Can you break my web site? Go ahead

[donn_edwards]

I'm very proud of this baby. It has taken me since the beginning of the year (ok, only about 20 actual working days) to put this site together.

So now I'm asking you to break it, or at least to try to break it. Editing the data doesn't count as breaking it, but if you find any security flaws I'd really like to know. Until the end of July the site is using the Northwind Traders database, with full editing rights.

http://www.fishwisepro.com/

If you can make it crash, overload it, find bugs or any other embarassing things, I would be most grateful.

I'd also like feeback on the user interface and general usability.
Thanks in advance

 

[Telkomisaloser]

http://www.fishwisepro.com/breakthis

I would redirect this to the main page or have a error message containing the homepage of the site

 

[Telkomisaloser]

Another suggestion.... change the email address to fishwisepro (at) gmail (dot) com


Should cut down the spam a lot

 

[guest2013-1]

ok I broke in. what do I win?

 

[Telkomisaloser]

ok I broke in. what do I win?

The internets

 

[Kloon]

http://www.fishwisepro.com/SalesOrders/Delete.aspx Server error is broken right?

 

[FarligOpptreden]

"The DELETE statement conflicted with the REFERENCE constraint "FK_OrderDetail_SalesOrder". The conflict occurred in database "FishWisePro_91202", table "dbrderDetail", column 'OrderId'.

The statement has been terminated."

 

[Reelix]

Let me see....

OS: Windows Server 2008
Software: WWW Server/1.1
IP: 66.226.20.176
FTP Server: Exists (Unknown Software)
.NET Version: 2.0
Language Coded In: VB.NET

Problems:

1.) http://www.fishwisepro.com/.aspx - No 404 Page

2.)

http://www.fishwisepro.com/Products/
http://www.fishwisepro.com/Categories/
http://www.fishwisepro.com/Customers/
http://www.fishwisepro.com/Employees/
http://www.fishwisepro.com/OrderDetails/
http://www.fishwisepro.com/SalesOrders/
http://www.fishwisepro.com/Shippers/
http://www.fishwisepro.com/Suppliers/
http://www.fishwisepro.com/Images/

Need to hide that...

3.) http://validator.w3.org/check?uri=h...(detect+automatically)&doctype=Inline&group=0

Fails w3 validation.

4.) Found 59 other domains hosted on the same web server?

but if you find any security flaws I'd really like to know.

No chance... If you cannot prove it's your own server, I'm not hacking it :<


- Edit -

Farlig: Where on earth did you find somewhere to execute a SQL Statement? Auto-Spider? (Mini Edit: Nevermind )

- Edit 2 -

http://www.fishwisepro.com/ScriptResource.axd?d=moo

Epic Fail!

- Edit 3 -

And another

http://www.fishwisepro.com/WebResource.axd?d=moo2

- Edit 4 -

http://www.fishwisepro.com/Products/List.aspx?CategoryId=moo3

- Edit 5 -

Value was either too large or too small for an Int32. (Changing the Product ID too high)

 

[JHatman]

Tempted to have a go but not sure what alarm bells I'll trigger off on our work servers!

 

[Reelix]

JHatman: See number 4 of my previous post - It's more the alarms on their servers you should be worried about...

 

[Bizkit87]

Can you break my web site? Go ahead

Apparently.... YES they can!

OP, have a look at this : http://uitest.com/en/analysis/

and
14 tools you can use to improve your website (FREE!!): http://www.conversion-rate-experts.com/articles/understanding-your-visitors/

 

[donn_edwards]

Guys, this feedback is awesome.

I'm not sure what to make of some of these errors, but you have given me plenty to work on.

FWIW, the site is hosted by www.webhost4life.com in the USA

 

[Dude111]

Quite an interesting layout bud!!

Good luck when you finally go FULL THROTTLE

 

[donn_edwards]

http://www.fishwisepro.com/Products/
http://www.fishwisepro.com/Categories/
http://www.fishwisepro.com/Customers/
http://www.fishwisepro.com/Employees/
http://www.fishwisepro.com/OrderDetails/
http://www.fishwisepro.com/SalesOrders/
http://www.fishwisepro.com/Shippers/
http://www.fishwisepro.com/Suppliers/
http://www.fishwisepro.com/Images/

Fixed.

http://www.fishwisepro.com/Products/List.aspx?CategoryId=moo3

- Edit 5 -

Value was either too large or too small for an Int32. (Changing the Product ID too high)

I should have seen that one!

I can see I have more work to do, and much to learn, especially about error messages. You guys are awesome.

 

[Raithlin]

I got into the data section without using admin. A word of advice: Don't use inline queries!!! Especially on login screens!!

[EDIT} It doesn't seem like much, but I was able to get into your data section (readonly access), and could browse around to my heart's content...

 

[donn_edwards]

I got into the data section without using admin. A word of advice: Don't use inline queries!!! Especially on login screens!!

It doesn't seem like much, but I was able to get into your data section (readonly access), and could browse around to my heart's content...

The data section is supposed to be open to everyone, but with read-only access. If you login with the right credentials then you can edit the data.

As far as I can tell there are no inline queries on the login screen. The only parameters being passed around the site relate to filtering the data, and apart from the obvious blunder (above) where nonsense data crashes the page, I don't see any security risk in adding to the data filter.

 

[FarligOpptreden]

I got into the data section without using admin. A word of advice: Don't use inline queries!!! Especially on login screens!!

[EDIT} It doesn't seem like much, but I was able to get into your data section (readonly access), and could browse around to my heart's content...

You got read only access? I was able to perform deletes on the data!

 

[Raithlin]

The data section is supposed to be open to everyone, but with read-only access. If you login with the right credentials then you can edit the data.

As far as I can tell there are no inline queries on the login screen. The only parameters being passed around the site relate to filtering the data, and apart from the obvious blunder (above) where nonsense data crashes the page, I don't see any security risk in adding to the data filter.

That's the point. I logged in using bogus data, as follows:

User:

' and 1=1;

Password:

test

Look, if you want I can make it more vicious, like deleting your user table, to make my point. I figured that wouldn't be necessary though...

EDIT: Ok, so it appears I got all upset over nothing. Well done. I wasn't able to delete stuff . However, the fact remains that if I type in test@test as username and password, I get invalid login. If I type in as above, I get in. Readonly, but in.

 

[rtzouves]

That's the point. I logged in using bogus data, as follows:

User:

' and 1=1;

Password:

test

Look, if you want I can make it more vicious, like deleting your user table, to make my point. I figured that wouldn't be necessary though...

EDIT: Ok, so it appears I got all upset over nothing. Well done. I wasn't able to delete stuff . However, the fact remains that if I type in test@test as username and password, I get invalid login. If I type in as above, I get in. Readonly, but in.

For interest sake you could place absolutely anything in the username and password fields and it will log you in with no editing rights.

i got in using the following:

Username: lookiamauser

Password: uhmidontknow

 

[fxit_man]

For interest sake you could place absolutely anything in the username and password fields and it will log you in with no editing rights.

i got in using the following:

Username: lookiamauser

Password: uhmidontknow

Provided that it's >= 5 characters then yeah it seems.