense data crashes the page, I don't see any security risk in adding to the data filter.
That's the point. I logged in using bogus data, as follows:

User:
Code:
' and 1=1;
Password:
Code:
test

Look, if you want I can make it more vicious, like deleting your user table, to make my point. I figured that wouldn't be necessary though... ;)

EDIT: Ok, so it appears I got all upset over nothing. Well done. I wasn't able to delete stuff :p. However, the fact remains that if I type in test@test as username and password, I get invalid login. If I type in as above, I get in. Readonly, but in.
 
Last edited:

rtzouves

Senior Member
Joined
Jun 3, 2008
Messages
511
That's the point. I logged in using bogus data, as follows:

User:
Code:
' and 1=1;
Password:
Code:
test

Look, if you want I can make it more vicious, like deleting your user table, to make my point. I figured that wouldn't be necessary though... ;)

EDIT: Ok, so it appears I got all upset over nothing. Well done. I wasn't able to delete stuff :p. However, the fact remains that if I type in test@test as username and password, I get invalid login. If I type in as above, I get in. Readonly, but in.

For interest's sake, you could place absolutely anything in the username and password fields and it will log you in with no editing rights.

I got in using the following:

Username: lookiamauser

Password: uhmidontknow

:p
 

fxit_man

Executive Member
Joined
Sep 16, 2006
Messages
6,413
For interest's sake, you could place absolutely anything in the username and password fields and it will log you in with no editing rights.

I got in using the following:

Username: lookiamauser

Password: uhmidontknow

:p

Provided that it's >= 5 characters then yeah it seems.
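Raithlin's ' and 1=1; login and the later lookiamauser/uhmidontknow finding are the same bug seen twice: the login form reports success for any pair of strings of five or more characters, so the quote-and-keyword username was never interpreted by the database at all. The following is an added example and not the site's code (the site is ASP.NET; Python with sqlite3 stands in, and the ASP.NET equivalent of the bound parameter is a SqlParameter on the command). It shows a login check that passes the username to SQL as a parameter, so quotes and keywords are compared as literal text, and that returns no role at all unless the stored password hash verifies, with no fallthrough to a default logged-in state. The table layout, the single editor account, its password and the PBKDF2 settings are constructed for the example.

```python
# Added example, not the site's code.  A login routine that (a) binds the
# username as a query parameter rather than splicing it into the SQL text, and
# (b) grants no role unless the stored password hash verifies.  Table, account
# and hashing parameters are constructed for the example.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_demo_db() -> sqlite3.Connection:
    """Constructed Users table with one editor account and nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (Username TEXT PRIMARY KEY, Salt BLOB, PasswordHash BLOB, Role TEXT)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        ("editor", salt, hash_password("correct horse", salt), "editor"),
    )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Return the user's role on success, None otherwise.  There is no default role:
    a None result means the form shows 'invalid login' and the visitor stays anonymous."""
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so a username of "' and 1=1;" is matched as a literal string and hits no row.
    row = conn.execute(
        "SELECT Salt, PasswordHash, Role FROM Users WHERE Username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    salt, stored_hash, role = row
    # Constant-time comparison of the recomputed hash against the stored one.
    if not hmac.compare_digest(hash_password(password, salt), stored_hash):
        return None
    return role


if __name__ == "__main__":
    db = build_demo_db()
    for user, pw in (
        ("' and 1=1;", "test"),
        ("lookiamauser", "uhmidontknow"),
        ("editor", "correct horse"),
    ):
        print(repr(user), "->", authenticate(db, user, pw))
```

The point of the thread's last two posts is the missing negative path: the site's data section is meant to be readable by everyone, so a failed login should simply leave the visitor anonymous rather than report a successful read-only session. In the example that is what a None return does, and the length of the input plays no part in the decision.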
 