amuck-landowner

PortCTL Systems | Billing Software

vld

New Member
Verified Provider
Looks interesting.  I'm curious why you would need to display an error to "log hacking attempts".  This is obviously just an error showing one of your queries is using an invalid syntax, most likely with LIMIT in the wrong place.   As a developer myself, there should be no reason for you to purposefully display a MySQL error to an end user.  Any sort of logging should be done behind the scenes.
That's a way to trick security scanners, which usually try to interpret SQL errors to their advantage.

It's there for laughs, not very professional tho :p
 

devonblzx

New Member
Verified Provider
That's a way to trick security scanners, which usually try to interpret SQL errors to their advantage.

It's there for laughs, not very professional tho :p
Interesting.  In my opinion, this would be better off on an unused page then if it is to honeypot scanners.  If it is for scanners, there isn't a need to include it on an actually used page, just set up a fake directory with an index.php or something and log attempts to that page.
 

PortCTL

New Member
Interesting.  In my opinion, this would be better off on an unused page then if it is to honeypot scanners.  If it is for scanners, there isn't a need to include it on an actually used page, just set up a fake directory with an index.php or something and log attempts to that page.
I'm going to assume you're not familiar with how scanners work. Take for example SQLMAP, it'll scan for vulnerabilities, and if it gets an error message it'll log it as vulnerable. Now SQLMAP is a bit smarter than regular scanners, it'll check for false positives, but even still all the access logs are recorded, IP, etc. and from there it's easy to build a database and block IP addresses known to scan for vulnerabilities.
 

devonblzx

New Member
Verified Provider
I'm going to assume you're not familiar with how scanners work. Take for example SQLMAP, it'll scan for vulnerabilities, and if it gets an error message it'll log it as vulnerable. Now SQLMAP is a bit smarter than regular scanners, it'll check for false positives, but even still all the access logs are recorded, IP, etc. and from there it's easy to build a database and block IP addresses known to scan for vulnerabilities.
Scanners don't know what page is used in an application and what isn't.  Which is why I suggested creating a fake directory if you insist on running a honeypot.

Protecting with a honeypot is interesting but realistically you should make sure your application doesn't have a vulnerability to take advantage of, especially if it is going to handle credit card information and sensitive data.  Scanners aren't able to do anything unless your application is vulnerable.

At this stage, I would say let the scanners run.  It'd be best for you to find out about a vulnerability now than after you release it.
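As an added illustration of what the two posts above describe (a decoy page in an unused directory that logs scanner hits behind the scenes and shows the visitor nothing), here is example code written for this thread, not PortCTL's code. The log path and field names are assumptions.

```php
<?php
// Added example: decoy index.php for an unused directory. It records the
// request quietly and answers with a plain 404, so no SQL error text is
// ever shown to the client (a scanner would interpret that as a finding).

// Assumed log location: outside the web root, writable by the web server user.
const HONEYPOT_LOG = '/var/log/portctl/honeypot.log';

// Build one structured record from the request. Only REMOTE_ADDR is used for
// the IP: X-Forwarded-For is client-supplied and only trustworthy behind a
// reverse proxy you control.
function honeypotRecord(array $server): array
{
    return [
        'time'   => gmdate('c'),
        'ip'     => $server['REMOTE_ADDR'] ?? 'unknown',
        'method' => $server['REQUEST_METHOD'] ?? '',
        'uri'    => $server['REQUEST_URI'] ?? '',
        // Free-text header; JSON encoding keeps it on a single log line.
        'ua'     => $server['HTTP_USER_AGENT'] ?? '',
    ];
}

// Append the record as one JSON line. LOCK_EX keeps concurrent hits from
// interleaving; JSON_INVALID_UTF8_SUBSTITUTE stops a malformed User-Agent
// from making json_encode() return false.
function logHoneypotHit(array $record, string $path): bool
{
    $line = json_encode(
        $record,
        JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
    if ($line === false) {
        return false;
    }
    return file_put_contents($path, $line . PHP_EOL, FILE_APPEND | LOCK_EX) !== false;
}

logHoneypotHit(honeypotRecord($_SERVER), HONEYPOT_LOG);

// Respond exactly like any other missing page; the trap reveals nothing.
http_response_code(404);
header('Content-Type: text/plain; charset=utf-8');
echo "Not Found\n";
```

The resulting log lines can be fed to whatever IP-blocking or review process is wanted, which keeps that decision out of the page the user sees.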
 

fixidixi

Active Member
"you should make sure your application doesn't have a vulnerability to take advantage of"

well it most surely is going to have vulnerabilities the only question is if they can patch&release&upgrade the sw in time. and of course regular sec audits are welcome with sw handling money :)
 

PortCTL

New Member
"you should make sure your application doesn't have a vulnerability to take advantage of"

well it most surely is going to have vulnerabilities the only question is if they can patch&release&upgrade the sw in time. and of course regular sec audits are welcome with sw handling money :)
That's true, like yesterday vld reported an XSS, and after a few changes it was fixed, and an update was pushed. The XSS with POC will be posted under full disclosures shortly.
 

PortCTL

New Member
A big update. New design, two designs built-in, easier to customize, and more.

[10 screenshots]

Will post more screenshots later.

Code changed: Fixed XSS vulnerabilities, switched from md5() to password_hash and password_verify for more security.
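The switch from md5() to password_hash()/password_verify() mentioned above raises the question of existing accounts. As an added example (not PortCTL's code), this is one way to verify against a legacy md5 value and replace it on the next successful login; the `users` table columns `password_hash` and `password_md5` and the PDO handle are assumptions.

```php
<?php
// Added example: verify a login against either a password_hash() value or a
// legacy md5() value, upgrading legacy rows in place so no reset is needed.
// Assumed schema: users(id, password_hash NULL, password_md5 NULL), where
// password_md5 holds the lowercase hex string md5() produces.

function storeHash(PDO $db, int $userId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'UPDATE users SET password_hash = ?, password_md5 = NULL WHERE id = ?'
    );
    $stmt->execute([$hash, $userId]);
}

function verifyAndUpgrade(PDO $db, int $userId, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password_hash, password_md5 FROM users WHERE id = ?'
    );
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    if ($row['password_hash'] !== null) {
        if (!password_verify($password, $row['password_hash'])) {
            return false;
        }
        // Re-hash when the default algorithm or cost has moved on since storage.
        if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
            storeHash($db, $userId, $password);
        }
        return true;
    }

    // Legacy path: constant-time compare against the md5 value, then replace
    // it with a password_hash() value on this successful login.
    if ($row['password_md5'] === null
        || !hash_equals($row['password_md5'], md5($password))) {
        return false;
    }
    storeHash($db, $userId, $password);
    return true;
}
```

Once every active user has logged in once, the remaining `password_md5` values belong to dormant accounts and can be cleared with a forced reset.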
 

InertiaNetworks-Ryan

New Member
Verified Provider
Sigh... There is no organization to this project whatsoever.

The XSS should have never happened in the first place because you ALWAYS SANITIZE YOUR INPUTS. The md5 hashing for passwords was a disgrace. There is no MVC structure to anything. Why is there header and footer HTML code on every single page...

I'm really starting to worry... If you initially stored your passwords using md5, I'm wondering what you're gonna use for credit card information.
 

PortCTL

New Member
Sigh... There is no organization to this project whatsoever.


The XSS should have never happened in the first place because you ALWAYS SANITIZE YOUR INPUTS. The md5 hashing for passwords was a disgrace. There is no MVC structure to anything. Why is there header and footer HTML code on every single page...

I'm really starting to worry... If you initially stored your passwords using md5, I'm wondering what you're gonna use for credit card information.
If you view the newer edition, it's better than it was before.

Development editions are, as stated, "not suggested in production usage".
 

PortCTL

New Member
Working on the backend panel, should have an update pushed to GitHub hopefully within the next day or so.
 