Please break me - eCommerce site assignment

[Deleted member 66701]

Getting near the end of my next uni assignment - an eCommerce site created from scratch with mysql and PHP.

Website is @ http://testing.frontierwebdesign.co.uk/

As always, grateful for any comments, suggestions or bug notifications - especially in the shop area and checkout process (don't worry - it doesn't ask for any payment details, we're just "pretending" ). I've tested it as well as I can but you know what it's like - you don't always "see" what other people see - you see what you "think" you done, not what you've actually done.

Is anyone good at SQL injection? If so, feel feel to have a go at the site - but if you do break it, please let me know what you did!

Many thanks in advance.

 

[PaulM]

I don't have time to break it properly, but it looks like you've vulnerable to SQL injection almost everywhere. Put a single quote in any of your input fields and it'll display a warning which is always a bad sign:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /var/sites/t/testing.frontierwebdesign.co.uk/public_html/mng_user.php on line 279

Same with the URL parameters:

http://testing.frontierwebdesign.co.uk/product.php?MainCat=snowboard&SubCat=women&id=1' or '1=1

Never trust user input, ideally always use prepared statements / parameterized queries.

 

[Deleted member 66701]

I don't have time to break it properly, but it looks like you've vulnerable to SQL injection almost everywhere. Put a single quote in any of your input fields and it'll display a warning which is always a bad sign:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /var/sites/t/testing.frontierwebdesign.co.uk/public_html/mng_user.php on line 279

Same with the URL parameters:

http://testing.frontierwebdesign.co.uk/product.php?MainCat=snowboard&SubCat=women&id=1' or '1=1

Never trust user input, always ideally use prepared statements / parameterized queries.

Yeah - I thought as much - we're just doing procedural stuff atm. The only sql injection protection stuff we've covered is MYSQLI_ESCAPE_STRING

Are prepared statements and parametrised queries object orientated?

 

[PaulM]

There are procedural style functions in the mysqli extension for prepared statements:

http://php.net/manual/en/mysqli.prepare.php (see: Procedural style example)

If you don't want to use prepared statements at the very least should be using mysqli_real_escape_string on all user input.

 

[suarve]

FATAL ERROR: ALLOWED MEMORY SIZE OF 134217728 BYTES EXHAUSTED (TRIED TO ALLOCATE 32 BYTES) IN /VAR/SITES/T/TESTING.FRONTIERWEBDESIGN.CO.UK/PUBLIC_HTML/MNG_CART.PHP ON LINE 67

Muwahaha

One, turn of error reporting. Two, validate the number of items a user adds to their basket. I can also post request externally to http://testing.frontierwebdesign.co.uk/mng_cart.php?rand=5613291.

http://testing.frontierwebdesign.co.uk/password.php not working, http://testing.frontierwebdesign.co.uk/myaccount.php change password not working, http://testing.frontierwebdesign.co.uk/myaccount.php cannot delete additional delivery addresses,

Your meta titles are the same for every page of the site - a pretty big omission for an ecommerce site

Always worth having a checkout through websites as a user

 

[Deleted member 66701]

Muwahaha

One, turn of error reporting.

What do you mean?

Two, validate the number of items a user adds to their basket.

I do.

I can also post request externally to http://testing.frontierwebdesign.co.uk/mng_cart.php?rand=5613291.

I don't know what you mean

http://testing.frontierwebdesign.co.uk/password.php not working, http://testing.frontierwebdesign.co.uk/myaccount.php change password not working,

Yup - they don't need to, not part of the assignment brief - they are just place holders.

http://testing.frontierwebdesign.co.uk/myaccount.php cannot delete additional delivery addresses,

Yeah, I've disabled delete permissions for the db user on this "test" site - just in case someone actually managed to inject some sql and delete all my products! It works on the "live" site.

Your meta titles are the same for every page of the site - a pretty big omission for an ecommerce site

Thanks for the heads up.

Always worth having a checkout through websites as a user

Oh trust me, I've been through it loads Always nice to have a fresh pair of eyes though.


Thanks for taking the time to look at it

 

[rexehuk]

XSS vulnerabilities.

http://testing.frontierwebdesign.co.uk/contact.php?query=<script>alert('666')</script)

I kind of don't want to go full on, but I reckon an LFI/RFI is possible maybe if you poke around enough.

Go and download a tool, and you can mess around with your site! https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

W3AF is cool, need to run on a linux box though, and will give you an "indication" of potential holes, but by no means a confirmation.

 

[Azza]

The boards don't land in the middle when scrolling through the homepage on my mobe.

 

[Deleted member 66701]

The boards don't land in the middle when scrolling through the homepage on my mobe.

What mobile please.

 

[Azza]

Note 4.


Another thing I've noticed on my phone, when you drop down the nav bar it doesn't fill the width of the page and it looks more grey than black. Havent looked at it on my PC so it may supposed to be that way.

 

[Deleted member 66701]

Note 4.


Another thing I've noticed on my phone, when you drop down the nav bar it doesn't fill the width of the page and it looks more grey than black. Havent looked at it on my PC so it may supposed to be that way.

It's not supposed to be full width and yes it's meant to be gray.

Thanks for taking the time to look

 

[Deleted member 66701]

FYI - just got my marks for this assignment - 100%!

Overall for the Dynamic Web Development (procedural) module I got 99% (dropped a couple of marks in the final evaluation assignment).

Thanks for everyone's help.