04-29-2019, 01:32 PM
after looking around a bit, i see that this is more of a hacking site than security. Albeit, security doesn't exist without hacking. Therefore, i came to the right place afterall. x
so, i'm developing a subscription based website (pay me to enjoy my services).
i'm trying to stop common hackers from messing with my site. i've read as much as i can and implemented all that i understand.
i'm new to php and security and i'm not a hacker at all. i couldn't hack a site if you gave me anything less than a dummies tutorial step-by-step.
i can't afford to pay someone to make my site, so i hack the code myself.
i want an honest opinion about my tactics. is my code safe from basic hacks or not?
a little inspiration: https://www.youtube.com/watch?v=Dsggg1vQELc
should i use iterations on the csrf token hashes?
after form submission:
explode the tokens to a list, then compare timestamps (session variable and post data)
use hash_equals to compare the tokens
compare the random input name with the random value
use css to overlap a value and hide the random value
database
i am under the impression that hash_equals will thwart a timing attack in addition to precision comparison
i am also under the impression that pdo will stop injection attacks.
the only way to access the login form is to submit a csrf token protected button labelled login.
one form is used to access a second form.
the login form is restricted to $tries count. three strikes and you out.
login button form submits to a different form called password recovery which prompts for a customer id number as a request for an email containing a token used for resetting password.
i show general errors: username and password cannot be verified.
my headers are nocache, nostore. no javascript is implemented on the page. only post requests are used throughout the entire site. content-security policy headers and meta tags are present.
css files are unique for login page (not associated with the rest of the site). main.css for site, smain.css for login. i could easily generate random css if it is necessary for protection.
i also implement a honeypot field for dumb bots.
is this a good start?
honestly, i want to know how a hacker could defeat this system. how can i make it stronger?
so, i'm developing a subscription based website (pay me to enjoy my services).
i'm trying to stop common hackers from messing with my site. i've read as much as i can and implemented all that i understand.
i'm new to php and security and i'm not a hacker at all. i couldn't hack a site if you gave me anything less than a dummies tutorial step-by-step.
i can't afford to pay someone to make my site, so i hack the code myself.
i want an honest opinion about my tactics. is my code safe from basic hacks or not?
a little inspiration: https://www.youtube.com/watch?v=Dsggg1vQELc
Code:
function quake($ttl) {
$ttl += time();
$message = session_id() . bin2hex(random_bytes(32));
$key1 = base64_encode(random_bytes(64));
$key2 = base64_encode(random_bytes(64));
$key1 = base64_decode($key1);
$key2 = base64_decode($key2);
$twist = hash_hmac('sha3-512', $message, $key1, TRUE);
$shake = hash_hmac('sha3-512', $twist, $key2);
$quake = implode('-', [$shake, $ttl]);
return $shake;
}
should i use iterations on the csrf token hashes?
after form submission:
explode the tokens to a list, then compare timestamps (session variable and post data)
use hash_equals to compare the tokens
compare the random input name with the random value
Code:
$_SESSION['inputName'] = bin2hex(random_bytes(12));
$_SESSION['inputValue'] = bin2hex(random_bytes(12));
<input type="submit" name="<?php echo $_SESSION['inputName']; ?>" value="<?php echo $_SESSION['inputValue']; ?>" />
database
Code:
$dbh = new PDO("mysql:host=$host; dbname=$dbname; charset=utf8mb4", $dbuser, $dbpass, $dbatt);
$query = 'SELECT username, password FROM members WHERE username = :PostUser';
if (hash_equals($dbusercolumn, $username) && password_verify($password, $dbpasshash)) {
i am under the impression that hash_equals will thwart a timing attack in addition to precision comparison
i am also under the impression that pdo will stop injection attacks.
the only way to access the login form is to submit a csrf token protected button labelled login.
one form is used to access a second form.
the login form is restricted to $tries count. three strikes and you out.
login button form submits to a different form called password recovery which prompts for a customer id number as a request for an email containing a token used for resetting password.
i show general errors: username and password cannot be verified.
my headers are nocache, nostore. no javascript is implemented on the page. only post requests are used throughout the entire site. content-security policy headers and meta tags are present.
css files are unique for login page (not associated with the rest of the site). main.css for site, smain.css for login. i could easily generate random css if it is necessary for protection.
i also implement a honeypot field for dumb bots.
is this a good start?
honestly, i want to know how a hacker could defeat this system. how can i make it stronger?