
staysalty

Sapphire Donator
  • Content Count

    19
  • Joined

  • Last visited

  • Days Won

    2

staysalty last won the day on January 27 2018

staysalty had the most liked content!

About staysalty

  • Rank
    Newbie

Recent Profile Visitors

401 profile views
  1. staysalty

    Tormented Demons Guide

    Preamble: This guide assumes that you have all the recommended gear or better, but will also give multiple instances of how to gear your character. This guide also assumes that you have an Arclight.

    Recommended stats:
    75+ Attack
    80+ Strength
    75+ Defence
    75+ Ranged
    43+ Prayer

    Recommended Gear:
    - Full slayer helm (if on task) > Helm of Neitiznot
    - Amulet of Fury > Amulet of Glory > Amulet of Power
    - Royal d'hide top > Karil's top > Black d'hide top
    - Royal d'hide chaps > Karil's skirt > Black d'hide chaps
    - Ava's Assembler > Kiln Cape > Fire Cape
    - Barrows gloves
    - Prim boots > Dragon boots
    - Berserker ring > Ring of wealth

    Weapon: It is strongly encouraged to bring Arclight; this tutorial is going to assume that you have Arclight as a weapon.

    Decent setup example:

    If on a budget, royal d'hide can be replaced with black d'hide or Karil's.

    What to bring:
    - Unicorn familiar (for healing)
    - Healing aura scrolls
    - Super set (or overload)
    - Range pot (not needed if overload is brought)
    - 2-3 prayer pots (you can decrease this amount in favor of more food)
    - Toxic blowpipe (can be traded out with a rune crossbow or better. If doing this, bring broad bolts)
    - The rest should be a mix between karambwan and a high level healing food (mantas, sharks, rocks, etc.)

    Decent inventory setup example:

    How to get there:
    Donors:
    - If you are a donor, the easiest way to get there is to type ::tp > Dungeons and PVM locations > third page under Corp.
    Normal players:
    - If you are not a donor, the easiest way to get there is to type ::home > Blue portal > Dungeons and PVM locations > third page under Corp.

    The fight:
    Once you teleport to the tormented demons dungeon, you will be in an old cavern-like place. Run south and stand behind the first pillar:

    From here you can go ahead and pot up, heal yourself, and do whatever you need to do to get ready for the fight. The first thing you're going to want to do is pray mage and lure the TDs (Tormented Demons) towards you one at a time. Keep in mind this is a multi-combat area, meaning more than one will attack you at once. So first things first: equip your range weapon, hit the demon, and lure him back away from the others. Stand next to the first rock on the way back so that you have enough distance between you two and the other demon:

    For the first few attacks the demon will have a shield up. So once he has been lured, go ahead and pull out your Arclight to get the shield down:

    Once the shield is down you're going to want to switch from mage protect to melee protect:

    At this point it will be just bouncing back and forth between range and melee attacks. When you notice that he has the range prayer up, use melee, and vice versa. The game's ticks seem to have an effect on the TDs once they switch prayer. I would highly suggest hitting once more after they have switched prayer; it seems to have a decent effect on them during the switches. For example, let's say they switch to range from melee while you are ranging them. Hit once more on the TD with range (it should be a decent hit) and then switch to melee. If you've done everything right, you should kill the TD pretty easily.

    It is important to note that TDs use all three attack styles. They will use range and mage from a distance, and melee and mage up close. It is recommended to stay up close to them if you're going to solo them and to pray melee; they will hit you with mage splash. So when this happens do not panic, eat your food, and heal with your Unicorn. Watch out for their prayer swaps as well: TDs will change from melee protect to range protect. Be sure to be prepared to swap your attack weapon from melee to range.

    You should get between 2-5 kills per inventory soloing with this setup. Good luck and have fun.
  2. staysalty

    I've never actually created an introduction, so I guess I'll go ahead and make one now. I'm salty, I go by a few names, some of you probably know them, and I am very well known around the Internet for my "endeavors". For this introduction, I'll just lay out some facts about myself: I'm old enough to know better, but too young to give a damn. I let my opinion be heard, whether you asked for it or not. I'm outspoken, arrogant, and rude at times. I believe that knowledge should be free, and you should always strive to learn something new every day. I'm 99% sure that my last words will be along the lines of: "What are you gonna do, stab me?" I've been to 17 different countries, and have been shot at in 9 of them. I play this server to escape reality, because everyone needs a place to go when life kicks them in the balls. If I've learned anything from this life, it's that nobody owes you anything. You see something you want, you find a way to get it. No exceptions. I believe you have not experienced life until you have seen the stars in the middle of a desert at night. I believe that most people have good intentions. I can be your best friend that will help you any way I can, or your worst enemy that you will never see coming. There you have it, some facts about myself. If you want to know more, feel free to ask. Love me or hate me, either one is a privilege.
  3. staysalty

    He thinks this because he is that wonderful man
  4. staysalty

    I've been looking around at the forums and have some suggestions that will make them better. Not only that, it will make the forums reflect the high standard you have accumulated on the server, since this is the first thing anyone will see before playing the server. First impressions are everything:

    CSRF tokens
    You bluntly show the anti-CSRF tokens in your URL. Along with this you allow users to go to the area in which the tokens are not only created, but implemented as well. This is cause for concern, since someone would be able to see the algorithm, create their own tokens, and try different approaches, changing the token to make themselves look like a non-nefarious user.

    SSL
    There does not seem to be any SSL or HTTPS on this server. Nothing is encrypted; you allow clear text communication between the login and the server and send the information back and forth as clear text. This is not only bad, but it clearly defies basic web administration techniques to protect not only yourself, but your users as well.

    That counter
    I get what the purpose of the counter is. I understand why it's there and why it is the way it is, but it's manipulative to users that aren't going to look as deep as I am. A simple count of the pings on your server would do the exact same thing. There's always at least 50+ on Onyx at a time, and that number should be shown. Now this:
    <li>Players Online: <strong>100+</strong> </li>
    <li class="servstatus">Server Status: <strong>Online</strong> </li>
    </ul>
    </div>
    This just shows new players that there is more going on than there is. This does not conform with the high standards you yourselves have implemented on your server, because it's extremely low quality.

    HTTP Headers
    The only header protection you have against attacks from the client side is an XSS request protection header. There is no clickjacking protection, or anything else of the sort. For example, I could use an automated tool such as Zeus to scan for attacks on your page:
    ~/bin/tools/zeus-scanner$ sudo python zeus.py -b "http://onyxftw.com/forum" --clickjacking --verbose
    [06:36:26 DEBUG] checking if the application has been run before
    [06:36:26 DEBUG] verifying operating system
    [06:36:26 DEBUG] already ran, skipping
    __ __________ __ / / \____ /____ __ __ ______ \ \ / / ______ / // __ \| | \/ ___/ ______ \ \ \ \ /_____/ / /\ ___/| | /\___ \ /_____/ / / \_\ /_______ \___ >____//____ > /_/ \/ \/ \/
    v1.4.13.e5ac63(revision)
    https://github.com/ekultek/zeus-scanner.git
    Advanced Reconnaissance...
    [!] legal disclaimer: Usage of Zeus for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
    [*] starting up at 06:36:26..
    [06:36:26 DEBUG] running with options '{'runInVerbose': True, 'performClickjackingScan': True, 'spiderWebSite': 'http://onyxftw.com/forum'}'
    [06:36:26 INFO] log file being saved to '/home/baal/bin/tools/zeus-scanner/log/zeus-log-61.log'
    [06:36:26 DEBUG] using default search engine (Google)
    [06:36:26 INFO] using default search engine
    [06:36:26 DEBUG] settings user-agent to 'Zeus-Scanner/1.4.13.e5ac63 (Language=Python/2.7.13; Platform=Linux)'
    [06:36:26 INFO] starting blackwidow on 'http://onyxftw.com/forum'
    [06:36:26 DEBUG] testing connection to the URL
    [06:36:27 INFO] connection test succeeded, continuing
    [06:36:27 INFO] crawling given URL 'http://onyxftw.com/forum' for links
    [06:36:28 INFO] found a total of 226 links from given URL 'http://onyxftw.com/forum'
    [06:36:28 INFO] successfully wrote found items to '/home/baal/bin/tools/zeus-scanner/log/blackwidow-log/blackwidow-log-9.log'
    [06:36:28 INFO] currently running on 'http://onyxftw.com/forum/index.php?/*******/*********/' (target #1)
    [06:36:28 INFO] fetching target meta-data
    [06:36:28 INFO] detecting target charset
    [06:36:28 INFO] target charset appears to be 'utf-8'
    [06:36:28 DEBUG] loading XML data
    [06:36:28 INFO] attempting to get request headers for 'http://onyxftw.com/forum/index.php?/*******/*********/'
    [06:36:28 DEBUG] fetched {'Content-Length': '9009', 'X-XSS-Protection': '0', 'X-Powered-By': 'PHP/5.6.32', 'Accept-Ranges': 'bytes', 'Expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'Vary': 'Accept-Encoding', 'Server': 'LiteSpeed', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'Date': 'Wed, 17 Jan 2018 12:36:28 GMT', 'Content-Type': 'text/html;charset=UTF-8', 'Content-Encoding': 'gzip'}
    [06:36:28 WARNING] provided target has protection against XSS attacks
    [06:36:28 INFO] writing found headers to log file
    [06:36:28 INFO] successfully wrote found items to '/home/baal/bin/tools/zeus-scanner/log/header-log/onyxftw.com(12).json'
    [06:36:28 PROMPT] would you like to process found URL: 'http://onyxftw.com/forum/index.php?/*******/*********/'[y/N]: y
    [06:36:49 INFO] it appears that provided URL 'http://onyxftw.com/forum/index.php?/*******/*********/' is vulnerable to clickjacking, writing to HTML file
    [06:36:49 INFO] successfully wrote found items to '/home/baal/bin/tools/zeus-scanner/log/clickjacking-log/onyxftw.com(1).html'
    Basic web administration should tell you to add clickjacking headers and tell you that you need to implement headers when needed. Not only this, but you bluntly show your information in your headers. This information can be used to identify you. For example, a simple request:
    ~$ python
    Python 2.7.13 (default, Nov 23 2017, 15:37:09)
    [GCC 6.3.0 20170406] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import requests
    >>> req = requests.get("http://onyxftw.com")
    >>> req.headers
    {'Content-Length': '913', 'Content-Encoding': 'gzip', 'Accept-Ranges': 'bytes', 'X-Powered-By': 'PHP/5.6.32', 'Vary': 'Accept-Encoding', 'Server': 'LiteSpeed', 'Connection': 'close', 'Date': 'Wed, 17 Jan 2018 12:28:25 GMT', 'Content-Type': 'text/html; charset=UTF-8'}
    >>>
    What do we now know? Your content length, the type of PHP you're using, your server. Basic things that should be hidden are shown, and basic things that should be there are not. This clearly goes against web administration techniques to protect your users.

    Robots/sitemap
    There is no robots.txt on your page. Either that or it is in a different location. These pages help with indexing the webpage on search engines; do you want people to find you by Googling you? If so I'd highly suggest you look into creating both of them. This is basic web administration and search engine optimization that should have been implemented at the start of this webpage.

    Control panel login not hidden in configuration file
    This isn't as important as the others, but you allow end users to get to your control panel by forwarding to port 2082.

    IP address readily available
    By pinging a certain protocol, the IP address of your web server is provided, instead of the IP address that you hide while pinging other protocols. For example:

    This is about all I have for now. If you have any questions, or need some proof of concepts, ping me on Discord or in game. Thank you for your time, and I hope you decide to fix these issues, not only for the conformity of your standards, but for the safety of your user base as well.
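The post above points at three header-level gaps: no clickjacking protection, no transport security, and software versions disclosed in Server and X-Powered-By. The script below is an added example, not code from the post or from the forum software, that audits a response header set for exactly those gaps from the operator's side. The two input dicts are the header sets quoted in the post's scanner and `requests` output; the `audit_headers` function, its checks, and the `HARDENED_HEADERS` reference set are my own assumptions about what a reasonable baseline looks like.

```python
"""Audit an HTTP response header set for the gaps described in the post.

Added example (not the poster's or the forum software's code). The header
dicts FORUM_HEADERS and HOME_HEADERS are copied from the scanner and
`requests` output quoted in the post; audit_headers() and HARDENED_HEADERS
are hypothetical and defensive: they report what is missing or leaking so
the server configuration can be corrected.
"""
from typing import Dict, List

# Copied from the Zeus "fetched {...}" line in the post (forum index page).
FORUM_HEADERS = {
    'Content-Length': '9009', 'X-XSS-Protection': '0',
    'X-Powered-By': 'PHP/5.6.32', 'Accept-Ranges': 'bytes',
    'Expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'Vary': 'Accept-Encoding',
    'Server': 'LiteSpeed', 'Connection': 'close', 'Pragma': 'no-cache',
    'Cache-Control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0',
    'Date': 'Wed, 17 Jan 2018 12:36:28 GMT',
    'Content-Type': 'text/html;charset=UTF-8', 'Content-Encoding': 'gzip',
}

# Copied from the `req.headers` line in the post (site front page).
HOME_HEADERS = {
    'Content-Length': '913', 'Content-Encoding': 'gzip',
    'Accept-Ranges': 'bytes', 'X-Powered-By': 'PHP/5.6.32',
    'Vary': 'Accept-Encoding', 'Server': 'LiteSpeed', 'Connection': 'close',
    'Date': 'Wed, 17 Jan 2018 12:28:25 GMT',
    'Content-Type': 'text/html; charset=UTF-8',
}

# Hypothetical hardened baseline: frame embedding denied, sniffing disabled,
# HSTS enabled (only meaningful once the site is served over HTTPS), and no
# Server / X-Powered-By version banners at all.
HARDENED_HEADERS = {
    'Content-Type': 'text/html; charset=UTF-8',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings (empty means the baseline is met)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must restrict framing. Neither is present in the post's captures.
    xfo = h.get('x-frame-options', '').strip().upper()
    csp = h.get('content-security-policy', '').lower()
    if xfo not in ('DENY', 'SAMEORIGIN') and 'frame-ancestors' not in csp:
        findings.append('clickjacking: no X-Frame-Options or CSP frame-ancestors')

    # MIME sniffing: browsers may reinterpret responses without nosniff.
    if h.get('x-content-type-options', '').strip().lower() != 'nosniff':
        findings.append('missing X-Content-Type-Options: nosniff')

    # The value '0' turns the legacy browser XSS filter off; a CSP is the
    # actual control, so flag the explicit opt-out when it appears.
    if h.get('x-xss-protection', '').strip().startswith('0'):
        findings.append('X-XSS-Protection is set to 0 (legacy filter disabled)')

    # Transport: HSTS is absent, consistent with the post's "no HTTPS" point.
    if 'strict-transport-security' not in h:
        findings.append('missing Strict-Transport-Security (no HTTPS enforcement)')

    # Information disclosure: server software and language version banners.
    for name in ('server', 'x-powered-by'):
        if name in h:
            findings.append(f'information disclosure: {name}: {h[name]}')

    return findings


if __name__ == '__main__':
    for label, hdrs in (('forum', FORUM_HEADERS), ('home', HOME_HEADERS),
                        ('hardened', HARDENED_HEADERS)):
        print(f'== {label} ==')
        for finding in audit_headers(hdrs) or ['no findings']:
            print(' -', finding)
```

Against a live site the same function can be fed `requests.get(url).headers` directly, since that object iterates like a dict; the captured dicts are kept inline here so the audit runs offline. The forum capture yields six findings and the front page five (it lacks the explicit X-XSS-Protection: 0), while the hardened set yields none.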
  5. staysalty

    Making them untradeable would have a massive impact on the economy, and a poor one at that, because there are so many. What I would say is just keep making them so common that they eventually lose value over the actual item. I mean, sure, this will probably take a while, and it would probably have some bad impacts on the situation at hand. But it would be a whole lot better than sending basically an eco reset through the system to make something untradeable. Like you said, our eco is running on them; you can't just get rid of them. As for the afkshop, it's a simple fix: if you are idle for a certain number of minutes, the counter stops. Easily codeable and easily fixable. As long as you're just standing there for, let's say, 10 minutes, the counter quits counting.
  6. staysalty

    Make it so that we can actually use the lootbags
