is my site secure from common hacking?
#1
after looking around a bit, i see that this is more of a hacking site than security. Albeit, security doesn't exist without hacking. Therefore, i came to the right place afterall. x

so, i'm developing a subscription based website (pay me to enjoy my services).
i'm trying to stop common hackers from messing with my site. i've read as much as i can and implemented all that i understand.
i'm new to php and security and i'm not a hacker at all. i couldn't hack a site if you gave me anything less than a dummies tutorial step-by-step.
i can't afford to pay someone to make my site, so i hack the code myself.
i want an honest opinion about my tactics. is my code safe from basic hacks or not?

a little inspiration: https://www.youtube.com/watch?v=Dsggg1vQELc

Code:
function quake($ttl) {
$ttl += time();
$message = session_id() . bin2hex(random_bytes(32));
$key1 = base64_encode(random_bytes(64));
$key2 = base64_encode(random_bytes(64));
$key1 = base64_decode($key1);
$key2 = base64_decode($key2);
$twist = hash_hmac('sha3-512', $message, $key1, TRUE);
$shake = hash_hmac('sha3-512', $twist, $key2);
$quake = implode('-', [$shake, $ttl]);
return $shake;
}

should i use iterations on the csrf token hashes?

after form submission:
explode the tokens to a list, then compare timestamps (session variable and post data)
use hash_equals to compare the tokens
compare the random input name with the random value
Code:
$_SESSION['inputName'] = bin2hex(random_bytes(12));
$_SESSION['inputValue'] = bin2hex(random_bytes(12));
<input type="submit" name="<?php echo $_SESSION['inputName']; ?>" value="<?php echo $_SESSION['inputValue']; ?>" />
use css to overlap a value and hide the random value

database
Code:
$dbh = new PDO("mysql:host=$host; dbname=$dbname; charset=utf8mb4", $dbuser, $dbpass, $dbatt);
$query = 'SELECT username, password FROM members WHERE username = :PostUser';

if (hash_equals($dbusercolumn, $username) && password_verify($password, $dbpasshash)) {

i am under the impression that hash_equals will thwart a timing attack in addition to precision comparison
i am also under the impression that pdo will stop injection attacks.

the only way to access the login form is to submit a csrf token protected button labelled login.
one form is used to access a second form.
the login form is restricted to $tries count. three strikes and you out.
login button form submits to a different form called password recovery which prompts for a customer id number as a request for an email containing a token used for resetting password.
i show general errors: username and password cannot be verified.

my headers are nocache, nostore. no javascript is implemented on the page. only post requests are used throughout the entire site. content-security policy headers and meta tags are present.
css files are unique for login page (not associated with the rest of the site). main.css for site, smain.css for login. i could easily generate random css if it is necessary for protection.
i also implement a honeypot field for dumb bots.

is this a good start?
honestly, i want to know how a hacker could defeat this system. how can i make it stronger?
Reply


Messages In This Thread
is my site secure from common hacking? - by mhiats37 - 04-29-2019, 01:32 PM

Possibly Related Threads…
Thread Author Replies Views Last Post
  Coldfusion hacking Insider 2 28,452 02-13-2021, 08:44 PM
Last Post: Insider
  would this be a good way to start web hacking? QMark 19 53,813 04-04-2020, 06:28 AM
Last Post: QMark
  Basics of website and server hacking Insider 0 13,510 03-26-2020, 09:34 PM
Last Post: Insider
  WebDAV Hacking [Detect & Exploit] Insider 1 29,425 04-24-2019, 09:03 PM
Last Post: thunder