That's a way to trick security scanners, which usually try to interpret SQL errors to their advantage.
It's there for laughs, not very professional tho
PortCTL Systems | Billing Software
- Thread starter PortCTL
- Start date
It's there for laughs, not very professional tho
Interesting. In my opinion, this would be better off on an unused page then if it is to honeypot scanners. If it is for scanners, there isn't a need to include it on an actually used page, just setup a fake directory with an index.php or something and log attempts to that page.That's a way to trick security scanners, which usually try to interpret SQL errors to their advantage.
It's there for laughs, not very professional tho
Last edited by a moderator:
PortCTL
New Member
I'm going to assume you're not familiar with how scanners work. Take for example SQLMAP, it'll scan for vulnerabilities, and if it gets an error message it'll log it as vulnerable, now SQLMAP is a bit smarter than regular scanners, it'll check for false-positive, but even still all the access logs are recorded, IP, etc. and from there it's easy to build a database and block IP addresses known to scan for vulnerabilities.
Scanners don't know what page is used in an application and what isn't. Which is why I suggested creating a fake directory if you insist on running a honeypot.
Protecting with a honeypot is interesting but realistically you should make sure your application doesn't have a vulnerability to take advantage of, especially if it is going to handle credit card information and sensitive data. Scanners aren't able to do anything unless your application is vulnerable.
At this stage, I would say let the scanners run. It'd be best for you to find out about a vulnerability now than after you release it.
Last edited by a moderator:
fixidixi
Active Member
"you should make sure your application doesn't have a vulnerability to take advantage of"
well it most surely is going to have vulnerabilities the only question is if they can patch&release&upgrade the sw in time. and of course regular sec audits are welcome with sw handling money
well it most surely is going to have vulnerabilities the only question is if they can patch&release&upgrade the sw in time. and of course regular sec audits are welcome with sw handling money
PortCTL
New Member
That's true, like yesterday vld reported a XSS, and after a few changes it was fixed, and an update was pushed. The XSS with POC will be posted under full disclosures shortly."you should make sure your application doesn't have a vulnerability to take advantage of"
well it most surely is going to have vulnerabilities the only question is if they can patch&release&upgrade the sw in time. and of course regular sec audits are welcome with sw handling money
Sigh... There is no organization to this project what so ever.
The XSS should of never happened in the first place because you ALWAYS SANITIZE YOUR INPUTS. The md5 hashing for passwords was a disgrace. There is no MVC structure to anything. Why is there header and footer HTML code on every single page...
I'm really starting to worry... If you initially stored your passwords using md5, I'm wondering what you're gonna use for credit card information.
The XSS should of never happened in the first place because you ALWAYS SANITIZE YOUR INPUTS. The md5 hashing for passwords was a disgrace. There is no MVC structure to anything. Why is there header and footer HTML code on every single page...
I'm really starting to worry... If you initially stored your passwords using md5, I'm wondering what you're gonna use for credit card information.
PortCTL
New Member
If you view the newer edition, it's better than it was before.
Development editions, as stated, "not suggested in production usage"