|
Title: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 04:10:34 PM Hello, from 100bit.co.in. This is a new platform allowing buyers and sellers to directly exchange FIAT and Alt coins with each other against bitcoin. It is free to join the platform and exchange cost per trade is 0.1% of the trade amount. We announced start of our work in March 22, 2014 (https://bitcointalk.org/index.php?topic=526706.0) and now our BETA platform is ready. At this moment we are looking for some public testing to find some bugs that we might have missed. Please note that, merely mentioning a few bug wont earn you any bounty. You need to explain with example in PM and payment will be disbursed only after bugs are fixed.
Some people have already received payment for finding bugs: https://bitcointalk.org/index.php?topic=1012209.msg11041920#msg11041920 Please follow this link & register => www.100bit.co.in/register.php https://i.imgur.com/TwWmtEZ.png (http://www.100bit.co.in) Please note that, right now, we are in early BETA. Also https is not yet implemented. So, it is recommended NOT to trade big volume for now. If your country/currency is not in the list on registration page, please inform us here. Your feedback for any improvement is highly appreciated. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 04, 2015, 04:15:09 PM Hello, from 100bit.co.in. This is a new platform allowing buyers and sellers to directly exchange FIAT and Alt coins with each other against bitcoin. It is free to join the platform and exchange cost per trade is 0.1% of the trade amount. We announced start of our work in March 22, 2014 (https://bitcointalk.org/index.php?topic=526706.0) and now our BETA platform is ready. At this moment we are looking for some public testing to find some bugs that we might have missed. Please follow this link & register => www.100bit.co.in/register.php https://i.imgur.com/TwWmtEZ.png (http://www.100bit.co.in) Please note that, right now, we are in early BETA. Also https is not yet implemented. So, it is recommended NOT to trade big volume for now. If your country/currency is not in the list on registration page, please inform us here. Your feedback for any improvement is highly appreciated. I'm testing the site now, if i found something i will let you know. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: vishwaratna on April 04, 2015, 04:17:22 PM congracts for your site..
any joining bonus?? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Astargath on April 04, 2015, 04:19:36 PM This is not a bug but it is incredibly annoying to register and login, why dont you just let people chose their username instead of sending an email to confirm registration and then another email with your id wich is only numbers ?
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 04:30:34 PM I'm testing the site now, if i found something i will let you know. Thanks. The more people join, the better the testing will be. One needs to pick up order placed by another. congracts for your site.. any joining bonus?? Sorry... no joining bonus as such. :-\ This is not a bug but it is incredibly annoying to register and login, why dont you just let people chose their username instead of sending an email to confirm registration and then another email with your id wich is only numbers ? Sorry about the annoyance. It was in fact done on purpose not to create user id for those who puts in wrong email id for spamming. But, thank you for pointing it out. Feel free to point out anything else that might appear to be annoying to you. If we can change that, we will definitely do. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 04, 2015, 04:43:49 PM Ok, i finish the test and here is the report.
First of all, congrats for your site. Have a great looking. I just create a account, got 1 mail for the verification, and after that got another mail with the user to login, The register and login system work great. I take a look to the different pages on your site and only found one problem: You don't have catcha in the ticket "Create a New Support Ticket": http://i57.tinypic.com/2j2eovl.png (http://i57.tinypic.com/2j2eovl.png) If i use the next code, i can auto post a ticket; Code: VERSION BUILD=8920312 RECORDER=FX And that mean i can send you 1000 tickets if i want with a script. And was thinking in do it, but better report it here :D At the same time, i test your site with nikto to find some vulns, but you dont have any vuln. there. Code: [usr@localhost ~]$ nikto -h www.100bit.co.in Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MagicSnow on April 04, 2015, 05:06:55 PM Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch. mmh no the website is vulnerable to XSS and SQL injection Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 04, 2015, 05:29:46 PM Ok, i finish the test and here is the report. First of all, congrats for your site. Have a great looking. I just create a account, got 1 mail for the verification, and after that got another mail with the user to login, The register and login system work great. I take a look to the different pages on your site and only found one problem: You don't have catcha in the ticket "Create a New Support Ticket": http://i57.tinypic.com/2j2eovl.png (http://i57.tinypic.com/2j2eovl.png) If i use the next code, i can auto post a ticket; Code: VERSION BUILD=8920312 RECORDER=FX And that mean i can send you 1000 tickets if i want with a script. And was thinking in do it, but better report it here :D At the same time, i test your site with nikto to find some vulns, but you dont have any vuln. there. Code: [usr@localhost ~]$ nikto -h www.100bit.co.in Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch. Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch. mmh no the website is vulnerable to XSS and SQL injection I found another big problem. Users can inject code in http://www.100bit.co.in/settings.php > About me. http://i59.tinypic.com/2rxcxet.png http://i59.tinypic.com/2rxcxet.png Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 05:30:55 PM Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MagicSnow on April 04, 2015, 05:35:25 PM Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings. Thank you, btw the message from "seoincorporation" was sent after my PMs (listing more vulnerability and in details) Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: geforcelover on April 04, 2015, 05:36:43 PM your site is looking great well i checked the site but i found no bug unfortunately and thts mean your site is out of bug . Above users ^^ found the bug further i cant find . as it is a buying selling platform you should add 2FA or something else . i see that it is not so protected . and the security level is too low. also i just registered my account but now i m unable to login dont know why . i dont know thats a bug or whats is it.
