MakeWebGames

SHPXLBH

Members
  • Posts

    26
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by SHPXLBH

  1. Your [noparse][/noparse] tags are insecure. With some click bait, someone can easily do whatever they wanted. Like hijack a session.
  2. A point to note: PDO isn't inherently secure. You still need to take the appropriate actions by binding your parameters.
  3. Can I point out that someone can do whatever they like with this. Like; give themselves unlimited money, unlimited crystals, make themselves admin, put everyone in hospital, and so much more damage (basically do whatever they want with the users table). Now the above has been mentioned, let's refactor! We know each input must apply to one rule: values must be numerical (as item ids are numerical). With this, we can do a simple sanitise.

     function do_item_change()
     {
         global $db, $userid;
         // Maybe check they have this item in their inventory... or is this done when they use it on each page?
         // Force each posted id to an integer; non-numeric input becomes 0.
         $_POST['healitem'] = (int) sprintf("%u", $_POST['healitem']);
         $_POST['fooditem'] = (int) sprintf("%u", $_POST['fooditem']);
         $_POST['jailitem'] = (int) sprintf("%u", $_POST['jailitem']);
         $db->query("UPDATE users SET heal_item=" . $_POST['healitem'] . ", feed_item=" . $_POST['fooditem'] . ", jail_item=" . $_POST['jailitem'] . " WHERE userid=" . $userid);
         print "Items changed"; // Maybe put this in a nice div?
     }

     An example of input and various techniques to sanitise input: https://eval.in/238625
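The same item-change update written the way posts 2 and 3 recommend (validate, then bind through PDO), as an added example that is not the poster's code or the McCodes engine's: it runs against an in-memory SQLite database (assumes the pdo_sqlite extension), and the users columns are assumed to match the post above.

```php
<?php
// Added example, not the original poster's code: the item-change update with
// each id validated and then bound through a PDO prepared statement, so the
// posted values never become part of the SQL text. Uses an in-memory SQLite
// database (assumes pdo_sqlite); the users table is assumed from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER,
           heal_item INTEGER, feed_item INTEGER, jail_item INTEGER)');
$db->exec('INSERT INTO users VALUES (7, 100, 0, 0, 0)');

// Item ids are small non-negative integers; anything else maps to 0 (no item).
function item_id(array $post, string $key): int
{
    $v = $post[$key] ?? '';
    return (is_string($v) && preg_match('/^\d{1,9}$/', $v)) ? (int) $v : 0;
}

function do_item_change(PDO $db, int $userid, array $post): void
{
    $stmt = $db->prepare('UPDATE users SET heal_item = :heal, feed_item = :feed,
                          jail_item = :jail WHERE userid = :uid');
    $stmt->bindValue(':heal', item_id($post, 'healitem'), PDO::PARAM_INT);
    $stmt->bindValue(':feed', item_id($post, 'fooditem'), PDO::PARAM_INT);
    $stmt->bindValue(':jail', item_id($post, 'jailitem'), PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
}

function user_row(PDO $db, int $userid): array
{
    $stmt = $db->prepare('SELECT money, heal_item, feed_item, jail_item
                          FROM users WHERE userid = :uid');
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed hostile input: a tail the string-built query would have executed.
$hostile = ['healitem' => '1, money=999999999 --', 'fooditem' => '2', 'jailitem' => '-3'];
do_item_change($db, 7, $hostile);
print_r(user_row($db, 7));
```

Only the well-formed value (fooditem) is stored; the other two fall back to 0 and the money column is untouched, because the bound parameters are data rather than SQL.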
  4. Put the IPN listener script in the notify_url. Also, having all accounts to one paypal account (even if you use multiple email addresses to access that one wallet), if one user complains or whatever and your account gets suspended, you've stopped revenue 5 times, rather than the one. Spread the risk over 5 different wallets, or be savvy with a TOS, and log transactions to cover yourself should a user try and get a refund and suspend your account.
  5. Never understood why you'd label a menu, unless you're at a restaurant. The game looks promising though, gl!
  6. I can't wait for the movie. It's words being chucked at each other with no evidence. Take it to PM and channel everything through me; I'd like a good laugh.
  7. (: TOPMOBBSS
  8. Hello MakeWebGames. Over the course of my short lifetime, I've defaced, hacked, pissed off, annoyed many game owners and users. Here is my retirement.

     The exploits

     The exploits exist in a lot of popular game engines (some not to the extent of others; but most are present). I'm not posting this for you to use. I'm posting this for you to secure your game. Although I've been a real piece of ****, I don't recommend you do the same. If I get a slight sniff of you using the following exploits on other games for your own benefit, you'll see my full force. I've eyes and ears everywhere.

     Basic exploits

     Basic exploits are very basic, but they exist on pretty much every game engine (listed on MakeWebGames). It allows you to append multiple CSS properties to a BBCode tag, effectively defacing pages. I've used this on multiple games, and it's been pretty fun. An example of defacement is using the [noparse][/noparse] tag.

     [color=red;background:black;position:fixed;top:0;left;0;width:100%;height:100%;]You've just been defaced.[/color]

     Why do a greedy match when we just want to accept a hex colour code, right? (https://regex101.com/r/jU0uM7/1) Let's change the current color tag bbcode match to just match a hexadecimal colour value. (https://regex101.com/r/jU0uM7/4) It's a simple whitelisted character set. Because hexadecimal colour values are a maximum of 6 characters, and HEX only has values 0-F, we can do a character set.

     \[color=(#[0-9A-F]{3,6})\](.*?)\[\/color\]

     This would make our PHP preg_replace become:

     preg_replace("/\[color=(#[0-9A-F]{3,6})\](.*?)\[\/color\]/", "<span style=\"color:$1\">$2</span>", $input);

     Game-killing exploits

     Many games use the greedy regular expression match (.+?) within their bbcode tag. An excerpt from the McCodes bbcode engine:

     $this->engine->cust_tag("/\[img=(.+?)\]/ie", "check_image('\\1')");

     Lovely. The img tag is extremely exploitable. For most tags, it's a simple brain quiz on deciding a whitelist, or possibly blacklist, of characters to match. I'll show you only a few. We can bring up a pop-up box with the image tag exploit, by using onerror, onload, on*. It's simple.

     [img=1.jpg" onerror="alert('eXpLoIt')] // No need to end the ". The BBCode engine is nice enough to close this for us.

     Now, let's secure this. We can change your regular expression match to (for the img tag):

     \[img\]([a-zA-Z0-9-_]+\.(jpg|gif|png|jpeg))\[\/img\] // https://regex101.com/r/sC5tW5/1

     This will give us a callback opportunity to validate the image itself (although, theoretically we don't need to do this, unless we display any EXIF data on the image, or the image comes with a JavaScript payload embedded within it.)

     $output = preg_replace_callback("/\[img\]([a-zA-Z0-9-_]+\.(jpg|gif|png|jpeg))\[\/img\]/", function ($matches) {
         // Do checks on the image here
         // Look at exif data
         // Grab image size and validate that
         // Validate the extension
         // etc...
         $everything_is_ok = true; // replace with the combined result of the checks above
         if ($everything_is_ok) {
             return "<img src='" . $matches[1] . "' />"; // Valid image
         } else {
             return "<img src='placeholder.jpg' />"; // Invalid image. Use a placeholder or don't do anything. Up to you.
         }
     }, $input);

     Nice, img tag is now secured. Here's a list of tag fixes I have done. I've just written these and I don't have any bbcode engines with me at the moment, but at least you get the idea ;)

     • Image tag bbcode fix
     • Color tag bbcode fix
     • Font family tag bbcode fix
     • Size tag bbcode fix

     Will update. Just PM me your bbcode engines, and I'll see if they're exploitable. Now that the BBCode exploits are out of the way, let's discuss other exploits.

     "Blackmail"

     You may be thinking, zomfg you can't do that, giving people their personal information is bad! No. Their personal information is free to read on the internet. They (the user) made it that way. I, earlier today, found someone's whole life on the internet. Their name, social profiles, everything. It was simple, I just reverse image searched their in-game profile picture, and boom. Everything... every piece of information was given to me just from that one image. Try not to let that be you.

     Session hijacking

     Although this is part of the BBCode exploit, you should really:
     • Bind the session_id(); to the user's IP. From all the games I experimented on, only one did this. Kudos [MENTION=70303]Hybridd[/MENTION] (surprisingly).
     • Potentially bind the user agent to the session_id();
     • Do the two above and patch your bbcode as detailed above

     I managed to hijack a bunch of accounts on a game and they were none the wiser until I told them, and started chatting in the chat as them. It was funny. :)

     SQL Injections

     This is a good read

     CSRF

     I believe the newest McCodes release has a built-in system to help prevent CSRF. However a good test is to set your display picture to http://gameurl.com/logout.php and see if it logs you out. This is a good read: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

     Notes

     Total games owned: ~20
     Here's some images showing the exploit on some games: http://imgur.com/a/O5cdX
     I mostly checked if I could do the exploit, and if I could, I removed it and told staff. Some of which I didn't, but the staff pissed me off by spamming previous projects of mine.

     Some good reads

     Exploiting StreetMafia: http://makewebgames.io/showthread.php/45259-Security
     Exploiting ReakCity: http://makewebgames.io/showthread.php/45245-Dear-Hybridd?p=307603&viewfull=1#post307603
     Exploiting ChaoticWars: http://makewebgames.io/showthread.php/45290-Awesome-RPG-Game-You-All-Should-Try-Out!?p=307883&viewfull=1#post307883

     TOPMOBBSS
     PM me your game link if you wish for a penetration test ( ͡° ͜ʖ ͡°)
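A whitelist-based renderer for the two tags the post above walks through (the color tag and the img tag), as an added example rather than the poster's code or any game engine's: the post is HTML-escaped first, then only strict patterns are turned into markup, and both payloads quoted in the post are fed through it to show they stay literal text. The /images/ directory and the allow-list of known file names are constructed for the example.

```php
<?php
// Added example, not the original poster's code or any game engine's: a
// minimal renderer for the two tags discussed above. The whole post is
// HTML-escaped first, then only inputs matching a strict whitelist pattern
// become markup, so a tag that does not match stays harmless literal text.
// The /images/ directory and the $known_images allow-list are constructed.
function render_bbcode(string $input, array $known_images): string
{
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // [color=#rgb] or [color=#rrggbb]: exactly 3 or 6 hex digits, nothing else,
    // so no extra CSS properties can be appended inside the style attribute.
    $out = preg_replace(
        '/\[color=(#(?:[0-9a-f]{3}|[0-9a-f]{6}))\](.*?)\[\/color\]/is',
        '<span style="color:$1">$2</span>',
        $out
    );

    // [img]name.ext[/img]: a bare file name with an image extension, served
    // from a fixed directory; the callback checks it against the allow-list.
    $out = preg_replace_callback(
        '/\[img\]([a-z0-9_-]+\.(?:jpe?g|gif|png))\[\/img\]/i',
        function (array $m) use ($known_images): string {
            $file = in_array($m[1], $known_images, true) ? $m[1] : 'placeholder.jpg';
            return '<img src="/images/' . $file . '" alt="">';
        },
        $out
    );
    return $out;
}

// Constructed inputs: a legitimate post, an unknown image, then the two
// payloads quoted in the post above.
$known = ['avatar.png', 'placeholder.jpg'];
$cases = [
    '[color=#ff0000]hello[/color] [img]avatar.png[/img]',
    '[img]missing.png[/img]',
    '[color=red;background:black;position:fixed;top:0;left;0;width:100%;height:100%;]You\'ve just been defaced.[/color]',
    '[img=1.jpg" onerror="alert(\'eXpLoIt\')]',
];
foreach ($cases as $case) {
    echo render_bbcode($case, $known), "\n";
}
```

The first case renders a span and an img, the second falls back to the placeholder, and the last two come out as escaped text because neither matches the whitelist pattern, which is the property the post's regex changes are after.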
  9. Yes. A much easier way. I'll give you a hint:

     <?php
     $a = array();
     for ($x = 0; $x <= 10; $x++) {
         $a[$x] = array();
         for ($y = 0; $y <= 10; $y++) {
             $a[$x][$y] = '';
         }
     }
     $my_x = 5;
     $my_y = 2;
     $a[$my_x][$my_y] = 'HERE I AM';
     print_r($a);

     Arrays are your friend. No need to have 100 unique variables.
  10. • User profiles don't validate or sanitise input
      • Still using eregi, which is deprecated
      • PHP errors show on screen
      • Able to deface profiles
      • Able to hijack traffic resulting in session hijacking, via XSS

      All that, and I am needing to point out that the use of iframe makes UX a 0/10; plus free hosting? No thanks.
  11. It's a shame the whole game is full of security holes. Don't worry your socks; I'm not going all out. Just a simple test and I've notified staff.

      What I could have done:
      • Diverted all traffic to a server I own somewhere in the world, and hijack their session. I'll have free reign over their account. Even if they change their password, I'll still be in
        • Send items to other accounts
        • Send money to other accounts
        • Blah blah blah
      • Get into a staff account and execute any server side code I wanted via crime exploit
        • Give me any item in the game
        • Make me max level
        • Give me max stats
        • Blah blah blah
      • Deface my profile
      • Deface forum topics (2 ways I can do this)
  12. PHPMailer and (IIRC) SwiftMailer classes have the functionality to read and write from Mailboxes; shouldn't be too hard to create a simple UI that adopts one of these classes
  13. > If you decide to purchase any in game credits or points, please do so at own risk. If I were to give you money, I'd expect no risk involved. Are you trying to deter money coming your way?! [MENTION=69001]Zettieee[/MENTION] - what are the main exploits?
  14. SHPXLBH

    Security.

    The end. So I toyed with him, with them. It was fun. Some saw the humour, some didn't. I'm not God... but I'd like to be. For 3 days the owner (Mr-Killer) was ignoring me, so I had to run a few demonstrations which involved; hi-jacking regular players' accounts, hi-jacking staff accounts, wiping the DOM, bringing alert boxes up everywhere. It was fun. My only request was that he was to be polite, and I'd secure the BBCode parser for him. He wasn't. So I toyed with him some more. I handed him the candy to sort it; let's see how he does second time round ;) In the screenshots below, I am TOP MOBBS - I've built quite the name for myself over there by the way :) Previously, he said in the in-game chat that he'd open the IRC channel up to the users. Two tried to join, but he banned them straight away without a reason. I asked him to apologise, he wouldn't, so I wouldn't spoon feed him with the candy I just gave him (Wow, that sounds wrong!) [ATTACH]1742[/ATTACH] [ATTACH=CONFIG]1743[/ATTACH] The BBCode Engine is using a lazy match for each tag. That means you can abuse each and every tag. I generally went after [noparse][/img][/noparse]. But there are about 30 different tags to exploit. P.S - Do not enable the RC BBCode engine unless you've secured it.
  15. SHPXLBH

    Security.

    The site referenced in the first picture. I've managed to hijack an administrator account after he said I couldn't (even from looking at the previous 'attack', he doubted the security holes). We're on /good/ terms. I only changed his name so he'd believe me. Then I hijacked his account various other times, and a few other accounts too. We're talking terms at the moment as I'd like something in return for my efforts. I've been told by numerous players that Joker is the admin of other sites (no urls given), a player on street mafia (although they retracted their accusation after analysing the wording used - English isn't his first language), and Joker used to be either ID 1 or ID 42 (accused from ID 42), or ID 167. All accounts are staff - 2 of which are admins. I've also been told (and I've not verified this information), that ID 1 scams donation money until the game dies and throws up a new game sometime after. [ATTACH=CONFIG]1738[/ATTACH] My request to be met so I'll patch the security holes has been denied. I've removed the XSS to take over accounts, however this is still around. (It's harmless, just wipes the DOM and logs them out) Update: Request has been met. [ATTACH=CONFIG]1741[/ATTACH] [ATTACH=CONFIG]1739[/ATTACH] [ATTACH=CONFIG]1740[/ATTACH]
  16. SHPXLBH

    Security.

    Another one bites the dust. I was sent this. So, I did this. They'd be then redirected to my forum post and the DOM completely wiped with this replacing the page. They will be automatically logged out, so the non-leejun will think they've been hijacked. Also, once they've fixed their MySQL socket for forums, it'll rate up my security thread as usual. I could have done the following: Hijacked anybody's account; Made everyone attack anybody randomly; Made everyone send me stuff; Other stuff... pretty much anything. To game owners: Don't spam. Don't encourage spam. Ban those that do spam. P.S. If you're planning on using RC, don't put it live until you've secured it.
  17. hehehehehehheehehe @OP - Nice game, although the graphics need a little more... sharpness. Will investigate security when I get a free moment :D   I didn't. The game owner decided to delete everything after I gave him an ultimatum.
  18. SHPXLBH

    Dear Hybridd

    Almost there. Just needs to be in a new thread accompanied by 3 pictures.
  19. SHPXLBH

    Dear Hybridd

    I meant if [MENTION=70303]Hybridd[/MENTION] made the 3 picture shoe selfie thread :)   echo str_rot13('SHPXLBH');
  20. SHPXLBH

    Dear Hybridd

    You make that 3 picture shoe selfie thread, I will step up.   echo str_rot13('SHPXLBH');
  21. SHPXLBH

    Dear Hybridd

    Then prepare for the next wave.   echo str_rot13('SHPXLBH');
  22. SHPXLBH

    Dear Hybridd

      No. 3 selfies with a shoe on your head else this won't be the end. You're only apologising because there were consequences to your actions that you were not ready for. Now, publicly shame yourself, like you shamed your product.   echo str_rot13('SHPXLBH');
  23. SHPXLBH

    Dear Hybridd

    Make a new thread with 3 pictures of shoe on head, apologising to all games you've spammed. Those are my demands.   echo str_rot13('SHPXLBH');
  24. SHPXLBH

    Dear Hybridd

    The text-based game community is dying. He's squeezing out the last life for financial gain from others' hard work. There are no more chances [MENTION=50378]Guest[/MENTION]. No more chances. A simple XSS attack. Simple. But effective. So, what have I done? Here's the pudding, then I'll get to the juice ;) So, when you go to my profile, you'll be greeted with some nice popups. Then, after they're done, you'll be automatically redirected to my forum post. Then, (and sending your bank info is completely optional, the following will happen anyway), the entire DOM will be wiped, and replaced with: That's right. 10 ****ing hours of entertaining your users. (Probably more entertaining than your lame piece of product you spammed games with) Before you try and monetise something, steal someone's hard work, and be a complete douche; remember one thing: make sure your product is far superior to the spam target. I've shown that yours is not. And here's the juice. Every time someone loads anything on the forum that I've posted on, they'll rate my topic up regarding your insecurities. What I could have done: I could have waited until you logged in, hijacked your session with a simple lure, and totally and royally ****ed up your game. The three options [MENTION=50378]Guest[/MENTION] gave you. Royally ****ed with your users. Made everyone who visited my profile attack one another randomly. Made everyone who visited my profile send me cash. Probably a lot more... Hybrid. Change your ways. Make a public apology. And put in some hard work to your product. Never spam games. I'll be watching, in the shadows. Waiting. Waiting for history to repeat itself. Once it does, we'll be there with our weapons ready. No mercy. You've been warned. echo str_rot13('SHPXLBH'); // [MENTION=50378]Guest[/MENTION], I believe you haz big pen0r