Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
FSG's Master Security Hacked!
Posted by: fragge
Date: March 17, 2008 11:34PM

And here's their insanely well secured login script (written in JS, there is no PHP for these wily con-artists):

<script language="javascript">
<!--//
/* This script allows people to enter by using a form that asks for a
   UserID and Password. Both values and the destination URL are sent to
   every visitor as part of the page source. */
function pasuser(form) {
    if (form.id.value == "Agent") {
        if (form.pass.value == "fsg2008") {
            // "Authentication" is just a client-side redirect
            location = "http://officers.federalsuppliers.com/agents.html"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
//-->
</script>

Full story here (funny): http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx

Re: FSG's Master Security Hacked!
Posted by: Malkav
Date: March 18, 2008 03:47AM

oh someone has been parsing worsethanfailure :)

let's take advantage of the backlinking

<paranoia>
NEVER, EVER, UNDER ANY CIRCUMSTANCE, RELY ON CLIENT-SIDE AUTHENTICATION.

you do not trust your users; they want to taint your input, overflow your buffers, XSS your unvalidated forms, inject random things into your database requests, AND EAT YOUR SANDWICH.

users are evil. treat 'em like they deserve.
</paranoia>

trusting user-side operation for any security check is like asking bubba the gangsta to check if the jail's doors are closed.

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: FSG's Master Security Hacked!
Posted by: thrill
Date: March 18, 2008 12:00PM

Wow.. what a great way to start my day.. hahahhahaha!!!

It reminds me how in the old days usernames and passwords were hard coded into C programs, and of course, all you had to do was view the program with some sort of hex viewer (or 'strings program.exe | less' in unix), and 99% of the time both were in clear text..

Security through obscurity, alive and well in 2008! yay!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
