boionfire81

secure it!


So, for those of you, like me, who are not sure about XSS, here's the cheat sheet to test your script!

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Click controls to see the filters and security options for them as well.

And when in doubt just block em out!

I check my awstats regularly to find out some important info on my visitors. First, the referer. Don't know the referer? Google them. If they come off spammy, block that referer (.htaccess if nothing else). Had a recent injection? View your latest visitors to that specific page (assuming you know where the injection came from). Filter through the IPs, and whois them. Then decide if you want to CIDR or simply block that single IP. And do not forget to block AWS (Amazon Web Services). They are mutterfutters for real! Amazon sells various crawlers (like search engine crawlers) that basically let someone crawl anonymously as a test drive.

Amazon full CIDR list as published by Amazon at http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
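The "block that single IP or the whole CIDR" step above, done in PHP instead of .htaccess, as an added example (not code from this thread or from McCodes). The blocklist entries and the rule-matching function names are constructed for illustration; the real ranges come from the AWS page linked above.

```php
<?php
// Added example: server-side IPv4 blocklist check equivalent to a Deny rule
// in .htaccess, accepting single IPs or CIDR ranges. Runs before game code.
declare(strict_types=1);

// Constructed sample blocklist (placeholder values, not real AWS ranges).
const BLOCKED = [
    '203.0.113.7',      // a single IP picked out of awstats
    '198.51.100.0/24',  // a whole /24 behind one suspicious referer
    '10.0.0.0/8',       // a large range, as a published CIDR would be
];

/** Returns true when $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/bits"). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input never matches
    }
    // /0 matches everything; otherwise build the mask from the prefix length.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Returns the rule that matched, or null when the visitor is not blocked. */
function blockedBy(string $ip, array $rules = BLOCKED): ?string
{
    foreach ($rules as $rule) {
        if (ipInCidr($ip, $rule)) {
            return $rule;
        }
    }
    return null;
}

// REMOTE_ADDR is filled in by the web server from the TCP connection, so
// unlike the Referer header the client cannot simply edit it (a reverse
// proxy in front of you would change that; then use the proxy's header).
$visitor = $_SERVER['REMOTE_ADDR'] ?? '';
if (($rule = blockedBy($visitor)) !== null) {
    http_response_code(403);
    exit('Blocked by rule ' . $rule);
}
```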

 

First, the referer. Don't know the referer? Google them. If they come off spammy, block that referer (.htaccess if nothing else).

Since this is sent by the client - thus editable by the client - it's not reliable. (Unless, of course, you want to block "spammy" looking referrers which may cause a negative impact on your site).


It's more a matter of not all hackers thinking first to change everything so as not to be tracked. There are several sites like top seo 1 or something. Basically websites that claim to help improve SEO through incoming links. Half the time they are blackhat SEO and highly known for their tactics.

Also, not sure if McCodes recommends this (as I'm sure they don't), but you can actually google for a list of mccode-run websites. So the known and prepared vulnerabilities can be done in an instant. Less time on site looks simply like a bounce back. So, I've kept the license code, but I refuse to be on that google list.

Also iFrame breakers are a good idea. See http://seclab.stanford.edu/websec/fr.../framebust.pdf

Just saying, you block all hackers. Not only the smart ones, but the dumb ones too. Well you know.

1.) Simply by avoiding being on google, you are not going to avoid hackers.

By avoiding being on google you will be decreasing your chances of receiving a user base.

2.) A smart hacker will have already thought to edit anything that can point directly to him/her. Simply trying to block them is not enough. You need to protect your application against XSS. The easiest way to do this is to filter user input, and prevent inputted code from executing. Be careful of areas in your code that print user input as HTML. You need to make sure that the inputted data has been filtered for any malicious code. On a side note: never run PHP's eval() without good reason, and never in a situation that can allow a user to somehow get their own input to be run by it.

3.) Don't just stop at XSS, look into CSRF protection too. Essentially what you are looking for is a way to prevent a user submitting a form from somewhere other than your site or using your form. A token generator is normally enough to suffice. It generates a token for the user for the form they are filling out and then once they submit the server side code checks that a token was sent and that it matches one that was created for a form.

4.) Don't argue with sniko, or he'll find a way to rip you to shreds. He knows what he's talking about and lately seems to like to tear apart people for their misunderstandings.
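Points 2 and 3 of the post above, worked through in PHP as an added example (not code from this thread or from McCodes): a per-form token that is issued on render and checked once on submit, plus HTML-escaping of user input at the point it is printed. Form name, field names and function names are assumed for illustration.

```php
<?php
// Added example: per-form CSRF token (point 3) and escaped output (point 2).
declare(strict_types=1);
session_start();

/** Issue a fresh random token for $form and remember it in the session. */
function csrfToken(string $form): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf'][$form] = $token;
    return $token;
}

/** Check the submitted token against the one issued for $form (single use). */
function csrfCheck(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);              // a token is valid once
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time compare
}

/** Escape untrusted text right before it is printed as HTML. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A form posted from another site (or a replayed one) has no valid token.
    if (!csrfCheck('profile', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or stale; reload the page and try again.');
    }
    $bio = $_POST['bio'] ?? '';
    // ...store $bio with a prepared statement; escape it on every output.
    echo '<p>Saved bio: ' . h($bio) . '</p>';    // a <script> tag in $bio is shown as text, not run
}

// Render the form with its own token; the token value is escaped like any output.
$token = csrfToken('profile');
echo '<form method="post" action="profile.php">'
   . '<input type="hidden" name="csrf" value="' . h($token) . '">'
   . '<textarea name="bio"></textarea>'
   . '<button type="submit">Save</button></form>';
```

The same `h()` wrapper belongs around every echo of user-controlled data (names, messages, URLs), not only this one field.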


Don't get me wrong, SEO is my specialty. I love google. But I do NOT want to be on the serp (search engine result page) for mccode sites. If they search for mccodes and find my site, eff em. I don't need them. Now if they search for "My great game title" and find me, I'm happy.

It's a matter of knowing what keywords are used ya feel me?


How did we go from security to Google research/SEO?

If you don't secure / cleanse user input you're stupid. XSS is rather old and honestly shouldn't work on mccodes 2.0.5b. Unless you're using a mod that isn't secured.


Well, not stupid, just new to mccodes and much of PHP. After the XSS, I researched and found out there is basically a directory of all the mccodes sites on the web through google. I simply said I do not want to be on that target list. :)


I have yet to see such list but I know you can search for words such as MCCodes or Dabomstew in the Google search bar, but that just brings up games that people never really worked on and mostly pirated games.


[...]

Also, not sure if McCodes recommends this (as I'm sure they don't), but you can actually google for a list of mccode-run websites. So the known and prepared vulnerabilities can be done in an instant. Less time on site looks simply like a bounce back. So, I've kept the license code, but I refuse to be on that google list.

[...]

Sure you can search specific terms to bring up likely McCodes games, but that only delays a potential malicious user for x amount of time. When your user base grows, word of mouth will reach some malicious users and they'll try something.

By not growing your search engine ranking, you're doing more harm than good - you're delaying growth. For the single "downside" (which you don't even have to worry about if you've secured your application at code and server level), you're being way too paranoid.

 

4.) Don't argue with sniko, or he'll find a way to rip you to shreds. He knows what he's talking about and lately seems to like to tear apart people for their misunderstandings.

haha, oh. :$


Ok, let me try to explain the idea behind keywords. If you search mccodes there is currently in the US an average of 110 searches per month. If you search rpg online there are currently 60500 searches per month.

What are the pros and cons?

Pros of being listed in the serps for BOTH mccodes & rpg online = a total of 60610 serp views (based on proximity).

Cons - being listed for mccodes can draw potential hackers. While simply removing the mccodes word from the site will reduce 110 possible "finds", it could also end you up on the black ball list, i.e. never being seen in Google again. No b.s. there: Google's blacklist can take years to resolve even if in your favor.

Oh yeah, you CAN be listed for rpg online while NOT being listed for mccodes (if you KNOW what you're doing).

Bro, I have done SEO, not SEM, for years and years on a global and local scale.

Please, let it be before you are ripped to shreds on a subject you are unaware of.

You may be smarter about PHP and security (even though you SEEM to insist some hackers trying out your website is ok). BUT SEO is all me bro.

Ok, let me try to explain the idea behind keywords. If you search mccodes there is currently in the US an average of 110 searches per month. If you search rpg online there are currently 60500 searches per month.

What are the pros and cons?

Pros of being listed in the serps for BOTH mccodes & rpg online = a total of 60610 serp views (based on proximity).

Cons - being listed for mccodes can draw potential hackers. While simply removing the mccodes word from the site will reduce 110 possible "finds", it could also end you up on the black ball list, i.e. never being seen in Google again. No b.s. there: Google's blacklist can take years to resolve even if in your favor.

Oh yeah, you CAN be listed for rpg online while NOT being listed for mccodes (if you KNOW what you're doing).

Bro, I have done SEO, not SEM, for years and years on a global and local scale.

Please, let it be before you are ripped to shreds on a subject you are unaware of.

You may be smarter about PHP and security (even though you SEEM to insist some hackers trying out your website is ok). BUT SEO is all me bro.

Um.. You do realise that Google uses more than just keywords to rank websites?

It scans the content on the pages, it scans all content it can get access to. It'll try to match some of that content to the search string.

That's why if you search "powered by codes from dabomstew". A lot of Mccodes games come up, despite not having it in a meta tag for keywords. It also checks if the site is compatible on mobiles. It scans the title of the website too. When I search Mccodes, not a single game appears on the first 2 pages. Powered by codes from dabomstew gives me a lot of games. That line is at the bottom of the page. I wouldn't call it a keyword.

Granted I don't know a lot about SEO, but from experience it won't matter.

Also, you don't want to limit your search results, despite it possibly opening it up to potential hackers.

If your game is secure you have nothing to worry about. It doesn't take much to secure the game. A hacker can even be beneficial. Not all hackers are bad people. Some do it to help improve security. A man found a bug with the PayPal site, took screenshots and reported it.

If a hacker hacks your site then the fault is in lack of security, not in search engine presence.

Ok, let me try to explain the idea behind keywords. If you search mccodes there is currently in the US an average of 110 searches per month. If you search rpg online there are currently 60500 searches per month.

What are the pros and cons?

Pros of being listed in the serps for BOTH mccodes & rpg online = a total of 60610 serp views (based on proximity).

Cons - being listed for mccodes can draw potential hackers. While simply removing the mccodes word from the site will reduce 110 possible "finds", it could also end you up on the black ball list, i.e. never being seen in Google again. No b.s. there: Google's blacklist can take years to resolve even if in your favor.

Oh yeah, you CAN be listed for rpg online while NOT being listed for mccodes (if you KNOW what you're doing).

Bro, I have done SEO, not SEM, for years and years on a global and local scale.

Please, let it be before you are ripped to shreds on a subject you are unaware of.

You may be smarter about PHP and security (even though you SEEM to insist some hackers trying out your website is ok). BUT SEO is all me bro.

Stop flexing, "bro".

I understand the concern to distance your game from "McCode" keywords and target lists, that's fine. I understand search engine blacklists. But what you're trying to convey is that hackers/malicious users will only come to your site if they find it under a "mccodes" keyword.


Not trying to relay that they only come through google search for mccodes. Merely that some hackers have a thing for specific scripts especially open source (as the majority probably are free version).

As Coly010 mentions (in a similar form), that is one of many factors.

Also for Coly010, believe me I know. The joke among many SEOs is actually that. The moment Google makes a big change, like the old Panda update, there are literally hundreds of agents claiming the downfall of SEO is almost at an end. But the fact is, if you rely too heavily on one factor (such as 90% links >.<) in the end, it won't be the downfall of all SEO, merely that agent.

However, assuming there are "good" hackers, in my view, is like a good criminal vs a career criminal. It seems Coly010 your definition of hackers is merely those with the ability to hack. To me those are security agents. They know how to hack and choose to help, because that's what they do. While a hacker to me is someone who makes a living off of hacking into others' websites.

And sniko, if you read thoroughly, you would see I mentioned XSS testing, iframe busting, static monitoring, and blacklisting. As well as a slight mention that I discovered there is almost a directory/list of mccode sites that is said to be used by hackers through google. I still remain that I do NOT want to be in that list. One factor of many.


Bottom line is that whether you are a MCCodes game or a Word Press blog, you are a target. You will never be able to stop an attacker from attacking your site. Let me just go on the record here by saying that I am no security expert, but these "hackers" rely heavily on HTTP requests. The easiest way to stop someone from attacking your site is to [sarcasm]disable HTTP requests[/sarcasm].

In other words, you can't.


No, that's all fine. The more resources the better but I just wanted to post that there is no way to be 100% secure. I just don't want people thinking that if they follow this stuff that they are out of the woods.

Server languages are always changing to try and adapt with the times. Sometimes something great is added or changed but some smarty pants finds their way around it.


As others have posted here, your game will never be 100% secure or impervious to hackers/attackers finding your site. It doesn't matter where you are on a search engine, those users will find your site. If they somehow don't, then your site is most certainly not successful (and probably dead at that point).

The balance of security is cost VS benefit. The most valuable thing to most hackers is their time. If you waste their time with them trying various methods to no avail, most will simply give up and leave, as it is too costly for them to continue further to get said benefit. If you have the basic protections in place that others have mentioned here, this will happen in most cases.

Something very important to consider with security though is that no matter how "secure" you make your game, if someone really wants your game to go down in flames, they will find a way to do so.

~G7470
