Pen testing?

  1. #1
    Member
    Join Date
    Nov 2005
    Posts
    43

    Pen testing?

    hi again all,

    Before I go ahead I should state right now that I'm no great shakes with web design/coding.

    The office I do some part time IT work for wanted a page to allow people to register with them so with a little help from google and friends who are better at this stuff I set up a .php which saves everything to a database and seems to work well enough.

    So it works and should be fine against injection and overflows (so I'm told by someone who checked it for me), but I got to thinking. Anyone who's been around online forums has seen spambots register and post whatever crap.

    I added a captcha (I think that's what it's called), but my boss didn't want anything too complex that would make it hard for people to register, so I'm pretty sure OCR could pick it up.

    My worry is someone could try the same thing to just spam entries on the page which would either crash the server or leave the database full of useless information giving (most likely me) hours of work to filter through it.

    So before it actually goes public on the site I wanted to stress test it a bit. I don't actually have the skill to make something myself to do it, and I checked around Google, but I'm not actually sure what I'm looking for. Someone mentioned XRumer, but that doesn't seem to be it.

    Long story short, I'm looking for something that would let me stress test the page. Free or otherwise, it doesn't really matter, since it's probably worth investing in not losing my job there.

    Thanks in advance anyone with any ideas, even a generic term for the kind of thing I'm looking for would be great and I can search around from there.
    Did someone piss in the gene pool?

  2. #2
    Member
    Join Date
    Nov 2005
    Posts
    43
    There's plenty of forum spambots used for advertising (like XRumer) which sign up by automatically entering information into .php pages.

    I'd buy that if it wasn't for the fact that it targets different forums and emails them (oddly enough, if you Google mine around you can find some webserver with XRumer files on it, including a pretty big forum list); I'd buy it to test this.

    Surely there must be something out there that targets a single PHP page?
    Did someone piss in the gene pool?

  3. #3
    Instead of a CAPTCHA I use 2 extra fields to detect bot behaviour.

    One is "email_again" with CSS display set to "none" -> if this is filled in, it's likely to be a bot filling in every field of the form.

    The other is a timestamp. If the form is submitted within 10 seconds of being created or 30 minutes after being created, again it's likely to be a bot.

    If my form thinks it's a bot, it lets the user know and offers a phone number to call if it's really a human trying to contact them.

    Cheers,
    Niggles
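    The two checks Niggles describes, written out as an added example for the original poster's kind of registration .php (this is not code from the thread or from any particular project). It assumes three form fields named email_again, ts and ts_sig, and a site secret FORM_SECRET that lives in config; the secret is there because a bare timestamp in a hidden field is trivially rewritten by whatever submits the form, so the server signs it with an HMAC and refuses any timestamp it did not issue. The 10 second / 30 minute window is taken from the post.

```php
<?php
// Added example, not from the thread: honeypot field plus signed timestamp
// as a server-side bot check for a PHP registration form.
// Assumed field names: email_again (honeypot), ts, ts_sig.
declare(strict_types=1);

const MIN_SECONDS = 10;       // submitted faster than this: likely a bot
const MAX_SECONDS = 30 * 60;  // older than this: stale or replayed form

// Placeholder secret: in a real deployment load it from config outside the web root.
const FORM_SECRET = 'replace-with-a-long-random-secret';

/** Hidden fields to embed when the form is rendered; $now is the serve time. */
function form_hidden_fields(int $now): string
{
    $ts  = (string) $now;
    $sig = hash_hmac('sha256', $ts, FORM_SECRET);
    return '<input type="hidden" name="ts" value="' . htmlspecialchars($ts, ENT_QUOTES) . '">' . "\n"
         . '<input type="hidden" name="ts_sig" value="' . htmlspecialchars($sig, ENT_QUOTES) . '">' . "\n"
         // Honeypot: hidden by CSS, so a human never sees or fills it.
         . '<div style="display:none"><input type="text" name="email_again" value=""></div>' . "\n";
}

/**
 * Return null when the submission looks human, otherwise a short reason.
 * $post is the submitted data (e.g. $_POST); $now is the current time.
 */
function looks_like_bot(array $post, int $now): ?string
{
    // 1. Honeypot: a browser never shows this field, so it must come back empty.
    if (isset($post['email_again']) && $post['email_again'] !== '') {
        return 'honeypot filled';
    }

    // 2. Signed timestamp: both fields present, digits only, signature matches.
    $ts  = $post['ts']     ?? '';
    $sig = $post['ts_sig'] ?? '';
    if ($ts === '' || $sig === '' || !ctype_digit($ts)) {
        return 'timestamp missing';
    }
    $expected = hash_hmac('sha256', $ts, FORM_SECRET);
    if (!hash_equals($expected, $sig)) {   // constant-time compare
        return 'timestamp tampered';
    }

    // 3. Timing window: too fast after serving, or too long after.
    $age = $now - (int) $ts;
    if ($age < MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > MAX_SECONDS) {
        return 'form expired';
    }
    return null;
}

// Constructed walk-through: the form is served at t = 1000 and three
// submissions are checked against it (a human, a too-fast one, and a
// honeypot-filling one). Replace with $_POST and time() in the real handler.
$served = 1000;
$sig    = hash_hmac('sha256', (string) $served, FORM_SECRET);

$human = ['name' => 'Alice', 'ts' => '1000', 'ts_sig' => $sig, 'email_again' => ''];
$fast  = ['name' => 'x',     'ts' => '1000', 'ts_sig' => $sig, 'email_again' => ''];
$bot   = ['name' => 'x',     'ts' => '1000', 'ts_sig' => $sig, 'email_again' => 'x@y'];

foreach ([[$human, $served + 45], [$fast, $served + 3], [$bot, $served + 45]] as [$post, $now]) {
    $reason = looks_like_bot($post, $now);
    echo $reason === null ? "accepted\n" : "rejected: {$reason}\n";
}
```

    When a submission is rejected, the handler can do what the post suggests: show a message with a phone number rather than a blank error, so a genuine person who tripped the timing window still has a way to reach the office. Logging the reason string is also worth doing, since a run of "honeypot filled" rejections in the log is exactly the kind of spam wave the original poster is worried about.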

  4. #4
    nihil (Super Moderator: GMT Zone)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    1. Have you created this yourself or are you using proprietary software? If so, which one?

    2. What information do people have to enter to register?

    3. Is there a discussion board/forum that they can post to, where they can all see every post?

    Basically these bots are designed to attack bulletin boards and discussion forums and they are unlikely to be able to handle a custom format that is different from that supported by the proprietary software.

    They are not interested if there isn't a forum for all to see and contribute to.

    There are lots of ways of stopping bots, but they depend on your particular setup. Things like IP address blocks, forbidden words, access times, pre-moderation/validation and so on.

    Any idea of the number of members and amount of traffic that are expected?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
