I asks this questions not to hack one but to make our sites more secures in case of an attack.

How could this happen?
Is it possible to hack a TBH webiste?

What security risks does the tbh website has?

kherrerab - this is one of my questions too. i've imagined (tho' haven't tried) that it'd be possible to 'flood' post via some automated tool. tho' this wouldn't be hacking as such, it could create a DOS (denial of service) if the action was prolinged enough. to counter this, it would be advisable to cache the sessionid in a hashtable (sessionid, lastactiontime) and whenever a post was made, lookup that sessionid and only allow the post if an elapsed time (say 10-15 seconds or whatever was appropriate) had passed, otherwise, give a message page to this effect. this would also prevent double posts at the same time.

as for other 'exploits', i look fwd to reading opinions/experiences on this, with suggestions thast would 'internally' shore up any such attacks. as present, i haven't discovered any other weak points.

jimi

http://www.originaltalent.com

Code-wise, I'd say TBH is pretty secure. SQL injection is not an issue. I'm not sure about XSS, as my knowledge of that sin't really great, but I'll see if the secure code dude at work can give me some info tomorrow.

I've added a Captcha, and insist that people sign up with a valid E-mail address (by sending them a confirmation link). That way, if some people decide to try and floodpost, I can easily get rid of them, and I'll probably implement something to ban IPs as well (I know some of the potential users are buttmunches with no lives).

A DOS attack can easily be identified as such by your hosting provider. DDOS might be more of a problem, but if they have some decent networking guys, they'll just tweak some settings on the routers.

The weakest link is always your (power users). Just make sure you insist they have strong passwords. Most of the hacks nowadays rely either on vurnerabilities in the platform (IIS in our case), and not specifically on the programming code. Though most hacks occur due to foolish users ;)

Peter

http://entropia-online.blogspot.com/

if you make the ip ban thing maybe you can share it with us.

there is a way for everything so it must be a security hole in the program. Let´s find it before someone else does.

take a look at this one (if you haven't seen it already)

http://www.angrypets.com/tools/rdos/

quite a neat non-invasive tool for combating spammers

jimi

http://www.originaltalent.com

Well. I have the captcha in place... (Give it a go at my site if you want... If you'd be friendly enough to include the word WROX as a start of your secret question, so I'll be able to recognise you just tested, and aren't a user intending to stick around, that'd be great). The only reason I'm not sharing the code is that Jim hinted Marco will be including Captchas in the next version, and if I'd just post the code here, that'd kind of shoot Marco in the foot.

Other ways to keep things user-friendly would be generating a question that's easy for people to answer. I.e. "How much is a dozen?". "What's the last name of the giant ape called King?", or in the case of (for instance) the opera site, questions about Opera (Who composed Aida?), etc.

By the way, even IP bans won't suffice, I'm afraid. There's always anonimizers, proxies, etc. And if someone is determined enough, they will be able to cause trouble. Unfortunately every single restriction against these dingleberries you implement might potentially hurt real customers. (captchas might be hard for visually impaired people, ip-bans might affect innocent people surfing from the same network, etc).

Peter



http://entropia-online.blogspot.com/