PHP
qwestion, 2014-12-02 20:17:00

How can you check the code for security?

There is a bunch of different code, weighing about 1.2 MB; I want to check it, but I don't know where and how..
Used:
converted HTML
converted CSS
PHP, MySQL, JS.
Somehow I don't want to spread the code, so for sure the security will suffer.
The code uses regular expressions. Filtering out dangerous characters.
Well, the validator. But maybe you can somehow break through the protection, as with XSS.
I also know there is CSRF; I have not yet defended against it, but I know how.. A token with a salt. The question is where to use it? In the URL? For example, when submitting a form, there is a "value" attribute in the form. A hash is generated in this attribute and written to the database after the user submits... The server checks the hash value, compares it and issues a verdict... And where else should it be used?
DDoS doesn't seem interesting either, there is protection.. if a user frequently refreshes or requests a page, he is banned for 5-10 seconds "what time did you choose"
There is also password guessing: 3 attempts and a captcha, after 3 more attempts a freeze for 10 minutes or SMS confirmation "not decided yet, maybe both at once"
Server protection: let the owner worry about that.
What other attacks are there? Only those which concern the web; spies, thieves, etc. do not apply...
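The CSRF token scheme the question describes (a hash in a form field, checked on submit) can be done without a database round-trip: bind one random token to the user's session, put it in a hidden field of every state-changing form (POST body, not the URL), and compare it in constant time on the server. The following is an added example, not code from the question or any answer; it assumes PHP 7+ with sessions enabled, and the form handler is hypothetical.

```php
<?php
// Added example (not from the original post): session-bound CSRF token.
// Assumes PHP >= 7 (random_bytes, hash_equals) and sessions enabled.
declare(strict_types=1);

session_start();

// Issue (or reuse) one random token per session. The token is only ever
// compared, never interpreted, so no "dangerous character" filtering applies.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field carrying the token inside the POST body of a form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token. hash_equals() is constant-time, so the check
// does not leak how many leading bytes matched.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Apply it to every request that changes state. Keeping the token out of the
// URL means it does not leak via Referer headers, logs or browser history.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the action here (hypothetical: post a comment, change a password)
}
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <input type="text" name="comment">
    <button type="submit">Send</button>
</form>
```

The same token must also be required on AJAX requests that change state (send it as a header or body field, never as a cookie alone), and a GET request should never perform an action, so it needs no token.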


5 answer(s)
mamkaololosha, 2014-12-02
@mamkaololosha

Order a hack.

FanatPHP, 2014-12-02
@FanatPHP

Filtering out dangerous characters.

No need to check. The site is leaky.

Armenian Radio, 2014-12-02
@gbg

Somehow I don't want to spread the code, so for sure the security will suffer.

If its security could be compromised by publishing the code, it violates Kerckhoffs's principle, which means it should be sent to the trash.
In well-written applications, even completely open source code should not give an attacker any chance.

Vitaly Pukhov, 2014-12-03
@Neuroware

The code is not secure! :) Safe code does not exist; if it has at least 1 byte of code, then there are bugs in it that can be exploited. A test for the "popular" holes can be ordered from people who specialize in this; usually it's not cheap.
Regarding DDoS, do you think you will protect yourself from a "bath" attack by an intruder? I advise you to look for an article on Habr about an attack on a pizza-ordering site: it was not just the site, the provider itself suffered from that attack, and an attack of this magnitude is not a problem at the moment; there are a lot of botnets and many people can arrange this.

SilverSlice, 2014-12-03
@SilverSlice

You can test your site with security scanners; while you are figuring them out, you will also find out what other attacks exist.