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Astargath on April 04, 2015, 05:38:53 PM Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 04, 2015, 05:39:19 PM Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings. I send you my addy in a PM. The problem i found: 1.-No captcha in the "Create a New Support Ticket" 2.-Can inject code on "http://www.100bit.co.in/settings.php > About me" I make some test and dont find a vuln for xss Code: [usr@localhost ~]$ nmap -p80 --script http-stored-xss www.100bit.co.in And about SQL injection im not sure. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 04, 2015, 06:14:32 PM Find another one.
I can inject code in: http://www.100bit.co.in/order.php > Preferred payment mode (optional): http://i62.tinypic.com/vq5jlf.png http://i62.tinypic.com/vq5jlf.png (http://i62.tinypic.com/vq5jlf.png) http://i59.tinypic.com/wmf983.png http://i59.tinypic.com/wmf983.png (http://i59.tinypic.com/wmf983.png) Make a test with <a href="http://cash.com">Cash</a>, and in the second try i test with <img src="...">. ***UPDATE*** I can inject code in the Ticket support too... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: franckuestein on April 04, 2015, 06:41:19 PM Hi devs and congrats for the site!
I was trying the most common things that a "normal" user would do with your site and I've found some interesting details. This is not a bug, but first of all, take a look to the "Lost you password (http://www.100bit.co.in/recover.php)" page. There's a mistake because it's Forgot Password and not Forgot Passowrd :D (in the header and in the button). Then, once I registered my account I've received two direct messages on my mail account, you have to solve this automated messages problem. Maybe people receive more than one while they submit the registration form ;) Another thing: If you try to log-in with the ID that you wrote on the registration form and not with the ID specified on the email, you're going to see this warning: This message it's the one that pops up in case that you try to register with an email address that's been registered before, not once you try to log-in. As well, IMO users have to be able to log-in with their ID and not with the code (numbers) that they receive on their mail account. And the last thing :) I've tried to put the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that there isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage. Hope to help you! :P Good luck 100bit team! Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Astargath on April 04, 2015, 06:55:25 PM In the country selection option why are there so little countries to chose from? And why it says europe as a country
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 06:58:11 PM I've tried to put the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that there isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage. Hope to help you! :P Good luck 100bit team! Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text box. All of them will be fixed ASAP. Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Roberson on April 04, 2015, 07:02:05 PM ERROR FOUND !
http://www.100bit.co.in/recover.php when you enter a email which isnt already exist ( no accout made using that ) then it says error, instead it should say , no account found with this email. i get this page when i put a non-registered email - http://www.100bit.co.in/error404.php btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 04, 2015, 07:04:36 PM I've tried to put the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that there isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage. Hope to help you! :P Good luck 100bit team! Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text box. All of them will be fixed ASAP. Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ? http://i62.tinypic.com/vq5jlf.png http://i62.tinypic.com/vq5jlf.png (http://i62.tinypic.com/vq5jlf.png) i'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 04, 2015, 07:22:59 PM I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported???
