what do you think of my login page?


Thanks to Octarine, I learned something new: CSRF or XSRF. For more information: http://en.wikipedia.org/wiki/Cross-site_request_forgery

To make a long story short: if your users are logged in, via session / cookie or whatever, and some external site points an image to your game like

<img src="http://yourgame.com/index.php?cmd=change_pass&new_pass=123456" width="1" height="1">

The browser of your players will actually try to load that image (even if it is not an image), pass the session / cookie over and... actually trigger some actions.

Doing it with a POST instead of a GET? It involves a bit more work, and may not work with a simple image as you need some JavaScript (as far as I'm aware); however, it is also doable.

Now how do you protect yourself from such things? Well, a good option is to check the Referer header and see if it matches your site. If not, the request comes from the outside and should be dropped. Better yet, limit the lifetime of the session / cookie, such that the player is vulnerable only for X minutes (unless he/she browses malicious sites at the same time), or require some sort of password when you do such things.

Honestly, loads of sites (if not most) are partially or completely vulnerable to such an attack, yet it doesn't mean it's easy to set up and actually run, as the attacker has to know your site, and has to find a way to contact the users of your site, for example. Also the impact of such an attack on a game is... not very high.

Is it a high security risk for a game? Answer: I don't think so.

Could something be done to lower the risks further? Sure; however, preventing those kinds of attacks completely is hard. You can certainly try to block some of the easiest things, though.

The other points Octarine made are more important for me, like blocking an account after X failures in X minutes.

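The Referer check mentioned above is only a partial defence (browsers may omit the header), so the usual complement is a per-session token that the forged request cannot know. The following is an added example, not code from this thread or from McCode, showing a synchronizer-token check for the change_pass command; the function names, the csrf_token field and the GAME_HOST constant are assumptions.

```php
<?php
// Added example: CSRF protection for a state-changing game action.
// A cross-site <img> or form can carry the victim's cookie, but it cannot read
// the token stored in the server-side session, so the token check fails.

session_start();

const GAME_HOST = 'yourgame.com';   // assumed host of the game (from the thread's example URL)

// Issue one random token per session and reuse it for every form in that session.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes state (password, money, items...).
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept a state-changing request only if it is a POST, carries the session's
// token, and (when Origin/Referer is sent) comes from our own host.
function csrf_request_is_valid(array $post, array $server, string $host): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                                   // an <img src=...> is always a GET
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;                                   // token missing or wrong
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source !== null && parse_url($source, PHP_URL_HOST) !== $host) {
        return false;                                   // request originated on another site
    }
    return true;
}

// Usage in index.php for the change_pass command discussed above.
if (($_GET['cmd'] ?? '') === 'change_pass') {
    if (!csrf_request_is_valid($_POST, $_SERVER, GAME_HOST)) {
        http_response_code(403);
        exit('Invalid request');
    }
    // ... verify the current password here, then store the new one from $_POST['new_pass'] ...
}
```

The password form itself prints `csrf_field()` inside the form and submits with method="post"; the token is never put in a URL, where it would leak through the Referer header of other sites.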

Indeed, preventing those kinds of attacks completely seems to be relatively hard. On my own code I did quite some work, yet I only hope to have covered all those possible issues. Sometimes you never have enough imagination to cover all holes, or at least I don't.

And I wasn't aware those kinds of attacks have been successfully done on McCode games.


The Zend Certificate doesn't cover any security aspect. It covers purely the language. As I always said, I'm a programmer, not a security expert nor a hacker. Yet I'm also not a McCode owner or developer, so all this McCode world and its possible hacks are unknown to me ;)

You know, computer science is really big; you can't know it all. For example, somebody working with Oracle will not know the SQL Server details, and the same the other way around. An expert in Java will normally not be an expert in C#, or, if you are a Java GUI developer, maybe Servlets and JSP are only basic knowledge. Does that make a Java guru a bad programmer? No, but simply not a good security expert. Usually security and development are two separate things, where you need truly skilled people for security who do basically nothing else than that, and the programmers on the other side. Sure, a piece of software needs to be secured, especially if it goes on the internet, but much software never reaches any public hands and may have completely different design goals.

Even formal training shows huge differences in what you get: Nickson, who is doing system administration and security, is getting all kinds of training to learn the possible (known) attacks, whereas when I did my master's I didn't get even a single course about security. As said, there is simply too much to know, and you can't learn it all. Then it's up to you to focus on the thing you are interested in, but don't think that only one branch of computer science is the most important; that would be a huge mistake ;)


The latest ZCE, but not the one I did, that I can tell you ;) (I did mine in 2006, so 6 years ago, and it was PHP 4.)

The current ZCE does indeed have quite a bit more focus on security (thanks Spudinski for pointing me to the right info; I must admit I hadn't checked it since I did mine), and on OO, which was barely existent at the time I did it.

And does the ZCE tell whether you are a security expert? The answer is again no; you may (now) have some overview, but you are certainly not an expert. To be an expert in the field, you should normally do formal training in that specific field, or at least have some long working experience in the field.

Also, a script on the same site that triggers some hack is for me something different from CSRF, as for me it's more a CSS / XSS attack, and that one was known to me ;)

Finally, I shall add that even if you are an expert, you may as well miss things. I mean, how do you think that even sites like YouTube, Google and Yahoo get hacked otherwise? Don't you think they have full-time security experts working there? Yet there is always some security aspect which has been forgotten, or some new vicious way to bypass the security. One of the well-known and not really fixable issues is the so-called "social engineering":



You can't fix social engineering, as it's your trusted users who are doing the stupid things... you can inform them, yes, but not much more.

SE has nothing to do with the person's intellect, it is a way to manipulate. Like "hacking" a human mind.

One could train them on the techniques the SEs would use to manipulate them, and from that they could make assumptions about whether to trust the other person or not.


As said, the only thing you can do is inform your users. For internal people (inside the company) it's somewhat doable, yet for external people it's nearly impossible, besides sending emails from time to time informing them not to trust anyone XD

Well, it's the general rule of thumb: don't trust anyone.
