MafiaTools - Page 2
kushm4sta
United States, 8878 Posts
Xatalos
Finland, 9675 Posts
On August 28 2014 06:01 kushm4sta wrote:
> I don't have a mac

Why did you talk about Mac stuff then? >.>
kushm4sta
United States, 8878 Posts

Xatalos
Finland, 9675 Posts

Xatalos
Finland, 9675 Posts

Xatalos
Finland, 9675 Posts
gonzaw
Uruguay, 4911 Posts
Suggestion (it's just small tiny stuff)

1) When you edit stuff about a player, the "points" thing is a <textarea>. Change it to <input type="text">, or better yet to the new HTML5 stuff like this:

<input name="points" placeholder="Points" type="number" min="0"></input>

That way you get a better input box to put it in (if you use "number" you even get some mini buttons to increase it).

EDIT:

2) When you go back to the "Games" menu, or stuff like that, you need to redirect. For instance, I try to access the next URL to delete a game (by pressing the "Delete" button for instance):

http://t-teesalmi.users.cs.helsinki.fi/MafiaTools/DeleteGame?id=29

However, after the game is deleted, I go back to the "Games" menu, yet the URL is exactly the same (it says "DeleteGame?id=29"). That means that when I hit Refresh, it goes back to that same URL, i.e. it tries to delete the game I already deleted, which shows this nice little fella:

java.lang.NullPointerException
    Servlets.DeleteGameServlet.processRequest(DeleteGameServlet.java:53)
    Servlets.DeleteGameServlet.doGet(DeleteGameServlet.java:89)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

Use "Redirect" instead of "Forward". I don't remember what you were using, but if you are using servlets and Tomcat or stuff, then you did something like this:

request.getRequestDispatcher("games.jsp").forward(request,response);

I think you can use "response.sendRedirect(URL)" or "request.getRequestDispatcher(URL).forward(request,response)", where URL would be the servlet action (maybe "/Games"?). Here's more info: http://en.wikipedia.org/wiki/Post/Redirect/Get

3) I tried testing some security stuff. Didn't see entrances for SQL injection, which is good (at least when creating things).

4) You are vulnerable to CSRF requests: http://en.wikipedia.org/wiki/Cross-site_request_forgery

For example, you have this URL here: http://t-teesalmi.users.cs.helsinki.fi/MafiaTools/DeleteGame?id=2

Now, if I inadvertently press that link, nothing happens since I don't own a game with id 2 (and it even shows me a nifty "Stop hacking the database!" tag :D ). But imagine that the player that DOES own the game with id 2 clicks that link. It will automatically delete his own game, even when he didn't want to (he just randomly clicked a link). I could make it more obtrusive than that, for instance by doing something like this: Free titties! Click Now! Now your user clicks there thinking of free titties, but inadvertently deletes his game (check the actual URL).

5) It's protected against XSS attacks, good.
Xatalos
Finland, 9675 Posts
Xatalos
Finland, 9675 Posts
2) Done.
3) Nice to know.
4) How to prevent this? Seems like kind of a niche / not so dangerous thing though
5) Nice to know.

Thanks for the more technical suggestions
gonzaw
Uruguay, 4911 Posts
On August 29 2014 04:39 Xatalos wrote:
> 4) How to prevent this? Seems like kind of a niche / not so dangerous thing though

You just need to add random numbers, like adding links with numbers from 1 up to 100, and you can just wait for somebody to open them up. With today's browser navigation, you can always expect someone to be already logged in, unless you make users' sessions expire (say, after 10 minutes of no interaction with the web site or something).

Yeah, doubt you'll get anything if you post it as a link in this forum. But there are other ways to do so. Easy one: send every player from TL Mafia an email with this message body:

<img src="http://t-teesalmi.users.cs.helsinki.fi/MafiaTools/DeleteGame?id=2" width="1" height="1" border="0">

Surely all players will regularly check their email. Once the dude that owns game with id "2" reads the email, the browser automatically sends a request to that URL, deleting his game. The user doesn't even have to press a link.

I mean... if someone wants to fuck up your website he WILL do it. Hackers are resourceful little whippersnappers like that. I guess it's not that important for this "toy" project, but it's a good lesson when you make bigger stuff. I mean, you don't want to find out that ALL the games from your website were deleted with such an attack, just because there was a bored dude that checked that site out and wanted to fuck it up.

To prevent it, check the "Prevention" section in the Wikipedia article. It's easier if you use a framework that does that automatically for you. If not, the easiest is to add that "authentication hidden field" to the form, and send it with the request. Then check it in the server, and if it matches the one that's on the server you delete the game, if not you don't.

Basically, it's like this:
1. User goes to page "Games", you generate a random value XXYY and send it in the page in a hidden field.
2. User presses button "Delete Game", sending, in the form (or cookies, or even the URL as another parameter), the value XXYY.
3. In the server, you check that the value you get from the request is the same as the one you got (XXYY). If it's the same, you delete the game, if not you send an error.

Now if you just randomly arrive at that link from another place (like the email above), you won't send the correct value token (that gets generated ONLY when you go to the "My Games" page), so you'll never be able to mistakenly delete your own games.
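The two server-side fixes raised in this thread (redirect after the delete instead of forwarding, and a per-session token checked before deleting) fit in one servlet. The code below is an added example written for this thread, not MafiaTools' own code: the in-memory GameStore, the "username" session attribute and the "/Games" redirect path are assumptions standing in for whatever the real project uses, and it also moves the delete from a GET link to a POST form, which is stricter than the hidden-field-in-the-URL variant gonzaw mentions as acceptable.

```java
// Added example, not MafiaTools code: a DeleteGame servlet that applies both fixes from
// the thread. GameStore, the "username" session attribute and the "/Games" path are
// assumptions standing in for whatever the real project uses.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class DeleteGameServlet extends HttpServlet {
    private static final String TOKEN_ATTR = "csrfToken";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Constructed in-memory stand-in for the games table (game id -> owner). */
    static final class GameStore {
        private final Map<Integer, String> owners = new ConcurrentHashMap<>();
        void put(int id, String owner) { owners.put(id, owner); }
        /** True only if the game existed and belonged to user; a repeat call returns false instead of throwing. */
        boolean deleteIfOwnedBy(int id, String user) { return owners.remove(id, user); }
    }
    static final GameStore GAMES = new GameStore();

    /** The "XXYY" value: one random token per session, created when the Games page is first rendered. */
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    /** Fragment for the Games page: the Delete button becomes a POST form carrying the hidden token. */
    public static String deleteForm(HttpSession session, int gameId) {
        return "<form method=\"post\" action=\"DeleteGame\">"
             + "<input type=\"hidden\" name=\"csrfToken\" value=\"" + tokenFor(session) + "\">"
             + "<input type=\"hidden\" name=\"id\" value=\"" + gameId + "\">"
             + "<button type=\"submit\">Delete</button></form>";
    }

    /** Compare in constant time so the check cannot be probed byte by byte. */
    static boolean tokenMatches(HttpSession session, String submitted) {
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** A GET never changes state: a plain link or an <img src=...> in an e-mail would trigger it. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Use the Delete button on the Games page");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !tokenMatches(session, req.getParameter("csrfToken"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
            return;
        }
        int id;
        try {
            id = Integer.parseInt(req.getParameter("id"));
        } catch (NumberFormatException e) {   // also covers a missing id: parseInt(null) throws NFE
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad game id");
            return;
        }
        String user = (String) session.getAttribute("username");   // assumed login attribute
        // Look up and delete in one step: an already-deleted id just yields false, no NullPointerException.
        boolean deleted = user != null && GAMES.deleteIfOwnedBy(id, user);
        // Post/Redirect/Get: the browser ends up on /Games, so a refresh re-lists instead of re-deleting.
        resp.sendRedirect(req.getContextPath() + "/Games" + (deleted ? "" : "?error=notfound"));
    }
}
```

The Games page calls deleteForm(session, gameId) once per row, so every Delete button carries the session's token; a request that arrives from an e-mail image or a pasted link has no way to know that value and is refused before any database work happens. Keeping the token in the session (rather than regenerating it on every page view) means two Games tabs open at once still both work.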
Xatalos
Finland, 9675 Posts
On August 29 2014 23:21 gonzaw wrote:
> You just need to add random numbers, like adding links with numbers from 1 up to 100, and you can just wait for somebody to open them up. With today's browser navigation, you can always expect someone to be already logged in, unless you make users' sessions expire (say, after 10 minutes of no interaction with the web site or something).
>
> Yeah, doubt you'll get anything if you post it as a link in this forum. But there are other ways to do so. Easy one: send every player from TL Mafia an email with this message body:
>
> Surely all players will regularly check their email. Once the dude that owns game with id "2" reads the email, the browser automatically sends a request to that URL, deleting his game. The user doesn't even have to press a link.
>
> I mean... if someone wants to fuck up your website he WILL do it. Hackers are resourceful little whippersnappers like that. I guess it's not that important for this "toy" project, but it's a good lesson when you make bigger stuff. I mean, you don't want to find out that ALL the games from your website were deleted with such an attack, just because there was a bored dude that checked that site out and wanted to fuck it up.
>
> To prevent it, check the "Prevention" section in the Wikipedia article. It's easier if you use a framework that does that automatically for you. If not, the easiest is to add that "authentication hidden field" to the form, and send it with the request. Then check it in the server, and if it matches the one that's on the server you delete the game, if not you don't.
>
> Basically, it's like this:
> 1. User goes to page "Games", you generate a random value XXYY and send it in the page in a hidden field.
> 2. User presses button "Delete Game", sending, in the form (or cookies, or even the URL as another parameter), the value XXYY.
> 3. In the server, you check that the value you get from the request is the same as the one you got (XXYY). If it's the same, you delete the game, if not you send an error.
>
> Now if you just randomly arrive at that link from another place (like the email above), you won't send the correct value token (that gets generated ONLY when you go to the "My Games" page), so you'll never be able to mistakenly delete your own games.

I guess it's impossible to make my website 100% secure with my current knowledge (if it's even possible for any website, since even government/bank websites are hacked into). I'm satisfied if it's hard enough to hack that it can't just be done on any random moment of boredom

I'll look into your suggestion.
gonzaw
Uruguay, 4911 Posts
Here are some suggestions which might be easy to do and could improve it, at least aesthetically:

In the "Game" page, have a little reference that says something like this:
"0 points = Confirmed Scum
1-2 points = Very scummy
3 points = Scummy
4 points = Leaning scum
5 points = Null
6 points = Leaning town
7 points = Townie
8-9 points = Super townie
10 points = Confirmed Town"

Now what you do is add a little text next to each "score". Whenever a user changes the score of someone else to, say, 7 points, put the "Townie" text next to it, and paint both "Townie" and "7" green. If he changes it to 2, then change the text to "Very scummy" and change both of them to red. You can have variant shades of red, green, and grey, depending on the points that player has.

It's relatively easy to do (you don't have to change the database, add new pages, etc), but it can increase the usability. Because if not, users will just be looking at a huge blob of numbers and players and won't really understand what's going on, or won't really "feel" their reads coming through this point system. But a simple color system can catch a user's eye more quickly and be more pleasant to the eye.
Xatalos
Finland, 9675 Posts
On August 30 2014 09:54 gonzaw wrote:
> Yeah no problem. Surely you can add more and better stuff to your website instead of wasting time on this. Just keep it in mind if this ever gets big
>
> Here are some suggestions which might be easy to do and could improve it, at least aesthetically:
>
> In the "Game" page, have a little reference that says something like this:
> "0 points = Confirmed Scum
> 1-2 points = Very scummy
> 3 points = Scummy
> 4 points = Leaning scum
> 5 points = Null
> 6 points = Leaning town
> 7 points = Townie
> 8-9 points = Super townie
> 10 points = Confirmed Town"
>
> Now what you do is add a little text next to each "score". Whenever a user changes the score of someone else to, say, 7 points, put the "Townie" text next to it, and paint both "Townie" and "7" green. If he changes it to 2, then change the text to "Very scummy" and change both of them to red. You can have variant shades of red, green, and grey, depending on the points that player has.
>
> It's relatively easy to do (you don't have to change the database, add new pages, etc), but it can increase the usability. Because if not, users will just be looking at a huge blob of numbers and players and won't really understand what's going on, or won't really "feel" their reads coming through this point system. But a simple color system can catch a user's eye more quickly and be more pleasant to the eye.

That's an idea worth considering. However, there's one problem with that: I wouldn't want to limit the usage of the points too much. Different users might want to use the points differently. Well, maybe that would just be more simple, so much so that it would outweigh the disadvantages of losing customization...
Xatalos
Finland, 9675 Posts
The_Templar
your Country, 52797 Posts
The usernames I have tried are:
The_Templar
TehTemplar
The Templar
Lord Molyb
Lord Molybdenum
GalacticShovel
TemporaryWorker
TemplarTemp
Blazinghand
United States, 25550 Posts
The_Templar
your Country, 52797 Posts
On September 04 2014 05:09 Blazinghand wrote:
> Oh, sorry, I made a bunch of accounts on it with those names

Seems legit.
Xatalos
Finland, 9675 Posts
On September 04 2014 04:53 The_Templar wrote:
> Hey. I'm trying to register on mafiatools but it's telling me every username I type is already taken. This includes The_Templar, TehTemplar, and The Templar, among other IDs I go by on other forums. There is no way these are all taken. (Some of my usernames also involve random-looking letters or obscure words)
>
> The usernames I have tried are: The_Templar, TehTemplar, The Templar, Lord Molyb, Lord Molybdenum, GalacticShovel, TemporaryWorker, TemplarTemp

Are you sure you're not confusing the alert messages with each other? If it says "The username 'The_Templar' is already in use!" then it's already taken, but if it says something like "User 'testa' has been registered!" then it was successful. Did you try to log in on those accounts? I think you might have just created a bunch of accounts
Xatalos
Finland, 9675 Posts

Xatalos
Finland, 9675 Posts