so i am working on a project "detecting compromised nodes in flying ad-hoc network", for this purpose i am trying to implement a malicious node which perform a Sybil attack , so is there any idea about how to implement this attack ! thank you
Related
i have to write a report based on an a simple SQL injection attack. In this report i have to provide screenshots of my "walkthrough" so i cannot use pictures of other tutorials on the web. Now my question is: can anybody tell me the names of some websites vulnerable to SQL injection attack on which i can test my attack legally? Thanks to Google dorks i have already found some vulnerable websites, but i think that running the attack over them is illegal. I want to avoid the setting up of a personal website for this purpose, but if there are no other solutions i need an help also in setting up this kind of site.
There is a web application called DVWA (Damn Vulnerable Web Application), it's not hosted on the internet. you have to download it and run as localhost on your computer. However it has a range of vulnerabilities, i have used it in the past for trying out a brute force attack. As its localhost its legal. it should be ideal for a walk through tutorial. I know you said that you didn't want to setup your own website, but the setup is a few minutes. Hope this Helps :D
Link: http://www.dvwa.co.uk/
I'm implementing a game app based on cocos2d-x. In order to technically prevent cheating, one of the ideas to do is using HTTPS for all the client-server communication, which make it difficult to get the data format / game logic and send modified request to cheat. (I know "prevent" is actually impossible but for increasing the cost of making game cheating it's ok : ). My question is,
In Cocos2d-x, how to make HTTPS request? Possible?
In a more general case, technically what to do to reduce such game hacking? What strategy to hold?
For native cross platform C++ networking you may consider using Boost C++ libraries. Boost.Asio is the one used for networking.
Boost.Asio link:
http://www.boost.org/doc/libs/1_53_0/doc/html/boost_asio.html
Boost.Asio tutorials link: http://www.boost.org/doc/libs/1_53_0/doc/html/boost_asio/tutorial.html
Although not officially supported (only due to lack of regression testing on iOS and Android), Boost runs without any problems on iOS and Android (and probably other C++ based mobile platforms as well).
To prevent cheating you usually rely on an external source (which can be your game server) e.g. if your game relies on the time of day you may get the time form an external server. You may use encryption libraries for data transfer on the client and server side.
by using curl library you can make https connection.
if you want technically protect your game use you own strong encryption technique.
Thanks
Hi this is a problem we face all the time. If the cheating is limited to the cheater's instance the questions is academical and should be studied on your spare time.
On the other hand when your income is impacted or when the cheater's actions impact other players and degrade the game experience you should put some effort on testing the game state for inconsistencies, secure the client/server transactions and deal with cheating in very subtle ways to avoid completely deterring the cheaters' interest.
C++ https implementations are available with curl and boost.
Concerning the game data, the simplest way to test for inconsistencies are scores. You can add a few indicators to avoid polluting your leaderboards. You can add special checksums based on the score's components (time spent in game, number of power ups and score multipliers received...) if you can recalculate the score on the server and if inconsistencies are discovered you can deal with it.
Also you can grab instants of the game state and a few commands, encode that and replay the sequences on the server to check for inconsistencies. Deal with cheaters however you like.
When playing on a server let the server manage the gamestate and allow no client side game state changes that would impact players. Check for input consistency etc...
When using micro transactions each micro transaction should be verified with the vendors servers before being fully committed to the player's account.
Even if these papers 1, 2 from valve refer to fps games they should give you some pointers as to how to deal with state inconsistencies (introduced by communication delays). It should help in avoiding fake positives and ruining the experience for non cheaters.
I consider myself to be quite a good programmer but I know very little about sever administration. I'm sorry if these questions are noobish but I would really appreciate some advice or links on steps I can take to make this more secure.
I've completed a project for a client that involves storing some very sensitive information, ie personal details of big donors. From a programming perspective it's protected using user authentication.
I don't mind spending some money if it means the info will be more secure, what other steps should I take?
Can the database be encrypted some how so that even if the server is compromised people can't just dump the mysqldb and have everything?
Is it worth purchasing an ssl certificate?
The site is currently hosted on a personal hosting plan with a reasonably trustworthy host. Would a virtual private server be more secure? Are there special hosts I can use that take additional steps to protect info (ie would it be more secure on amazon s3)?
As a side note to the specific question, I would recommend reading some books on computer/programming security. Some good ones are 19 Deadly Sins of Software Security and Writing Solid Code.
You don’t need to encrypt the database itself, just encrypt the data before storing it. (Make sure to use real, cryptographically-secure algorithms instead of making one up yourself.)
Using SSL is definitely an important step if you want to avoid MITM attacks or snooping. A certificate allows you to use SSL without having to take extra steps like installing a self-signed one on each of the client systems (not to mention other benefits like revocation of compromised certs and such).
It depends on just how sensitive the information is and how bad leakage would be. You may want to read some reviews of hosts to get an idea of how good the host is. (If possible, sort the reviews ascending by rating and look at the bad reviews to see if they are objective problems that could apply to you and/or have to do with security, or if they are just incidental or specific issues to that reviewer.) As for the “cloud”, you would kind of be taking a chance since real-world security and privacy of it has yet to be determined. Obviously, if you do go with it, you’ll want a notable, trustworthy host like Amazon or Microsoft since they have benefits like accountability and work constantly and quickly to fix any problems.
HTH
This may sound like a weird question but is there any where I can download a website that is vulnerable to sql injection the url kind not login bypass?
I'm making a vulnerability scanner and I want to learn some SQLi so i can include it in my project.
Thanks, it doesn't need to be fancy. Just enough to practice on.
OWASP WebGoat is the usual example. Includes SQL injection vulnerabilities.
No, you cannot download their site to test for injection vulnerabilities. You need to download their whole DB and configs to do what you are saying. If you want to benevolently go checking the security of various sites, you have to ask them about their system and model it on your own. OWASP works on systems not recently updated with patches, like the comment of tackline-its a first port.
OWAPS's WebGoat is an application that is built to be vulnerable to attack, it is a simulation of real world vulnerabilities. The Whitebox is a collection of real world vulnerabilities, it has 2 web applications that where abandoned because the applications where so insecure. It also has a set of challenges there are vulnerable code snips taken from real world applications. This project has real world sql injection as well more serious vulnerabilities.
Try scanning the vulnerable apps with Wapiti (open source) or Acunetix ($) or NTOSpider($$$). Then try using the applications, create blog posts ect, and then scan it again.
Also check out Damn Vulnerable Linux and Google Jarlsburg.
I am planning to get my website development outsourced to a third party developer. Need your help in deciding on how/ what technology to be used to make it very secure. Since I am not a techie I need the website developed in a way, so that it is easy for me to maintain it and modify content easily if required.
The main purpose of the website is to provide company information about services offered and then also to exchange documents and other file using FTP server. Will be sending out surevey and newletters sometime
Looking for your advice to guide me to the right direction
As I already said on another answer, security is not a product, it's a process.
There isn't a 'secure' software or language. What makes your website/application secure is how it is developed and how the website is maintained.
There is no ready-made solution that, one time or another, won't be hacked.
If the people you are outsourcing to don't understand this, outsource to someone else.
Making your web server "hardened" against attack is best left to the expert sys-admins at Server Fault. However regardless of what technology you use, there is one HUGE thing an end user can do to protect her/his online assets:
USE STRONG PASSWORDS
You can make a site secure using any technology/language/framework.
It's the code quality that makes a site insecure, not the technology/language/framework.
There is no single "correct" language to use -- it's possible to write an insecure website in any language.
The key is hiring staff that have the skill and experience in developing secure web solutions, and also making sure that the system is tested often by external specialists