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 08:34:54 PM I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported??? Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM. It seems, no one has found any problem in order execution so far. Would like to hear about testing report of that part... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Roberson on April 04, 2015, 08:35:42 PM did you checkd the error i told, will i get my bounty ?
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 10:02:01 PM ERROR FOUND ! http://www.100bit.co.in/recover.php when you enter a email which isnt already exist ( no accout made using that ) then it says error, instead it should say , no account found with this email. i get this page when i put a non-registered email - http://www.100bit.co.in/error404.php btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw did you checkd the error i told, will i get my bounty ? Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end ? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Roberson on April 04, 2015, 10:04:14 PM ERROR FOUND ! http://www.100bit.co.in/recover.php when you enter a email which isnt already exist ( no accout made using that ) then it says error, instead it should say , no account found with this email. i get this page when i put a non-registered email - http://www.100bit.co.in/error404.php btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw did you checkd the error i told, will i get my bounty ? Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end ? yes it looks fixed now, same page is there, so good now, waiting for bounty ;) Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 10:19:35 PM This is not a bug, but first of all, take a look to the "Lost you password (http://www.100bit.co.in/recover.php)" page. There's a mistake because it's Forgot Password and not Forgot Passowrd :D (in the header and in the button). Thanks for pointing out. Should be fixed by now. Then, once I registered my account I've received two direct messages on my mail account, you have to solve this automated messages problem. Maybe people receive more than one while they submit the registration form ;) This is because you clicked the authentication link twice. We prefer to keep it this way, because if for some reason the mail function does not work in the first click, recipient can click it again to get his/her "Account Creation" mail. Another thing: If you try to log-in with the ID that you wrote on the registration form and not with the ID specified on the email, you're going to see this warning: This message it's the one that pops up in case that you try to register with an email address that's been registered before, not once you try to log-in. As well, IMO users have to be able to log-in with their ID and not with the code (numbers) that they receive on their mail account. Can you please re-create this situation and PM me the login credentials for which you are facing this problem ? In fact, the ID is generated only after registration. At the time of registration, user can enter name & email ID. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 10:30:41 PM your site is looking great well i checked the site but i found no bug unfortunately and thts mean your site is out of bug . Above users ^^ found the bug further i cant find . as it is a buying selling platform you should add 2FA or something else . i see that it is not so protected . and the security level is too low. also i just registered my account but now i m unable to login dont know why . i dont know thats a bug or whats is it. 1. 2FA might be implemented after some time. I would like to mention here that 100bit.co.in does not require your fund to stay deposited in any site wallet. User just need to deposit fund only when a trade is in progress. So, even if your account is compromised when you are not doing a trade, it will not financially affect you. 2. If you have registered an account, you need to authenticate it by clicking a link sent to your email ID. If you have forgot your password, you may recover it through your authenticated email ID. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: franckuestein on April 04, 2015, 10:34:04 PM Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ? i'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection. Yes, what I was saying is that the problem wasn't just on the buy-order text box or in the About me box from your site, it was on the support zone of 100bit.co.in, too :D Can you please re-create this situation and PM me the login credentials for which you are facing this problem ? In fact, the ID is generated only after registration. At the time of registration, user can enter name & email ID. Ok, now I tried to log-in with a random ID and the log-in form return only this message: You have entered wrong login credentials or your account is not activated. IMO, now it's ok, because then I logged in with the correct credentials and it's working. Cheers! Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 04, 2015, 10:45:01 PM Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works 100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile. In the country selection option why are there so little countries to chose from? And why it says europe as a country We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 05, 2015, 04:13:35 AM I still waiting the payment, how much i will get for my reported bugs?
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Mehek on April 05, 2015, 04:33:53 AM seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool..
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: RealPhotoshoper on April 05, 2015, 05:18:49 AM i have try your site, register and i have found this ,
https://i.imgur.com/qPuOYR2.png?1 maybe you can use NOREPLY email, so no one will reply to those mail. also i found this, https://i.imgur.com/83cOvEh.png while i input wrong captcha the form that i have filled got blank form again.At the moment we register a site using the form , when there is an error ( eg, the desired user name is already used ) , then we returned to the original register page with an error message . If you notice , all the forms are pre-filled automatically repopulate so we do not need to input all the forms , but just fix the wrong section . Form filled itself will greatly help the user to correct the wrong form field . Imagine if we fill out a form with 15 input box , only then forced to enter again all the input boxes for one fill date format on one input people will lazy to filled out the form again you can utilizing the $ _GET variable and headers function header. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Roberson on April 05, 2015, 09:21:33 AM No bounty yet received !
