try to "hack" my login.

capasha · 2016-08-01 20:07:54

hummerz5 wrote:

Can someone explain to me how finding cookies is actually difficult?
It seems to presumptuous of me to assume you guys don't know about how easy it is to find cookies.
Are you sure they're "Cookies" and not something else? I can't see the webpage to show how easy or difficult it would be to find the ecookie, soooo

If it's so easy. Why didn't I find it with all methods I have used?
Maybe I'm too stupid then. The cookie would only be set when the user login.
And I can't find the cookie on admin.php either.

Try to find this cookie: http://trustno1.info/eeditor/admin.php

hummerz5 · 2016-08-02 01:04:32

hummerz5 wrote:

It seems too presumptuous

^ it seems it was.

I wanted to see what detail I was missing. Whatever method he actually used, it seems relevant to explain that as a security flaw as well. He's holdin' out on ya

capasha wrote:

The cookie would only be set when the user login.

that's the clincher it seems.

Nou · 2016-08-02 01:23:07

capasha wrote:

daemon wrote:
Just a reminder for Capasha that I qualify for
220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.
Although I have been waiting eagerly (Do not mistake me for a moneygrubber though), I have not yet received 220 gems (PM me for my ingame name).
Cheers.
1) I can't get a gem code
2) I still need to know how you got that cookie. Because bruteforcing or dictionary attack my page wont work.
If you can't tell how you found it. I can't give you anything. I'm sorry for that.
hummerz5 wrote:
Wait was the login cookie something like userID or username in plaintext? If so, I get it. But if he had a random string, hashed in the DB, isn't that the way to do remember me systems?
It was a cookie with a name, if anyone set a value to it they would be able to login. I'm sorry that I'm bad at MySQL and PHP.

You can always ask an admin to convert it into a gem code.

Bobithan · 2016-08-02 01:41:26

Nou wrote:

You can always ask an admin to convert it into a gem code.

You mean to tell me we can still do this???

Xfrogman43 · 2016-08-02 02:29:45

Bobithan wrote:

Nou wrote:
You can always ask an admin to convert it into a gem code.
You mean to tell me we can still do this???

Yes, but not custom ones.

capasha · 2016-08-02 11:49:05

Nou wrote:

capasha wrote:
daemon wrote:
Just a reminder for Capasha that I qualify for
220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.
Although I have been waiting eagerly (Do not mistake me for a moneygrubber though), I have not yet received 220 gems (PM me for my ingame name).
Cheers.
1) I can't get a gem code
2) I still need to know how you got that cookie. Because bruteforcing or dictionary attack my page wont work.
If you can't tell how you found it. I can't give you anything. I'm sorry for that.
hummerz5 wrote:
Wait was the login cookie something like userID or username in plaintext? If so, I get it. But if he had a random string, hashed in the DB, isn't that the way to do remember me systems?
It was a cookie with a name, if anyone set a value to it they would be able to login. I'm sorry that I'm bad at MySQL and PHP.
You can always ask an admin to convert it into a gem code.

I sent a pm to NVD. And I have seen him on the forums. So yes I guess he doesn't care anyway.

hummerz5 wrote:

hummerz5 wrote:
It seems too presumptuous
^ it seems it was.
I wanted to see what detail I was missing. Whatever method he actually used, it seems relevant to explain that as a security flaw as well. He's holdin' out on ya
capasha wrote:
The cookie would only be set when the user login.
that's the clincher it seems.

I still don't trust this. I shared the code to Dadito. He could have shared it to anyone. The cookie name was inside the code.
Chat on TV with Dadito. When I sent the code.

daemon · 2016-08-02 22:08:32

Finding a cookie is rather easy when either already created and not expired (The cookie is then stored and visible) or visible in client-side code (Javascript most often).
Capasha wonders how I retrieved the cookiename because neither of both situations was satisfied; The cookie would only be created if logged in successfully and was not visible in client-, but only in server-side (PHP) code.

Capasha, keep your gems if you do not think that 'LoginCookie' is a plausible name present in a dictionary used to set lots of cookies.
In comparison, it's like using 'Password123' while sure that no one would guess that; dumb.

hummerz5 · 2016-08-02 22:16:15

But you claimed you managed some other way and insofar haven't directly laid claim to it. Was it the dictionary method or no?

Here I was wondering if there was some way to CSRF and get his cookies for that site, but I don't think it works like that.

daemon · 2016-08-03 14:16:45

Dictionary attacks usually are the last (and most time-consuming) resort, which is why I stumbled upon another method (One that does not present a threat) first.
The point is that I exploited his login and found at least one security issue, hence I satisfy his condition (Its logically inconsistent if I did not..):

220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.

Last but not least I provided details on how to fix these issues.

capasha · 2016-08-03 19:47:12

daemon wrote:

Dictionary attacks usually are the last (and most time-consuming) resort, which is why I stumbled upon another method (One that does not present a threat) first.
The point is that I exploited his login and found at least one security issue, hence I satisfy his condition (Its logically inconsistent if I did not..):
220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.
Last but not least I provided details on how to fix these issues.

