GreySec Forums

Full Version: is my site secure from common hacking?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
after looking around a bit, i see that this is more of a hacking site than security. Albeit, security doesn't exist without hacking. Therefore, i came to the right place afterall. x

so, i'm developing a subscription based website (pay me to enjoy my services).
i'm trying to stop common hackers from messing with my site. i've read as much as i can and implemented all that i understand.
i'm new to php and security and i'm not a hacker at all. i couldn't hack a site if you gave me anything less than a dummies tutorial step-by-step.
i can't afford to pay someone to make my site, so i hack the code myself.
i want an honest opinion about my tactics. is my code safe from basic hacks or not?

a little inspiration: https://www.youtube.com/watch?v=Dsggg1vQELc

Code:
function quake($ttl) {
$ttl += time();
$message = session_id() . bin2hex(random_bytes(32));
$key1 = base64_encode(random_bytes(64));
$key2 = base64_encode(random_bytes(64));
$key1 = base64_decode($key1);
$key2 = base64_decode($key2);
$twist = hash_hmac('sha3-512', $message, $key1, TRUE);
$shake = hash_hmac('sha3-512', $twist, $key2);
$quake = implode('-', [$shake, $ttl]);
return $shake;
}

should i use iterations on the csrf token hashes?

after form submission:
explode the tokens to a list, then compare timestamps (session variable and post data)
use hash_equals to compare the tokens
compare the random input name with the random value
Code:
$_SESSION['inputName'] = bin2hex(random_bytes(12));
$_SESSION['inputValue'] = bin2hex(random_bytes(12));
<input type="submit" name="<?php echo $_SESSION['inputName']; ?>" value="<?php echo $_SESSION['inputValue']; ?>" />
use css to overlap a value and hide the random value

database
Code:
$dbh = new PDO("mysql:host=$host; dbname=$dbname; charset=utf8mb4", $dbuser, $dbpass, $dbatt);
$query = 'SELECT username, password FROM members WHERE username = :PostUser';

if (hash_equals($dbusercolumn, $username) && password_verify($password, $dbpasshash)) {

i am under the impression that hash_equals will thwart a timing attack in addition to precision comparison
i am also under the impression that pdo will stop injection attacks.

the only way to access the login form is to submit a csrf token protected button labelled login.
one form is used to access a second form.
the login form is restricted to $tries count. three strikes and you out.
login button form submits to a different form called password recovery which prompts for a customer id number as a request for an email containing a token used for resetting password.
i show general errors: username and password cannot be verified.

my headers are nocache, nostore. no javascript is implemented on the page. only post requests are used throughout the entire site. content-security policy headers and meta tags are present.
css files are unique for login page (not associated with the rest of the site). main.css for site, smain.css for login. i could easily generate random css if it is necessary for protection.
i also implement a honeypot field for dumb bots.

is this a good start?
honestly, i want to know how a hacker could defeat this system. how can i make it stronger?
I don't really code in PHP so I can't attest to the strength (or lack thereof) your code. But I can tell you that this is only a miniscule part of your site overall. There are an infinite amount of ways to get into your site. The only limit is an attackers' imagination. The fact that you care this much about security is a good sign. But what you're asking is like asking if people are good or bad based on one person. I wouldn't post the name of your site. But if you want to PM it to people for them to look at, maybe we could be more helpful. Completely up to you of course and I understand if you're hesitant.