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Astargath on April 05, 2015, 10:39:11 AM Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works 100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile. In the country selection option why are there so little countries to chose from? And why it says europe as a country We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP. Well for instance you should add Spain and Romania aswell, Poland is there thats why i was confused about Europe. So you should add all the countries in europe Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: RealPhotoshoper on April 05, 2015, 03:32:52 PM no one get paid? okay i would suggest you op to use escrow , so no one worry about scamming or something else.
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 05, 2015, 03:55:13 PM I still waiting the payment, how much i will get for my reported bugs? No bounty yet received ! No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Mehek on April 05, 2015, 04:11:53 PM anyone can say me that how can i deposit funds in it
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 05, 2015, 04:25:47 PM I still waiting the payment, how much i will get for my reported bugs? No bounty yet received ! No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time. Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get? Have a great Easter. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 05, 2015, 04:30:32 PM seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool.. anyone can say me that how can i deposit funds in it 100bit.co.in does not require your fund to stay deposited in any site wallet. User just needs to deposit fund only when a trade is in progress. That is why, as a seller, you'll get a deposit address only when you start a trade with someone. As soon as the trade is over, i.e. you accept receiving FIAT/Alt coin from the buyer, your fund will be released and go to buyer's bitcoin address. So, in case of any security breach, you will remain unaffected unless you are doing trade exactly at that moment. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: amiryaqot on April 05, 2015, 04:36:57 PM I still waiting the payment, how much i will get for my reported bugs? No bounty yet received ! No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time. Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get? Have a great Easter. i also register there but did not get confirmation email from 2 hours of waiting? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 05, 2015, 06:06:18 PM I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported??? Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM. It seems, no one has found any problem in order execution so far. Would like to hear about testing report of that part... By order execution I think you mean the order.php page??? If yes there is XSS in that page http://www.100bit.co.in/order.php Code: POST params: order_type=Buy&order_amt_in_btc=123"""><script>alert(12)</script>&order_amt_in_currency=aaa"""><script>alert(13)</script>¤cy=aaa"""><script>alert(14)</script>&order_country=aaa"""><script>alert(15)</script>&order=Post+Order&order_payment_mode=aaa"""><script>alert(16)</script> Here when you will POST this data you will see prompt "14", "15" and "16" which proves there is XSS in params => currency, order_country and order_payment_mode. http://i59.tinypic.com/2cwy81.jpg http://i60.tinypic.com/2iuoolz.png Please let me know do this qualify for bounty if its unreported vuln? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 05, 2015, 06:23:42 PM In http://www.100bit.co.in/settings.php
the name testbox is also vulnerable to xss if you enter Code: sbank"><script>alert(12);</script> you will be able to see prompt Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 05, 2015, 07:57:08 PM XSS attack & SQL injection problem on all pages are already known and those bounties will go for mainly to MagicSnow & partly to seoincorporation. Requesting everyone to find some other bug.
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: PotatoPie on April 05, 2015, 09:30:10 PM 1. The captcha could easily be detected by using OCT Tesseract, so that's completely useless.