The password is encrypted with salt. I don't know how you can say its not.
The password was also used special characters and a length of 32.
I guess you must have a really good computer that can crack the password so fast and also a lot of proxies to bruteforce on my site. Which will block an ip that tries too many times.

You are still trying to ignore how you got the cookie. So I don't see a reason to give you any gems.

daemon · 2016-08-03 22:26:55

The password is encrypted with salt. I don't know how you can say its not.
The password was also used special characters and a length of 32.
I guess you must have a really good computer that can crack the password so fast and also a lot of proxies to bruteforce on my site. Which will block an ip that tries too many times.

1. I did not mention anything related to password cracking, especially I haven't said the password isn't encrypted with a salt. (What makes you think I said this?!)
2. I was talking about a dictionary attack; a long list of cookie names which are set during the attack, such that if a successful login depends on the presence of a cookie, then this attack might exploit that. What I have been saying for days now is that 'LoginCookie' is a plausible name for a cookie that is set when logged in, and therefore surely must be on the list.

You are still trying to ignore how you got the cookie. So I don't see a reason to give you any gems.

Yes I am. Keeping that method secret is worth more than any amount of money to me. But let's face it:
A: I exploited your login obviously by setting that cookie.
B: I found numerous security issues;

Some serious (exploitable) issues you are facing;
- Cookies are client-side and should not be used for authentication nor authorization.
- Passwords are not encrypted (preferably with a salt to prevent cracking by rainbow tables) and go insecurely over the wire.

^ Note that I didn't say that the passwords aren't salted, I said you havent got HTTPS.

Now from

220 gems code to Everybody Edits. To the one that can exploit my login, or find any security issues.

or written as a proposition; "Exploit my login or find any security issues -> you will receive 220 gems"
and the truth of A and B, I deduce that I will receive 220 gems.

Anyone (hummerz5?) to back me up here or am I the only rational thinker?

Xfrogman43 · 2016-08-03 23:00:45

He probably wants you to tell him how you did it so he can learn from it so it doesnt happen again... you can always just PM him

hummerz5 · 2016-08-04 00:34:10

daemon, I don't doubt you earned the prize for that fancy image. I'm just personally curious as to your method worth more than money. I can see it either being illegal and you can't dare admit it, or incredibly obscure and you don't want to lose the rarity.

Also, you did mention salts, perhaps the wording was off? dunno.

again, tl;dr, yes you satisfied the conditions

daemon · 2016-08-04 01:58:28

Okay.. The broken glass on the floor under the window in in the web- and dnsserverroom hosting his site wasn't an ordinary accident, I should have cleaned it up.
Jokes aside, the method simply loses its effectibility when exposed to the public.
Furthermore when exposed, software authors have 0-days to plan and advise any mitigation against its exploitation.
However you could say it makes 'the internet' safer.

Sorry, but (personally) effectibility outweighs the others.

capasha · 2016-08-11 17:51:11

daemon wrote:

Okay.. The broken glass on the floor under the window in in the web- and dnsserverroom hosting his site wasn't an ordinary accident, I should have cleaned it up.
Jokes aside, the method simply loses its effectibility when exposed to the public.
Furthermore when exposed, software authors have 0-days to plan and advise any mitigation against its exploitation.
However you could say it makes 'the internet' safer.
Sorry, but (personally) effectibility outweighs the others.

You are going to get the gems when I have more money. Because you said much more things than the cookie.
If you doesn't want to tell about cookie, then its fine.

Official Everybody Edits Forums

#26 2016-08-01 20:07:54

Re: try to "hack" my login.

#27 2016-08-02 01:04:32

Re: try to "hack" my login.

#28 2016-08-02 01:23:07

Re: try to "hack" my login.

#29 2016-08-02 01:41:26

Re: try to "hack" my login.

#30 2016-08-02 02:29:45

Re: try to "hack" my login.

#31 2016-08-02 11:49:05, last edited by capasha (2016-08-02 12:07:00)

Re: try to "hack" my login.

#32 2016-08-02 22:08:32

Re: try to "hack" my login.

#33 2016-08-02 22:16:15

Re: try to "hack" my login.

#34 2016-08-03 14:16:45, last edited by daemon (2016-08-03 14:17:39)

Re: try to "hack" my login.

#35 2016-08-03 19:47:12

Re: try to "hack" my login.

#36 2016-08-03 22:26:55, last edited by daemon (2016-08-03 22:28:16)

Re: try to "hack" my login.

#37 2016-08-03 23:00:45

Re: try to "hack" my login.

#38 2016-08-04 00:34:10

Re: try to "hack" my login.

#39 2016-08-04 01:58:28, last edited by daemon (2016-08-04 01:59:04)

Re: try to "hack" my login.

#40 2016-08-11 17:51:11

Re: try to "hack" my login.

Board footer