Team Avolition
KimChoJapFan

Lessons in Delinquency: A Novella from yours truly


Prelude

This thread will cover the pitfalls that I have encountered in the past when working with web development.
This is not going to be a guide on how to exploit websites, this is simply here as a precaution so you can learn from my mistakes.


Story One
My Username Redirects Everyone to Pornography


    There's this nifty language called Javascript that is interpreted by the browser which allows for sites to be changed dynamically when it's not breaking sites or eating up your system resources because of shoddy implementation by the browser itself (see drive-by downloads from old Internet Explorer). Nobody I have ever encountered learns to filter inputs the easy way; we seem to have always learned through hindsight when someone comes along to break your precious site. I spent a good few years working with private servers for a game called Adventure Quest Worlds which was this gaudy flash game that acted like an MMO, but with none of the desired features of other MMOs that we know and have sunk more time and money into than we would want to admit. Most of the private servers that crop up before being DMCA'ed by Artix reuse code from a project named DuskWorlds.

    Most of these private servers tend to include a top-100 page for all created characters for bragging purposes or something. These pages will display the usernames without filtering them and so you can stylize your username in many ways. The flash content does make an attempt at filtering inputs by whitelisting alphanumeric characters when creating a username, but this data is passed onto a backend file which isn't filtering the inputs before storing them in the database. You can essentially skip the whole flash route and send the form data manually through your browser to the chagrin of whomever owns the site.

    Javascript has a function to redirect visitors to other sites on the internet and many ways of carrying out this redirection. My username was going to wind up on the top-100 page since there are fewer than 100 players on the server, and my username was going to show up raw and unfiltered for all of those who dare to peruse the top-100 page. So I simply had to make my username a Javascript redirect wrapped in the HTML script tags in order to get things messy. The simplest choice for me was where I wanted everyone to wind up when viewing my username: Pornhub. So I created my account with the username "<script>document.location = "https://pornhub.com"</script>" and waited for the owner to notice.

    It took about a week before I received an angry email from the owner that was written in fluent keyboard warrior. Apparently the site had an admin control panel (ACP) which was also allergic to filtering inputs and so any attempts to delete my account without going through the database would end up redirecting the site staff to Pornhub. I like to believe that my sides have already met up with the New Horizons space probe near Pluto by now because it took a good chunk of my day to recover from the laughter. A part of me felt bad since I knew how to fix things but the other part of me was embracing the catharsis because of the contents of the angry email and threat of legal actions.

    If you ever plan on creating an Adventure Quest Worlds private server, just know to avoid DuskWorlds and any other packs that have a top-100 page if you don't know how to check for filtered inputs. Hopefully nobody here attempts to go out and find these servers to copy this since Artix will get the servers shut down with legal actions in the end. The only regret I have from this incident is that I forgot to save the email and screenshots.


Story Two
Just Say No to Regular Expressions


    There was a time when I wanted to give MyBB the middle finger and create my own forum software that would rival MyBB, PhpBB, IPB, XenForo, and Woltlab. This endeavor was short-lived and it was for the best since I was a shining example of the Dunning-Kruger Effect. One of the features from most forums I frequented was something called BBCode which allowed for people to format their threads and posts in a secure manner. When I was building the post function I would often encounter issues with the htmlspecialchars function that I was using to filter inputs where it would escape the brackets used in BBCode. That's when I decided to take the regex (regular expressions) route which allowed for people to use BBCode while protecting from basic XSS (cross-site scripting) attempts.

    The method I used was similar to a blacklist where I filtered out any tags pertaining to <script> and </script> from the posts using preg_replace in PHP. This was before I learned about DOM-based attacks and that's when I started noticing posts that involved the SVG tag which would send a Javascript browser alert containing expletives, h4x0r team names with shoutouts, and taunts towards me due to my incompetence. A quick skim through the database confirmed that there was an issue and that I was unable to handle those at the time using regex, so I reverted back to htmlspecialchars and eventually gave up on the project entirely.

    I do happen to have a recording of me showing the vulnerability of my project but not a recording of the attacks. My reason for making the video was to show the project members why I was abandoning the project and why I had taken the site down at the time. Here's the video I uploaded showing the many ways that regex failed to keep my site safe.
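Both stories come down to the same mistake: the top-100 page and the post renderer put user text into HTML as-is, and a blacklist that strips <script> tags does nothing against other tags. The PHP below is an added example (not the author's forum code or DuskWorlds code) of the order that works: escape everything with htmlspecialchars first, then turn a whitelist of BBCode tags into HTML with preg_replace. The BBCode tag set and the sample posts are my own constructed assumptions.

```php
<?php
// Added example: escape first, then apply a BBCode whitelist on the escaped
// text. htmlspecialchars leaves [ and ] alone, so BBCode patterns still match
// after escaping; only < > & " ' become entities and can never form a tag.

// The blacklist approach from Story Two: strips <script> tags and nothing else.
function blacklist_render(string $post): string
{
    return preg_replace('#</?script[^>]*>#i', '', $post);
}

// The escape-first approach: safe for usernames (Story One) and posts (Story Two).
function safe_render(string $post): string
{
    $escaped = htmlspecialchars($post, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Whitelisted BBCode -> HTML. Anything not listed here stays literal text.
    $rules = [
        '#\[b\](.*?)\[/b\]#is' => '<strong>$1</strong>',
        '#\[i\](.*?)\[/i\]#is' => '<em>$1</em>',
        // Only http(s) URLs are accepted, so a javascript: scheme never matches.
        '#\[url=(https?://[^\s\]<>]+)\](.*?)\[/url\]#is'
            => '<a href="$1" rel="nofollow">$2</a>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $escaped);
}

// Constructed sample inputs (assumed, not real forum data).
$samples = [
    'bold' => 'Hello [b]world[/b] from [url=https://example.invalid]me[/url]',
    // The Story Two case: no <script> tag, so the blacklist passes it untouched.
    'svg'  => '<svg onload="alert(1)">',
    // The Story One username shape, pointed at a placeholder host.
    'name' => '<script>document.location = "https://example.invalid"</script>',
];

foreach ($samples as $label => $post) {
    printf("%-4s blacklist: %s\n", $label, blacklist_render($post));
    printf("%-4s safe:      %s\n", $label, safe_render($post));
}
```

Run it with `php` on the command line: the blacklist output still contains a live `<svg ...>` tag, while the escape-first output renders the bold text and link but shows the other two samples as harmless literal text.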


To Be Continued...

I plan to add more stories to this thread since I'm not out of stories to tell.

I'm just burned out at the moment since I have to get other things done and writing this thread can't take up the rest of my day.
