staysalty

Sapphire Donator
  • Content Count: 19
  • Days Won: 2

staysalty last won the day on January 27 2018

staysalty had the most liked content!

About staysalty
  • Rank: Newbie

Recent Profile Visitors: 480 profile views
  1. staysalty

    Tormented Demons Guide: Preamble, Recommended Stats, Recommended Setup, Getting There, The Fight. Good luck and have fun!
  2. staysalty

    I've never actually created an introduction, so I guess I'll go ahead and make one now. I'm salty, I go by a few names, some of you probably know them, and I am very well known around the Internet for my "endeavors". For this introduction, I'll just lay out some facts about myself: I'm old enough to know better, but too young to give a damn. I let my opinion be heard, whether you asked for it or not. I'm outspoken, arrogant, and rude at times. I believe that knowledge should be free, and you should always strive to learn something new every day. I'm 99% sure that my last words will be along the lines of: "What are you gonna do, stab me?" I've been to 17 different countries, and have been shot at in 9 of them. I play this server to escape reality, because everyone needs a place to go when life kicks them in the balls. If I've learned anything from this life, it's that nobody owes you anything. You see something you want, you find a way to get it. No exceptions. I believe you have not experienced life until you have seen the stars in the middle of a desert at night. I believe that most people have good intentions. I can be your best friend who will help you any way I can, or your worst enemy that you will never see coming. There you have it, some facts about myself. If you want to know more, feel free to ask. Love me or hate me, either one is a privilege.
  3. staysalty

    He thinks this because he is that wonderful man
  4. staysalty

    I've been looking around at the forums and have some suggestions that will make them better. Not only that, it will make the forums reflect the high standard you have accumulated on the server, since this is the first thing anyone will see before playing the server. First impressions are everything:

    CSRF tokens

    You bluntly show the anti-CSRF tokens in your URL. Along with this you allow users to go to the arena in which the tokens are not only created, but implemented as well. This is cause for concern since someone would be able to see the algorithm, create their own tokens, and try different approaches changing the token to make themselves look like a non-nefarious user.

    SSL

    There does not seem to be any SSL or HTTPS on this server. Nothing is encrypted; you allow clear-text communication between the login and the server and send the information back and forth as clear text. This is not only bad, but it clearly defies basic web administration techniques to protect not only yourself, but your users as well.

    That counter

    I get what the purpose of the counter is. I understand why it's there and why it is the way it is, but it's manipulative to users that aren't going to look as deep as I am. A simple count of the pings on your server would do the exact same thing. There's always at least 50+ on Onyx at a time, and that number should be shown. Now this:

        <li>Players Online: <strong>100+</strong> </li>
        <li class="servstatus">Server Status: <strong>Online</strong> </li>
        </ul>
        </div>

    This just shows new players that there is more going on than there is. This does not conform with the high standards you yourselves have implemented on your server, because it's extremely low quality.

    HTTP Headers

    The only header protection you have against attacks from the client side is an XSS request protection header. There is no clickjacking protection, or anything else of the sort. For example, I could use an automated tool such as Zeus to scan for attacks on your page:

        ~/bin/tools/zeus-scanner$ sudo python zeus.py -b "http://onyxftw.com/forum" --clickjacking --verbose
        [06:36:26 DEBUG] checking if the application has been run before
        [06:36:26 DEBUG] verifying operating system
        [06:36:26 DEBUG] already ran, skipping
        __ __________ __ / / \____ /____ __ __ ______ \ \ / / ______ / // __ \| | \/ ___/ ______ \ \ \ \ /_____/ / /\ ___/| | /\___ \ /_____/ / / \_\ /_______ \___ >____//____ > /_/ \/ \/ \/ v1.4.13.e5ac63(revision)
        https://github.com/ekultek/zeus-scanner.git
        Advanced Reconnaissance...
        [!] legal disclaimer: Usage of Zeus for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
        [*] starting up at 06:36:26..
        [06:36:26 DEBUG] running with options '{'runInVerbose': True, 'performClickjackingScan': True, 'spiderWebSite': 'http://onyxftw.com/forum'}'
        [06:36:26 INFO] log file being saved to '/home/baal/bin/tools/zeus-scanner/log/zeus-log-61.log'
        [06:36:26 DEBUG] using default search engine (Google)
        [06:36:26 INFO] using default search engine
        [06:36:26 DEBUG] settings user-agent to 'Zeus-Scanner/1.4.13.e5ac63 (Language=Python/2.7.13; Platform=Linux)'
        [06:36:26 INFO] starting blackwidow on 'http://onyxftw.com/forum'
        [06:36:26 DEBUG] testing connection to the URL
        [06:36:27 INFO] connection test succeeded, continuing
        [06:36:27 INFO] crawling given URL 'http://onyxftw.com/forum' for links
        [06:36:28 INFO] found a total of 226 links from given URL 'http://onyxftw.com/forum'
        [06:36:28 INFO] successfully wrote found items to '/home/baal/bin/tools/zeus-scanner/log/blackwidow-log/blackwidow-log-9.log'
        [06:36:28 INFO] currently running on 'http://onyxftw.com/forum/index.php?/*******/*********/' (target #1)
        [06:36:28 INFO] fetching target meta-data
        [06:36:28 INFO] detecting target charset
        [06:36:28 INFO] target charset appears to be 'utf-8'
        [06:36:28 DEBUG] loading XML data
        [06:36:28 INFO] attempting to get request headers for 'http://onyxftw.com/forum/index.php?/*******/*********/'
        [06:36:28 DEBUG] fetched {'Content-Length': '9009', 'X-XSS-Protection': '0', 'X-Powered-By': 'PHP/5.6.32', 'Accept-Ranges': 'bytes', 'Expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'Vary': 'Accept-Encoding', 'Server': 'LiteSpeed', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0', 'Date': 'Wed, 17 Jan 2018 12:36:28 GMT', 'Content-Type': 'text/html;charset=UTF-8', 'Content-Encoding': 'gzip'}
        [06:36:28 WARNING] provided target has protection against XSS attacks
        [06:36:28 INFO] writing found headers to log file
        [06:36:28 INFO] successfully wrote found items to '/home/baal/bin/tools/zeus-scanner/log/header-log/onyxftw.com(12).json'
        [06:36:28 PROMPT] would you like to process found URL: 'http://onyxftw.com/forum/index.php?/*******/*********/'[y/N]: y
        [06:36:49 INFO] it appears that provided URL 'http://onyxftw.com/forum/index.php?/*******/*********/' is vulnerable to clickjacking, writing to HTML file
        [06:36:49 INFO] successfully wrote found items to '/home/baal/bin/tools/zeus-scanner/log/clickjacking-log/onyxftw.com(1).html'

    Basic web administration should tell you to add clickjacking headers, and tell you that you need to implement headers when needed. Not only this, but you bluntly show your information in your headers. This information can be used to identify you. For example, a simple request:

        ~$ python
        Python 2.7.13 (default, Nov 23 2017, 15:37:09)
        [GCC 6.3.0 20170406] on linux2
        Type "help", "copyright", "credits" or "license" for more information.
        >>> import requests
        >>> req = requests.get("http://onyxftw.com")
        >>> req.headers
        {'Content-Length': '913', 'Content-Encoding': 'gzip', 'Accept-Ranges': 'bytes', 'X-Powered-By': 'PHP/5.6.32', 'Vary': 'Accept-Encoding', 'Server': 'LiteSpeed', 'Connection': 'close', 'Date': 'Wed, 17 Jan 2018 12:28:25 GMT', 'Content-Type': 'text/html; charset=UTF-8'}
        >>>

    What do we now know? Your content length, the type of PHP you're using, your server. Basic things that should be hidden are shown, and basic things that should be there are not. This clearly goes against web administration techniques to protect your users.

    Robots/sitemap

    There is no robots.txt on your page. Either that or it is in a different location. These pages help with indexing the webpage on search engines; do you want people to find you by Googling you? If so, I'd highly suggest you look into creating both of them. This is basic web administration and search engine optimization that should have been implemented at the start of this webpage.

    Control panel login not hidden in configuration file

    This isn't as important as the others, but you allow end users to get to your control panel by forwarding to port 2082.

    IP address readily available

    By pinging a certain protocol, the IP address of your web server is provided, instead of the IP address that you hide while pinging other protocols. For example:

    This is about all I have for now. If you have any questions, or need some proof of concepts, ping me on Discord, or in game. Thank you for your time, and I hope you decide to fix these issues, not only for the conformity of your standards, but for the safety of your user base as well.
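An added example (not part of the post above, and not code from Onyx or its forum software) that turns two of the post's points into something an administrator can run: it audits a response-header set for the missing clickjacking/transport protections and the version-disclosing headers the post calls out, and it shows CSRF tokens generated and checked the way the post asks for (unpredictable, kept out of URLs, compared in constant time). The header dict is copied from the post's scanner output rather than fetched; the hardened header set and the function names are the example's own assumptions.

```python
"""Audit HTTP response headers and handle CSRF tokens safely (added example)."""
import hmac
import secrets

# Constructed sample: the header dict the post's Zeus output shows for the forum
# (copied from the post, not fetched from the network).
SAMPLE_HEADERS = {
    'Content-Length': '9009',
    'X-XSS-Protection': '0',
    'X-Powered-By': 'PHP/5.6.32',
    'Server': 'LiteSpeed',
    'Content-Type': 'text/html;charset=UTF-8',
}

# Assumed hardened set: what the same response could look like after the fixes
# the post asks for (clickjacking protection, HTTPS, no version banners).
HARDENED_HEADERS = {
    'Content-Security-Policy': "frame-ancestors 'none'; default-src 'self'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'Content-Type': 'text/html; charset=UTF-8',
}

# Defensive headers a reviewer expects on an HTML page, and what each one buys.
EXPECTED = {
    'X-Frame-Options': 'clickjacking: other origins may not frame the page',
    'Content-Security-Policy': 'frame-ancestors and script-source restrictions',
    'Strict-Transport-Security': 'pins browsers to HTTPS once TLS is deployed',
    'X-Content-Type-Options': 'nosniff: stops MIME sniffing of responses',
}

# Headers that only advertise the software stack to visitors.
DISCLOSING = ('Server', 'X-Powered-By')

XSS_NOTE = "X-XSS-Protection: 0 disables the browser's legacy XSS auditor"


def audit_headers(headers):
    """Return (missing defensive headers, disclosing headers, notes) for one response."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in EXPECTED if h.lower() not in lower]
    # A CSP frame-ancestors directive covers clickjacking on its own,
    # so do not demand X-Frame-Options as well when it is present.
    csp = lower.get('content-security-policy', '')
    if 'frame-ancestors' in csp and 'X-Frame-Options' in missing:
        missing.remove('X-Frame-Options')
    disclosing = [h for h in DISCLOSING if h.lower() in lower]
    notes = []
    xss = lower.get('x-xss-protection')
    if xss is not None and xss.strip().startswith('0'):
        notes.append(XSS_NOTE)
    return missing, disclosing, notes


def new_csrf_token():
    """Unpredictable per-session token from the OS CSPRNG.

    Store it server-side in the session and deliver it in a hidden form field
    or a custom request header; it must never appear in a URL, where it leaks
    through logs, Referer headers and browser history.
    """
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    """Compare in constant time so a timing side channel cannot leak the token."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == '__main__':
    for name, hdrs in (('as observed', SAMPLE_HEADERS), ('hardened', HARDENED_HEADERS)):
        missing, disclosing, notes = audit_headers(hdrs)
        print(f'[{name}] missing: {missing}')
        print(f'[{name}] disclosing: {disclosing}')
        for note in notes:
            print(f'[{name}] note: {note}')
    tok = new_csrf_token()
    print('csrf token valid for its own session:', csrf_token_valid(tok, tok))
```

Run against the observed headers it reports all four defensive headers missing plus the Server and X-Powered-By banners; against the hardened set it reports nothing. Removing the Server and X-Powered-By values is a web-server and PHP configuration change (the `expose_php` setting in PHP, and the server's own header directive), which is out of scope for this snippet.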
  5. staysalty

    Making them untradeable would have a massive impact on the economy, and a poor one at that, because there are so many. What I would say is just keep making them so common that they eventually lose value over the actual item. I mean, sure, this will probably take a while, and it would probably have some bad impacts on the situation at hand. But it would be a whole lot better than sending basically an eco reset through the system to make something untradeable. Like you said, our eco is running on them; you can't just get rid of them. As for the afkshop, it's a simple fix: if you are idle for so many minutes, the counter stops. Easily codeable and easily fixable. As long as you're just standing there for, let's say, 10 minutes, the counter quits counting.
  6. staysalty

    Make it so that we can actually use the lootbags
