Index Ongoing Releases Open issues

Enhancement A-Z Ongoing

Harden Topincs

Issue description

Make hacking Topincs so hard, that it is not worth the effort!

Developer comments

Sophisticated scan with more than 100.000 requests on several public or study systems happened on 13th and 14th of March 2024. It showed considerable effort, thinking and adjusting and was performed by unknown party. Did not produce any big insights, but helped to mitigate some problems where bad requests caused a server exception instead of being rejected properly. See [12871, this issue] for more information.

Reporting date

2014-08-03

Reported by

Robert Cerny

Planned for version

Topincs Psi Ψ

Has sub issue31

Untie form from topics/.search (Change)

Untie registration from .detect-value(Change)

Secure login(Enhancement)

Restrict type access in topics/.all(Change)

CSRF protection(Enhancement)

Get rid of server side eval(Change)

Restrictions in service programming(Change)

Prevent SQL Injection and switch to prepared SQL statements(Change)

Get rid of client side eval(Change)

Consider while(1) trick(Change)

Refactor database access(Change)

XSS protection(Enhancement)

Harden against web shells(Enhancement)

Harden against remote file inclusion(Enhancement)

Malicious user: defend against bumping an account into admin group(Change)

Access to individual items for admin only(Change)

Restrictions to non-public Topincs API(Change)

Stricter access control in package saving(Change)

Store specific temp dir(Change)

Disable functions(Change)

Consider suhosin/Snuffleupagus(Enhancement)

Validation of service parameters of datatype string(Change)

Harden against malicious admin(Enhancement)

Security checking views(Enhancement)

Constraints should not expose group ids(Change)

Harden against malicous user(Enhancement)

Harden against malicious anonymous(Enhancement)

Prevent brute-force password guessing(Enhancement)

Harden content security policy(Enhancement)

Harden .context-menu(Enhancement)

Null bytes in username(Change)

Work sessions24

4982

4983

4984

4985

4986

4987

4988

4989

4990

4991

4992

4994

4995

4996

4997

4998

5000

5001

5002

5003

5004

5005

5009

5014

Helpful webpages18

serverfault.com/…04/is-this-a-hack-attempt

code.google.com/p/skipfish/

code.google.com/p/browsersec/wiki/Main

stackoverflow.com/…event-xss-with-html-php

www.owasp.org/…hp/PHP_Security_Cheat_Sheet

github.com/sqlmapproject/sqlmap/wiki

www.binarytides.com/…map-hacking-tutorial/

phpsecurity.readthedocs.org/…st/index.html

hackertarget.com/

www.metasploit.com/

www.creativebloq.com/…ct-your-site-7122853

www.owasp.org/…SP_Zed_Attack_Proxy_Project

www.cyberciti.biz/…practices-tutorial.html

stackoverflow.com/…ysql-real-escape-string

www.primalsecurity.net/…g-with-burp-suite/

comparite.ch/sqlmapcs

cheatsheetseries.owasp.org/

book.hacktricks.xyz/

We are sorry

This page cannot be displayed in your browser. Use Firefox, Opera, Safari, or Chrome instead.

Saving …

Before we continue …

Sort

No internet connection

Refreshed unknown