2. http://www.100bit.co.in/authenticate.php?user_id=" (SQLi) 3. No CSRF protection anywhere 4. Vulnerable to clickjacking. 5. Modifying currency / country in settings so that the value = A string that breaks SQLi http://gyazo.com/70267440848463cbe9cf22e38fdc08cd (Not sanitized) so another SQLi here. Shows this SQLi on trade page. 6. "Name" on settings page vulnerable to XSS. 7. Shouldn't allow negative currencies http://gyazo.com/509791dd4e4fc300272d26e936cbcb12 . Massive issues could arise later on. 8. Payment mode on the orders page is vuln to persistent XSS. 9. By the looks of it, you can delete others buy orders http://www.100bit.co.in/order.php?mode=del&type=Buy&order_id=[orderid] 10. Persistent XSS in orders page by editing currency or country POST fields. 11. SQLi in trade page in post vars order and field. Escaping a string is not sufficient here as you're allowing the the person to chose the MySQL column. NEVER ALLOW THE CLIENT ACCESS TO ANYTHING THAT NEEDS TO BE DONE SERVER SIDED. 12. About Me in settings allows HTML, leads to XSS and other things such as good old iframing -> clickjacking on your site. 13. You can see everyone elses ticket IDs http://www.100bit.co.in/reply.php?ticket_id=[ticketid] and reply to them 14. XSS on the reply field of the ticket system. 15. The verify email token is an encrypted text that you obviously try to decrypt (I can see in the SQLi in authenticate.php). Don't have any tokens that contain informative values in them. I think I'll finish up there, I could probably continue and find even more. The site is heavily vulnerable and I would highly suggest allowing legitimate trading on it until all issues are fixed. I'd also suggest you use a PHP Framework such as laravel as you're not quite proficient in security with basic PHP. Regards, PotatoPie. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Roberson on April 05, 2015, 09:59:31 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day !
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 05, 2015, 10:12:17 PM 1. The captcha could easily be detected by using OCT Tesseract, so that's completely useless. 2. http://www.100bit.co.in/authenticate.php?user_id=" (SQLi) 3. No CSRF protection anywhere 4. Vulnerable to clickjacking. 5. Modifying currency / country in settings so that the value = A string that breaks SQLi http://gyazo.com/70267440848463cbe9cf22e38fdc08cd (Not sanitized) so another SQLi here. Shows this SQLi on trade page. 6. "Name" on settings page vulnerable to XSS. 7. Shouldn't allow negative currencies http://gyazo.com/509791dd4e4fc300272d26e936cbcb12 . Massive issues could arise later on. 8. Payment mode on the orders page is vuln to persistent XSS. 9. By the looks of it, you can delete others buy orders http://www.100bit.co.in/order.php?mode=del&type=Buy&order_id=[orderid] 10. Persistent XSS in orders page by editing currency or country POST fields. 11. SQLi in trade page in post vars order and field. Escaping a string is not sufficient here as you're allowing the the person to chose the MySQL column. NEVER ALLOW THE CLIENT ACCESS TO ANYTHING THAT NEEDS TO BE DONE SERVER SIDED. 12. About Me in settings allows HTML, leads to XSS and other things such as good old iframing -> clickjacking on your site. 13. You can see everyone elses ticket IDs http://www.100bit.co.in/reply.php?ticket_id=[ticketid] and reply to them 14. XSS on the reply field of the ticket system. 15. The verify email token is an encrypted text that you obviously try to decrypt (I can see in the SQLi in authenticate.php). Don't have any tokens that contain informative values in them. I think I'll finish up there, I could probably continue and find even more. The site is heavily vulnerable and I would highly suggest allowing legitimate trading on it until all issues are fixed. I'd also suggest you use a PHP Framework such as laravel as you're not quite proficient in security with basic PHP. Regards, PotatoPie. Thanks for the list. Most of your points are related to XSS or SQLi attack, which are already known and will be fixed soon. Once those are fixed, I'll PM you to check if you can still find problem and if you do, you'll definitely be awarded bounty for that. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 05, 2015, 10:13:39 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 05, 2015, 10:46:54 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? And when you will pay the bounty :-\ more than 1 day waiting now... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: BitcoinExchangeIndia.com on April 05, 2015, 10:53:04 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? And when you will pay the bounty :-\ more than 1 day waiting now... I think OP already stated it before... No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: RealPhotoshoper on April 05, 2015, 11:02:11 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? in the title and the first post you didnt say bugs related to XSS or SQLi , it means any bugs. but now you say "The bug you found is not related to XSS or SQLi" , so is my report qualified for the bounty? Thanks Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 05, 2015, 11:17:19 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? in the title and the first post you didnt say bugs related to XSS or SQLi , it means any bugs. but now you say "The bug you found is not related to XSS or SQLi" , so is my report qualified for the bounty? Thanks http://roflnlol.com/wp-content/uploads/2013/01/when-facepalmnot-enough.jpg Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 05, 2015, 11:35:52 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? in the title and the first post you didnt say bugs related to XSS or SQLi , it means any bugs. but now you say "The bug you found is not related to XSS or SQLi" , so is my report qualified for the bounty? Thanks XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug, which is already known ? