Discuss Scratch

DatOneLefty
Scratcher
1000+ posts

can u advanced haxors do something for me?

Can you guys try to find ways to break https://chat.captainwebservices.com/. It's my new chat website and I want it to be a little safe before I tell more people online.

DON'T do:
hack my server
delete work and stuff

DO:
mess with the chat
try to break the Node.JS server


bobbybee
Scratcher
1000+ posts


I win.

(Maybe)

Last edited by bobbybee (April 24, 2017 00:17:08)


bybb
Scratcher
1000+ posts


username command shows signs of SQL injection! By setting username to “; 0 OR 0 the username is set to ”; like it's executing 0 OR 0. I wish I knew more SQL.

nathanprocks
Scratcher
1000+ posts


bybb wrote:

username command shows signs of SQL injection! By setting username to “; 0 OR 0 the username is set to ”; like it's executing 0 OR 0. I wish I knew more SQL.
Nope. His server isn't storing any usernames or messages (source). The username command ignores everything after the space.

Last edited by nathanprocks (April 24, 2017 08:50:21)



scratchisthebest
Scratcher
1000+ posts


Just taking a quick look at the github client code (I'm on my phone, can't open devtools here). Looks like “clean()” is run on the client? Rule 0 of security is basically NEVER trust the client. Ever. Never ever, ever, not even when pigs fly, never, ever never, EVER. So, I hope you're running that on the server too!

Brownie clicker was broken in a sort of similar way, high scores were set with just a GET request with a hash and score. This made it really easy to submit scores even larger than Javascript numbers could handle, just make up some random hashes and fire off requests, which your server happily accepted

Last edited by scratchisthebest (April 24, 2017 13:47:41)


novice27b
Scratcher
1000+ posts


scratchisthebest wrote:

Just taking a quick look at the github client code (I'm on my phone, can't open devtools here). Looks like “clean()” is run on the client? Rule 0 of security is basically NEVER trust the client. Ever. Never ever, ever, not even when pigs fly, never, ever never, EVER. So, I hope you're running that on the server too!

Brownie clicker was broken in a sort of similar way, high scores were set with just a GET request with a hash and score. This made it really easy to submit scores even larger than Javascript numbers could handle, just make up some random hashes and fire off requests, which your server happily accepted

Edit: Ignore me.

Last edited by novice27b (April 24, 2017 14:09:17)


novice27b
Scratcher
1000+ posts


The only thing I found is that you can “change” anyone's username, as well as make the names bold:

socket.emit('change-username', '<b>ADMIN <b>novice27b');

Last edited by novice27b (April 24, 2017 14:20:35)


bybb
Scratcher
1000+ posts


Don't steal code from w3schools. getCookie and setCookie are identical to what w3schools is showing. I thought the code was familiar.

bobbybee
Scratcher
1000+ posts


novice27b wrote:

The only thing I found is that you can “change” anyone's username, as well as make the names bold:

socket.emit('change-username', '<b>ADMIN <b>novice27b');
Both of those were already known.

Also, “change-username” just sends an event; usernames aren't stored anywhere. It's a courtesy that can be spoofed really easily (because that's a good idea)

Similarly, you can make *anyone* afk-on or afk-off or whatever.

IcyCoder
Scratcher
1000+ posts


OK there is this really weird person saying some interesting things on the server… Maybe you need a blacklist/whitelist

DatOneLefty
Scratcher
1000+ posts


IcyCoder wrote:

OK there is this really weird person saying some interesting things on the server… Maybe you need a blacklist/whitelist
I'm going to add a blacklist when I get the code to check each word and to encrypt the bad words so they aren't just sitting there in the code

bybb wrote:

Don't steal code from w3schools. getCookie and setCookie are identical to what w3schools is showing. I thought the code was familiar.
I'm lazy tho

I'm going to switch to a system of user IDs sometime soon

note: im using this as my swear filter: (removed by moderator - please don't link to sites with inappropriate language)

Last edited by Paddle2See (April 25, 2017 16:17:06)



Mole_Gaming
Scratcher
100+ posts


The only thing I've found immediately is that typing in unicode character 202e (RIGHT-TO-LEFT OVERRIDE) starts messing with stuff, but it only affects the line with the character itself.


Although it might be wise to check for other unicode characters…

Mole_Gaming
Scratcher
100+ posts


You can also type in unicode characters by using their html codes, which could potentially lead to some issues.

Sheep_maker
Scratcher
1000+ posts


Using /username &#127; can make one's username empty.

IcyCoder
Scratcher
1000+ posts


Hmmm



I never left…

herohamp
Scratcher
1000+ posts


Oh g** please noooo. Have the server handle names… and cleaning messages… and everything else.

Last edited by herohamp (May 25, 2017 01:03:20)

DatOneLefty
Scratcher
1000+ posts


herohamp wrote:

Oh g** please noooo. Have the server handle names… and cleaning messages… and everything else.
I thought I wrote it to only allow printable characters and strip HTML. Please leave a working PR on the github for bugs you find, or I'll fix it myself


Mole_Gaming
Scratcher
100+ posts


herohamp wrote:

Oh g** please noooo. Have the server handle names… and cleaning messages… and everything else.
yeah, in general you should have the user send what they typed and what they typed only (Of course you can also encrypt it) and have the server process all the cleaning. Otherwise users could mock message sending and all that.

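As an added example (not code from the chat project discussed in this thread, nor from any poster here), this is what "have the server handle names and cleaning" can look like for a Node.js/socket.io chat. It addresses the points raised above in one place: scratchisthebest's "run clean() on the server too", bobbybee's observation that change-username and afk events can be spoofed because nothing is stored server-side, Mole_Gaming's U+202E (RIGHT-TO-LEFT OVERRIDE) and HTML-code input, and Sheep_maker's `/username &#127;` emptying a name. The server keeps each connection's name in its own table and never reuses an identity field the client sends. The username allowlist pattern, the length limits and the function names are assumptions, not the project's actual rules.

```javascript
// Added example, not code from the chat project discussed in this thread.
// Identity and cleaning live on the server; the client only sends text.
// The username pattern, length limits and function names are assumptions.

// C0/C1 control characters (including DEL, U+007F), zero-width marks and
// bidi override/isolate code points such as U+202E that rearrange text.
const CONTROL_OR_BIDI =
  /[\u0000-\u001F\u007F-\u009F\u200B-\u200F\u202A-\u202E\u2066-\u2069]/g;
const USERNAME_RE = /^[A-Za-z0-9_-]{1,20}$/; // assumed allowlist for names
const MAX_MESSAGE_LEN = 500;                  // assumed message limit

// Decode numeric HTML entities (&#127; or &#x7F;) so later checks see the
// real character rather than its encoded form.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (match, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

// Normalise untrusted text: decode entities, drop control/bidi characters,
// trim, and cut to a code-point length. No HTML escaping happens here.
function normalise(input, maxLen) {
  const decoded = decodeNumericEntities(String(input));
  const stripped = decoded.replace(CONTROL_OR_BIDI, '').trim();
  return Array.from(stripped).slice(0, maxLen).join('');
}

// Escape for insertion into HTML; done after length cutting so an entity
// is never chopped in half.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side session table: socket id -> state. Clients never send their
// own name or afk flag with a message; the server looks it up here.
const sessions = new Map();

function onConnect(socketId) {
  sessions.set(socketId, { name: 'guest-' + socketId.slice(0, 4), afk: false });
}

function onDisconnect(socketId) {
  sessions.delete(socketId);
}

// change-username: validate against the allowlist after normalising, so
// '<b>ADMIN' and '&#127;' are both rejected instead of displayed.
function setUsername(socketId, requested) {
  const session = sessions.get(socketId);
  if (!session) return { ok: false, reason: 'unknown connection' };
  const name = normalise(requested, 20);
  if (!USERNAME_RE.test(name)) return { ok: false, reason: 'invalid username' };
  session.name = name;
  return { ok: true, name };
}

// afk-on / afk-off: only the caller's own session can be changed.
function setAfk(socketId, afk) {
  const session = sessions.get(socketId);
  if (!session) return null;
  session.afk = Boolean(afk);
  return { user: session.name, afk: session.afk };
}

// chat message: take only `text` from the payload, clean and escape it, and
// attach the server-held name. Any `from` field the client sends is ignored.
function onChatMessage(socketId, payload) {
  const session = sessions.get(socketId);
  if (!session) return null;
  const raw = payload && typeof payload.text === 'string' ? payload.text : '';
  const text = escapeHtml(normalise(raw, MAX_MESSAGE_LEN));
  if (text === '') return null;
  return { from: session.name, text };
}

// Wiring sketch for socket.io (assumed event names, not executed here):
//   io.on('connection', (socket) => {
//     onConnect(socket.id);
//     socket.on('change-username', (n) => io.emit('username', setUsername(socket.id, n)));
//     socket.on('chat', (p) => { const m = onChatMessage(socket.id, p); if (m) io.emit('chat', m); });
//     socket.on('disconnect', () => onDisconnect(socket.id));
//   });
```

The point of the split between `normalise` and `escapeHtml` is that validation (the allowlist check, the empty check) runs on the decoded, stripped text, while escaping is the very last step before the text is handed to browsers. A client-side `clean()` can still run for a nicer UI, but nothing it does is relied upon.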
CatIsFluffy
Scratcher
100+ posts


Bug: WebSocket connection to ‘wss/chat.captainwebservices.com/socket.io/?EIO=3&transport=websocket&sid=JBdPpUqHdUC5qvsiAADA’ failed: Error during WebSocket handshake: Unexpected response code: 500
ScratchMan544
Scratcher
100+ posts


The “username” field is vulnerable to XSS:


