Author Topic: Early beta release: Project Alpha Webpage  (Read 5475 times)


Offline Kulverstukas

Early beta release: Project Alpha Webpage
« on: November 01, 2013, 03:52:39 pm »
Merge fail, ignore this message :/
« Last Edit: December 28, 2013, 08:41:53 pm by Kulverstukas »

Offline ande

Early beta release: Project Alpha Webpage
« Reply #1 on: December 24, 2013, 04:13:26 am »
Hello EZ!


Some of you may be familiar with project Alpha and some of you may not. So here are some explanations:

Project Alpha
Project Alpha is the code name for a project to re-design and re-code many of Evilzone's systems from scratch, such as the IRCd and the website. Project Alpha started as a design concept, very unlike this one, about one and a half years ago and has ever since evolved into something bigger and bigger. In addition to re-designing and re-coding we also wanted to add new features and services such as a webOS, web terminal, challenges, EvilShop, pastebin, exploitDB and much more. I won't go into details about those sub-projects right now, but they are also under development. Some more information can be found in the AWESOME STUFF page.



Introduction
This is a public early beta release. There have been several development versions for staff and VIP, but this is the first real public publication of the webpage.


Please keep in mind that this is a beta and is not complete. The only major part that is open to the public and not yet complete is the profile and all its systems (account settings, private messages, etc.) (and sub-projects like the webOS).


Try it, break it, smash it and hack it. But please don't do any harm, and report to me when you are done. Although I am pretty confident in the security part of the project.




http://alpha.evilzone.org/index.php?page=forum&sub=thread&thread=1




Oh and merry christmas!  ;D
« Last Edit: January 09, 2014, 12:51:16 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Zesh

Re: Early beta release: Project Alpha Webpage
« Reply #2 on: December 24, 2013, 04:57:15 am »
Very sexy! Thanks for the gift :)



What's with the broken characters?
« Last Edit: December 24, 2013, 05:01:31 am by Zesh »


Offline Uriah

Re: Early beta release: Project Alpha Webpage
« Reply #3 on: December 24, 2013, 09:05:33 am »
Looks beautiful. Can we have the list of people who worked on this, so we can give thanks?

Really good job guys :)

Offline Stackprotector

Re: Early beta release: Project Alpha Webpage
« Reply #4 on: December 24, 2013, 10:12:20 am »
Very sexy! Thanks for the gift :)



What's with the broken characters?
That's because it's showing you raw binary output in ASCII, thus giving you random ASCII stuff.
~Factionwars

Offline rasenove

Re: Early beta release: Project Alpha Webpage
« Reply #5 on: December 24, 2013, 01:01:37 pm »
Really awesome work.
It's worth the wait.
My secrets have secrets...

Offline ande

Re: Early beta release: Project Alpha Webpage
« Reply #6 on: December 24, 2013, 03:36:34 pm »
Very sexy! Thanks for the gift :)



What's with the broken characters?

It's supposed to be a joke/representation of an exploit doing some sort of overflow.


Looks beautiful. Can we have the list of people who worked on this, so we can give thanks?

Really good job guys :)

The website is mostly me.

Offline Fur

Re: Early beta release: Project Alpha Webpage
« Reply #7 on: December 24, 2013, 05:41:47 pm »
Everything is so smooth and lovely. 10/10 would visit again.

Also, what's up with the client side hashing when logging in?

Offline ande

Re: Early beta release: Project Alpha Webpage
« Reply #8 on: December 24, 2013, 11:43:36 pm »
Everything is so smooth and lovely. 10/10 would visit again.

Also, what's up with the client side hashing when logging in?

Not sure how to answer this. The client side hashing is done for obvious reasons: Not sending your password in plaintext to the server.

Offline Matriplex

Re: Early beta release: Project Alpha Webpage
« Reply #9 on: December 25, 2013, 01:55:06 am »
I visited this when you first posted about it yesterday and was extremely impressed. Very nice work ande.
I visited today, when I had more time, and what can I say other than holy shit. I mean, the terminal, exploitdb, ctf, challenges. Ande you are taking EZ to a whole nother level. Hats off to you my friend!
\x64\x6F\x75\x65\x76\x65\x6E\x00

Offline lucid

Re: Early beta release: Project Alpha Webpage
« Reply #10 on: December 25, 2013, 02:52:26 am »
I WANT TO LOGIN!! When is our acct. info transferred over?
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline Fur

Re: Early beta release: Project Alpha Webpage
« Reply #11 on: December 25, 2013, 07:53:59 am »
The client side hashing is done for obvious reasons: Not sending your password in plaintext to the server.
Theoretically, couldn't an attacker just modify the function if the site is not using https? I get that it would make password sniffing harder, but still. Oh, and wouldn't I need JS enabled just to login?
I skimmed this and this, and it's generally agreed to be insecure, but it does prevent the sniffer from logging into other sites that are using the same credentials, obviously (but you'd have to be stupid to use the same password twice).

Forgive me if some of this is fatally flawed, I just woke up and security isn't my speciality. Sorry if my tone sounds a bit unusual, I couldn't think of how to put it.
Anyway, merry Christmas.
« Last Edit: December 25, 2013, 07:55:02 am by Fur »

Offline ande

Re: Early beta release: Project Alpha Webpage
« Reply #12 on: December 25, 2013, 05:26:07 pm »
I WANT TO LOGIN!! When is our acct. info transferred over?

You can register :P


Theoretically, couldn't an attacker just modify the function if the site is not using https? I get that it would make password sniffing harder, but still. Oh, and wouldn't I need JS enabled just to login?
I skimmed this and this, and it's generally agreed to be insecure, but it does prevent the sniffer from logging into other sites that are using the same credentials, obviously (but you'd have to be stupid to use the same password twice).

Forgive me if some of this is fatally flawed, I just woke up and security isn't my speciality. Sorry if my tone sounds a bit unusual, I couldn't think of how to put it.
Anyway, merry Christmas.

If you modify the function to send some other form of hash you will not be able to log in, because the server is expecting 100x SHA512 and anything else will just give you wrong username / password. Removing the function altogether will give an error/warning message when the server detects you are sending in plaintext, and you won't be able to log in.

When hashing the password at client side you ensure that sniffers only get the hashed version of the password, thus not revealing your actual password.

However, the password sent from a given account will always be the same, as no sort of salt is introduced. So simply replaying the same password and username would effectively log you in. Maybe one could implement the client's IP as salt, thus making it impossible for anyone else to use your pre/client-hashed password.
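The replay weakness ande describes above, next to one server-side fix for it, as an added example that is not part of the thread or of the Alpha code. `client_hash` mirrors the described unsalted "100x SHA512" scheme; `NonceServer` and `client_proof` are an assumed hardened design (single-use server nonce, HMAC over it) and not how the site worked.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100  # the thread says the server expects "100x SHA512"

def client_hash(password: str) -> str:
    """Unsalted client-side hash as described in the thread: SHA-512 applied
    100 times. Identical passwords always produce identical hex strings."""
    digest = password.encode()
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest).digest()
    return digest.hex()

def unsalted_login(stored_hash: str, sent_hash: str) -> bool:
    """Scheme from the thread: the server compares the bare client hash, so a
    value captured off the wire works again on every later login (replay)."""
    return hmac.compare_digest(stored_hash, sent_hash)

class NonceServer:
    """Hypothetical hardened variant (not the project's design): the server
    issues a single-use nonce and the client proves it knows the hash with
    HMAC-SHA512(key=client_hash, msg=nonce). Captured proofs cannot be reused."""

    def __init__(self):
        self.users = {}       # username -> client_hash (the verification key)
        self.pending = set()  # nonces issued but not yet consumed

    def register(self, user: str, password: str) -> None:
        self.users[user] = client_hash(password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def login(self, user: str, nonce: str, proof: str) -> bool:
        if nonce not in self.pending:  # unknown or already used: replay fails
            return False
        self.pending.discard(nonce)    # consume before verifying
        key = self.users.get(user, "").encode()
        expected = hmac.new(key, nonce.encode(), "sha512").hexdigest()
        return hmac.compare_digest(expected, proof)

def client_proof(password: str, nonce: str) -> str:
    """What the browser would send in the hardened variant instead of the bare hash."""
    return hmac.new(client_hash(password).encode(), nonce.encode(), "sha512").hexdigest()
```

The stored `client_hash` is still a password equivalent on the server, so a real deployment would hash it again server-side before storing it.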

Offline ca0s

Re: Early beta release: Project Alpha Webpage
« Reply #13 on: December 25, 2013, 05:55:10 pm »
I once made an implementation in which every user had to log in with username + password + secret. Then, the hash was calculated with a SHA256-HMAC(password, secret), and username + hash were sent to the server. I was never sure whether that was secure or not, so I finally removed it.

Btw, looks amazing :)
« Last Edit: December 25, 2013, 06:18:13 pm by ca0s »

Offline lucid

Re: Early beta release: Project Alpha Webpage
« Reply #14 on: December 25, 2013, 06:39:35 pm »
You can register :P
Indeed, I was just wondering when my uber leet posts and super hardcore gmod status will be transferred. Although I imagine it won't be until the final release is out.