MakeWebGames

Secure Dropdowns


sniko


It has come to my attention, whilst procrastinating, that some games, the ones I tested anyway, are still vulnerable to form editing, and to being able to make what I call 'blanks'.

For example, I've done this on some sites (I apologize in advance, but I had to test, put the word out, and help you become aware). I can do this, and so can many others, just by using their brains.

Anyway, I'm unsure if I can post the process of how I do it on here, so I won't.

I think this vulnerability came to light a while back, but was never really addressed? Correct me if I am wrong.

 

  1. Stop people from having blank names
  2. Stop people from having no gender

 

Open up preferences.php and find the following function.

(On a game I tested, it had a hidden form input with the gender placed as the value. I simply replaced this value with something which is not in the ENUM, thus having no gender.)

If your gender change function isn't something like the following, replace it.


 

Now to address the name 'blank'

If you put   or a UNIX command as your new name, it'll return a blank.

So, find the do_name_change() function, and ensure the following:

On the new name input variable:

  1. You've used htmlentities.
  2. You've ensured that the input is more than x chars and less than x chars.
  3. You've used trim.
  4. You've (optionally) filtered down so HTML special codes aren't available to use.

 

Secure your dropdowns!

  1. You've stored the available options in an array.
  2. You've generated the options in some sort of loop.
  3. You've checked the input is in the array.

 

That's about it. All that I've gathered from procrastinating.
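The name and dropdown checks listed above, worked through as one preferences handler. This is an added example, not sniko's code or any game's preferences.php; the `$db` mysqli connection, the `users` table and column names, the `$_SESSION['userid']` key, the 3 to 20 character limits and the alphanumeric whitelist are all assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a mysqli connection in $db, a users
// table with an ENUM('Male','Female') gender column, and $_SESSION['userid'].

// 1. One array holds the allowed dropdown values; the form and the check both use it.
const GENDERS = ['Male', 'Female'];

// 2. Build the <option> tags from the array rather than hand-typing them.
function gender_options(string $current): string
{
    $html = '';
    foreach (GENDERS as $g) {
        $safe = htmlspecialchars($g, ENT_QUOTES, 'UTF-8');
        $sel  = ($g === $current) ? ' selected' : '';
        $html .= "<option value=\"$safe\"$sel>$safe</option>\n";
    }
    return $html;
}

// 3. Accept only a value from the array. In non-strict MySQL an unknown ENUM value
//    is stored as '', which is exactly the "no gender" blank described in the post.
function validate_gender(?string $input): ?string
{
    return in_array($input, GENDERS, true) ? $input : null;
}

// Name handling: normalise whitespace (trim() alone leaves U+00A0 in place),
// enforce length, restrict the character set, then escape with htmlentities.
function validate_name(?string $input, int $min = 3, int $max = 20): ?string
{
    $name = preg_replace('/[\s\x{00A0}]+/u', ' ', (string) $input);
    $name = trim($name);
    $len  = mb_strlen($name, 'UTF-8');
    if ($len < $min || $len > $max) {
        return null;                    // too short (including empty) or too long
    }
    if (!preg_match('/^[A-Za-z0-9_ ]+$/', $name)) {
        return null;                    // no HTML, entities or shell metacharacters
    }
    return htmlentities($name, ENT_QUOTES, 'UTF-8');
}

// Handler: reject before touching the database; bind parameters, never interpolate.
$gender = validate_gender($_POST['gender'] ?? null);
$name   = validate_name($_POST['name'] ?? null);
if ($gender === null || $name === null) {
    exit('Invalid input.');
}
$stmt = $db->prepare('UPDATE users SET gender = ?, username = ? WHERE userid = ?');
$stmt->bind_param('ssi', $gender, $name, $_SESSION['userid']);
$stmt->execute();
```

Because the same GENDERS array drives both the rendered dropdown and the server-side check, editing the hidden field or the option value in the browser's developer tools only ever produces a rejected request.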


Here are two more examples of what you probably shouldn't do.

Note: Both are harmless, providing you're validating your input (not done in the examples).


There are so many more, some need a little more in-depth explanation, even one that stupid me only just recently came to notice (thanks ex-member. ;D)

As for the process, if you wish to test your own code, download Firebug for FF or Google Chrome's developer tools, and start messing around with your forms' values.

Pro-tip: Also mess around with changing the type of data you're inputting. :)

Edited by Djkanna