- DatOneLefty
- Scratcher
1000+ posts
can u advanced haxors do something for me?
Can you guys try to find ways to break https://chat.captainwebservices.com/ it's my new chat website and I want it to be a little safe before I tell more people online
DON'T do:
hack my server
delete work and stuff
DO:
mess with the chat
try to break the Node.JS server
Scratch data available at ScratchDB (Status)
Posts: bf97b44a7fbd33db070f6ade2b7dc549 (btw i use arch)
- bobbybee
- Scratcher
1000+ posts
I win.
(Maybe)
Last edited by bobbybee (April 24, 2017 00:17:08)
“Ooo, can I call you Señorita Bee?” ~Chibi-Matoran
- bybb
- Scratcher
1000+ posts
username command shows signs of SQL injection! By setting username to "; 0 OR 0 the username is set to "; like it's executing 0 OR 0. I wish I knew more SQL.
- nathanprocks
- Scratcher
1000+ posts
> username command shows signs of SQL injection! By setting username to "; 0 OR 0 the username is set to "; like it's executing 0 OR 0. I wish I knew more sql.
Nope. His server isn't storing any usernames or messages (source). The username command ignores everything after the space.
Last edited by nathanprocks (April 24, 2017 08:50:21)
- scratchisthebest
- Scratcher
1000+ posts
Just taking a quick look at the GitHub client code (I'm on my phone, can't open devtools here) Looks like “clean()” is run on the client? Rule 0 of security is basically NEVER trust the client. Ever. Never ever, ever, not even when pigs fly, never, ever never, EVER. So, I hope you're running that on the server too!
Brownie clicker was broken in a sort of similar way, high scores were set with just a GET request with a hash and score. This made it really easy to submit scores even larger than JavaScript numbers could handle, just make up some random hashes and fire off requests, which your server happily accepted
Last edited by scratchisthebest (April 24, 2017 13:47:41)
I am a Lava Expert
- novice27b
- Scratcher
1000+ posts
> Just taking a quick look at the GitHub client code (I'm on my phone, can't open devtools here) Looks like “clean()” is run on the client? Rule 0 of security is basically NEVER trust the client. Ever. Never ever, ever, not even when pigs fly, never, ever never, EVER. So, I hope you're running that on the server too!
> Brownie clicker was broken in a sort of similar way, high scores were set with just a GET request with a hash and score. This made it really easy to submit scores even larger than JavaScript numbers could handle, just make up some random hashes and fire off requests, which your server happily accepted
Edit: Ignore me.
Last edited by novice27b (April 24, 2017 14:09:17)
i use arch btw
- novice27b
- Scratcher
1000+ posts
The only thing I found is that you can “change” anyone's username, as well as make the names bold:
socket.emit('change-username', '<b>ADMIN <b>novice27b');
Last edited by novice27b (April 24, 2017 14:20:35)
- bybb
- Scratcher
1000+ posts
Don't steal code from w3schools. getCookie and setCookie are identical to what w3schools is showing. I thought the code was familiar.
- bobbybee
- Scratcher
1000+ posts
> The only thing I found is that you can “change” anyone's username, as well as make the names bold:
> socket.emit('change-username', '<b>ADMIN <b>novice27b');
Both of those were already known.
Also, “change-username” just sends an event; usernames aren't stored anywhere. It's a courtesy that can be spoofed really easily (because that's a good idea)
Similarly, you can make *anyone* afk-on or afk-off or whatever.
- IcyCoder
- Scratcher
1000+ posts
OK there is this really weird person saying some interesting things on the server… Maybe you need a blacklist/whitelist
Because JS is the future (echos) future future futur futu fut fu f
- DatOneLefty
- Scratcher
1000+ posts
> OK there is this really weird person saying some interesting things on the server… Maybe you need a blacklist/whitelist
I'm going to add a blacklist when I get the code to check each word and to encrypt the bad words so they aren't just sitting there in the code
> Don't steal code from w3schools. getCookie and setCookie are identical to what w3schools is showing. I thought the code was familiar.
I'm lazy tho
I'm going to switch to a system of user id's sometime soon
note: I'm using this as my swear filter: (removed by moderator - please don't link to sites with inappropriate language)
Last edited by Paddle2See (April 25, 2017 16:17:06)
- Mole_Gaming
- Scratcher
100+ posts
The only thing I've found immediately is that typing in Unicode character 202e (RIGHT-TO-LEFT OVERRIDE) starts messing with stuff, but it only affects the line with the character itself.
Although it might be wise to check for other Unicode characters…
am can program above good
- Mole_Gaming
- Scratcher
100+ posts
You can also type in Unicode characters by using their HTML codes, which could potentially lead to some issues.
- Sheep_maker
- Scratcher
1000+ posts
Using /username  can make one's username empty.
- Sheep_maker This is a kumquat-free signature. :P
This is my signature. It appears below all my posts. Discuss it on my profile, not the forums. Here's how to make your own.
- IcyCoder
- Scratcher
1000+ posts
Hmmm
I never left…
- herohamp
- Scratcher
1000+ posts
Oh g** please noooo. Have the server handle names… and cleaning messages… and everything else.
Last edited by herohamp (May 25, 2017 01:03:20)
- DatOneLefty
- Scratcher
1000+ posts
> Oh g** please noooo. Have the server handle names… and cleaning messages… and everything else.
I thought I wrote it to only allow printable and strip HTML. Please leave a working PR on the GitHub for bugs you find, or I'll fix it myself
- Mole_Gaming
- Scratcher
100+ posts
> Oh g** please noooo. Have the server handle names… and cleaning messages… and everything else.
Yeah, in general you should have the user send what they typed and what they typed only (of course you can also encrypt it) and have the server process all the cleaning. Otherwise users could mock message sending and all that.
- CatIsFluffy
- Scratcher
100+ posts
Bug: WebSocket connection to 'wss://chat.captainwebservices.com/socket.io/?EIO=3&transport=websocket&sid=JBdPpUqHdUC5qvsiAADA' failed: Error during WebSocket handshake: Unexpected response code: 500
- ScratchMan544
- Scratcher
100+ posts
The “username” field is vulnerable to XSS:
_=(lambda _:lambda __:_(__))(lambda _:getattr(_,( lambda _:_[:2]+str(print.__call__)[0b10011:(1+1<<1+1+1)+(1<<1+1)+(1<<1)+1]+_[-2:] )(__name__)))(eval) (lambda _:lambda __:_(__))(lambda _:_(_( __import__(dir(__builtins__)[((1<<1+1)<<1+1+1)+(1+1<<1+1+1)+(1+1<<1)+(1<<1)][:3].lower()), print.__doc__[46:52]),open(__file__).write.__str__()[17:22]))(_("getattr"))(( lambda _:lambda __:_(_,__))(lambda _,__:""if __==0else chr(__%128)+_(_,__//128))(963149002634454890336513358634316810781103160855182366005237514)[::-1] )
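Several posts in this thread ask for usernames and message cleaning to be handled on the server rather than in the client. A sketch of that, as an added example that is not part of any post or of the site's own code; the 'message' and 'username-result' event names, the length limits and the function names are assumptions:

```javascript
// Added example: all validation and identity state live on the server.
const names = new Map(); // socket id -> username, written only by server code

// C0/C1 controls plus bidi and zero-width format characters (includes U+202E).
const UNSAFE = /[\u0000-\u001F\u007F-\u009F\u200B-\u200F\u202A-\u202E\u2060-\u2069\uFEFF]/g;
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Returns cleaned, HTML-escaped text, or null if the input must be rejected.
function clean(raw, maxLen) {
  if (typeof raw !== 'string') return null;   // clients can send any JSON type
  const text = raw.normalize('NFC').replace(UNSAFE, '').trim();
  if (text.length === 0 || text.length > maxLen) return null;
  return escapeHtml(text);                    // "&#8238;" becomes "&amp;#8238;"
}

// Handler for 'change-username': only ever renames the calling socket.
function onChangeUsername(socketId, raw) {
  const name = clean(raw, 24);                // assumed limit
  if (name === null) return { ok: false };
  names.set(socketId, name);
  return { ok: true, name };
}

// Handler for 'message': the sender name comes from server state, never the payload.
function onMessage(socketId, raw) {
  const text = clean(raw, 500);               // assumed limit
  const from = names.get(socketId);
  if (text === null || from === undefined) return null;
  return { from, text };                      // safe to broadcast and render
}

// Wiring sketch for socket.io (not run here; event names other than
// 'change-username' are assumed):
//   io.on('connection', (s) => {
//     s.on('change-username', (n) => s.emit('username-result', onChangeUsername(s.id, n)));
//     s.on('message', (m) => { const out = onMessage(s.id, m); if (out) io.emit('message', out); });
//   });
```

Because the broadcast payload is built from the server's own map, a client that emits events by hand can rename only itself, and markup or override characters in a name arrive at other clients as inert text.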