You are viewing our Forum Archives. To view or take place in current topics click here.
Opinions for this Website Control Panel? (Try and Hack!)
Posted:
Opinions for this Website Control Panel? (Try and Hack!)Posted:
Status: Offline
Joined: Aug 18, 201014Year Member
Posts: 466
Reputation Power: 20
Status: Offline
Joined: Aug 18, 201014Year Member
Posts: 466
Reputation Power: 20
Hey
I started making this control panel 2 days ago, and ive come up with this so far:
[ Register or Signin to view external links. ]
Screenshot:
Please take a look at it and tell me what you think of the design, and if you were a customer, if you would be happy to have this in your purchased project.
If your a good hacker, could you also try and hack the login script and see if you can gain access without using the proper values. If you have managed to, please can you tell me how so i can fix it
Username: Demo (Not case sensitive)
Password: demopass (case sensitive)
I started making this control panel 2 days ago, and ive come up with this so far:
[ Register or Signin to view external links. ]
Screenshot:
Please take a look at it and tell me what you think of the design, and if you were a customer, if you would be happy to have this in your purchased project.
If your a good hacker, could you also try and hack the login script and see if you can gain access without using the proper values. If you have managed to, please can you tell me how so i can fix it
Username: Demo (Not case sensitive)
Password: demopass (case sensitive)
#2. Posted:
Status: Offline
Joined: Jun 08, 201014Year Member
Posts: 2,466
Reputation Power: 1070
Motto: I've been watching you all day.
Motto: I've been watching you all day.
Status: Offline
Joined: Jun 08, 201014Year Member
Posts: 2,466
Reputation Power: 1070
Motto: I've been watching you all day.
It looks good, personally I think it's a bit too red, but that's just me ;)
The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.
It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.
Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.
The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.
It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.
Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.
- 1useful
- 0not useful
#3. Posted:
Status: Offline
Joined: Mar 29, 201212Year Member
Posts: 164
Reputation Power: 7
Status: Offline
Joined: Mar 29, 201212Year Member
Posts: 164
Reputation Power: 7
Looks pretty nice the the whole dashboard concept looks really nicely laid out. Also when ime not busy i will try hack the login concept.
- 0useful
- 1not useful
#4. Posted:
Status: Offline
Joined: Aug 18, 201014Year Member
Posts: 466
Reputation Power: 20
Status: Offline
Joined: Aug 18, 201014Year Member
Posts: 466
Reputation Power: 20
Nicasus wrote It looks good, personally I think it's a bit too red, but that's just me ;)
The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.
It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.
Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.
Thanks for all your advice i was planning on adding in a non-javascript version of the login abit later, and i already have salts/hashes for the passwords ;)
I think i may try and add some form of maximum queries per minute or something to try and prevent attacks like that, so maybe a maximum of say 30 ajax requests per 10 minutes or something (unless they actually log in)
- 0useful
- 0not useful
#5. Posted:
Status: Offline
Joined: Jul 12, 201014Year Member
Posts: 2,684
Reputation Power: 122
Status: Offline
Joined: Jul 12, 201014Year Member
Posts: 2,684
Reputation Power: 122
iiLagZz_x wroteNicasus wrote It looks good, personally I think it's a bit too red, but that's just me ;)
The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.
It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.
Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.
Thanks for all your advice i was planning on adding in a non-javascript version of the login abit later, and i already have salts/hashes for the passwords ;)
I think i may try and add some form of maximum queries per minute or something to try and prevent attacks like that, so maybe a maximum of say 30 ajax requests per 10 minutes or something (unless they actually log in)
30 per 10 mins wouldn't be enough really unless your credentials are short and simple. For example:
username: jordanadams
password: c0mPLEX_ity
The above is 22 characters. Add to that typos, potentially longer usernames/passwords and you could easily make 30 requests. I would personally avoid the whole idea of trying to login on keydown/keyup and instead just put a button there. Other reasons to avoid the approach you've taken are performance and bandwidth restrictions on mobile devices and the fact that this would probably break any browser-based password memory.
- 0useful
- 0not useful
#6. Posted:
Status: Offline
Joined: Apr 01, 201212Year Member
Posts: 30
Reputation Power: 1
Status: Offline
Joined: Apr 01, 201212Year Member
Posts: 30
Reputation Power: 1
i have tried hacking hacking the login concept its a bitch to crack nice work i have given up trying to do it
- 0useful
- 1not useful
#7. Posted:
Status: Offline
Joined: Aug 18, 201014Year Member
Posts: 466
Reputation Power: 20
Status: Offline
Joined: Aug 18, 201014Year Member
Posts: 466
Reputation Power: 20
-Jordan- wroteiiLagZz_x wroteNicasus wrote It looks good, personally I think it's a bit too red, but that's just me ;)
The effect with the jQuery is nice. But the fact that it constantly authenticates with every change makes it so much easier to use brute force/dictionary attacks.
It also seems that without Javascript enabled the login is broken. You cannot get past filling out the username (not to mention there's a loading icon while nothing is actually loading). If you decide to rely on jQuery so much that logging in without Javascript is impossible, you might want to deny access to those who have it disabled. TTG for example cannot be accessed without Javascript enabled.
Also, be sure to hash+salt your passwords, limit the access of your database user, escape characters for database queries, etc.
Thanks for all your advice i was planning on adding in a non-javascript version of the login abit later, and i already have salts/hashes for the passwords ;)
I think i may try and add some form of maximum queries per minute or something to try and prevent attacks like that, so maybe a maximum of say 30 ajax requests per 10 minutes or something (unless they actually log in)
30 per 10 mins wouldn't be enough really unless your credentials are short and simple. For example:
username: jordanadams
password: c0mPLEX_ity
The above is 22 characters. Add to that typos, potentially longer usernames/passwords and you could easily make 30 requests. I would personally avoid the whole idea of trying to login on keydown/keyup and instead just put a button there. Other reasons to avoid the approach you've taken are performance and bandwidth restrictions on mobile devices and the fact that this would probably break any browser-based password memory.
I recently changed it to not use keyup/keydown, instead it detects when you have stopped typing for half a second, then if you havent typed for half a second it submits it. To try and save the requests, there will also be a mobile-specific skin which will have virtually no javascript on it
- 0useful
- 0not useful
You are viewing our Forum Archives. To view or take place in current topics click here.