disease's profile @disease

warning!

From the tests i have done, there are many vulnerabilities on this website, there are also a lot of bugs. Example: when posting something, if you spam click `post` it will create a post for every time you click the button, there should be an implementation to limit the time between posts and to make the button a one time click. (THIS BUG MAKES THE SITE LAG!). its also a pain to delete all of the posts if you accidentally do so as the site refreshes but will still lag and there is a small chance that the post will not be deleted. There is also a password vulnerability… maybe don’t have the user’s passwords get stored as a plain document.

THERE ARE VULNERABILITIES IN THE REPO!; Yes, even tho the repo is the legacy site and isn’t used anymore it is still good to state the vulnerabilities on the repo as people might use the template to make their own site like this and wont know of the vulnerabilities in the code:

List of the vulnerabilities on the repo: SQL Injection, Cross-Site Scripting (XSS), Insecure Direct Object Reference (IDOR), Lack of Input Validation, Insecure, Outdated Dependencies, Lack of Error Handling, Insecure Session Managemen, Storage of Sensitive Data(user and password information: Insecure Password Storage, Weak Password Hashing, Lack of Password Salting, Insecure Password Verification, Missing Password Complexity Requirements, insecure Password Reset Token Generation, insecure Password Storage in Sessions), Lack of Secure Communication… sry <3

Aug 16, 2024, 2:18 PM
6 7 24

comments (single view)

View parent
jeffalo's profile @jeffalo Aug 17, 2024, 10:25 AM

  • Storage of Sensitive Data(user and password information: Insecure Password Storage

    • wasteof has never stored passwords, and only the minimum amount of user information is ever stored. the most sensitive thing stored is email adderesses and that;’s optional too.

  • Weak Password Hashing

    • bcrypt is not weak

  • Lack of Password Salting

    • bcrypt is salted by design

  • Insecure Password Verification

    • how? timing attacks?

  • Missing Password Complexity Requirements

    • we let users decide how they want to secure their accounts. you can even have no password if you wish. this isn’t a vulnerability.

  • insecure Password Reset Token Generation

    • in the current codebase they’re cryptographically secure. in the old codebase there aren’t even password reset tokens.

  • insecure Password Storage in Sessions)

    • wasteof doesn’t store passwords in sessions

  • Lack of Secure Communication

    • ?

jeffalo's profile @jeffalo Aug 17, 2024, 10:32 AM

this kind of post serves no purpose other than to spread misinformation and fear. if you find real security issues, report them using my contact details on the /security.txt page rather than sharing them publicly. this whole post is wrong on so many levels that you’re really just making real security work look bad…

starlight's profile @starlight Aug 20, 2024, 9:37 PM

good to know! /gen

View all comments