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: PotatoPie on April 06, 2015, 12:18:46 AM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? in the title and the first post you didnt say bugs related to XSS or SQLi , it means any bugs. but now you say "The bug you found is not related to XSS or SQLi" , so is my report qualified for the bounty? Thanks XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug, which is already known ? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch. If you read over my list, you'd see a few. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 06, 2015, 12:35:34 AM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? in the title and the first post you didnt say bugs related to XSS or SQLi , it means any bugs. but now you say "The bug you found is not related to XSS or SQLi" , so is my report qualified for the bounty? Thanks XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug, which is already known ? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch. But when we will get it? what are we waiting? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 06, 2015, 05:32:41 PM Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day ! You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ? in the title and the first post you didnt say bugs related to XSS or SQLi , it means any bugs. but now you say "The bug you found is not related to XSS or SQLi" , so is my report qualified for the bounty? Thanks XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug, which is already known ? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch. But when we will get it? what are we waiting? Payment will be sent to all together after fixing those issues. At this moment some of the issues are solved and we are PMing those who raised it. After resolution of the raised bugs everyone will be paid together. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 09, 2015, 03:29:41 PM As promised, here is the list of bug bounty winners...
MagicSnow (https://bitcointalk.org/index.php?action=profile;u=239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1 Bugs Found: XSS, SQLi, Unauthenticated Ticket access, Unauthenticated Order deletion. seoincorporation (https://bitcointalk.org/index.php?action=profile;u=334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05 Bugs Found: Automated ticket creation, Independenly found XSS attack though MagicSnow PMed it before. franckuestein (https://bitcointalk.org/index.php?action=profile;u=225121) => 0.01 Bugs Found: Spelling Mistake Roberson (https://bitcointalk.org/index.php?action=profile;u=490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03 Bugs Found: Found 404 error led by broken link RealPhotoshoper (https://bitcointalk.org/index.php?action=profile;u=497745) => ? = 0.03 Bugs Found: Blank registration page after wrong input and a Good suggestion for email At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard of him. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Coinbuddy on April 09, 2015, 05:55:39 PM It says
Please provide an eight character alphanumeric password. But i can set password as "abcdefig" Another thing I just need to put captcha when submitting a ticket.It does not say that you must write subject and description.So people can spam the system by using a bot! Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: RealPhotoshoper on April 09, 2015, 08:04:25 PM received my payment thanks! goodluck for your business!
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 09, 2015, 09:47:27 PM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha.
It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 09, 2015, 10:01:15 PM Also there is a full path disclosure vulnerability in captcha.php
If you save the captcha image from this page and view in hex editor you can see the complete server path to the file. http://i62.tinypic.com/21e6g77.png Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Jimmy Wales on April 09, 2015, 10:10:07 PM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha. It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks How will the attacker create 1000's of new users ? It seems email authentication is required to create each user. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 09, 2015, 10:16:46 PM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha. It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks How will the attacker create 1000's of new users ? It seems email authentication is required to create each user. Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Jimmy Wales on April 09, 2015, 10:24:20 PM Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. Is there some SQL injection possible at email authentication link ? It seems another user was talking about it or is that fixed now ? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 09, 2015, 10:28:06 PM Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. Is there some SQL injection possible at email authentication link ? It seems another user was talking about it or is that fixed now ? I am not aware it was there before or not but seems to be fixed now. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: PotatoPie on April 10, 2015, 03:58:51 AM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha. It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks How will the attacker create 1000's of new users ? It seems email authentication is required to create each user. Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users. In addition to this, there are more vulnerabilities that have been unpatched. 1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable. 2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable. 3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it. 4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well. I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 10, 2015, 11:59:08 AM As promised, here is the list of bug bounty winners... MagicSnow (https://bitcointalk.org/index.php?action=profile;u=239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1 Bugs Found: XSS, SQLi, Unauthenticated Ticket access, Unauthenticated Order deletion. seoincorporation (https://bitcointalk.org/index.php?action=profile;u=334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05 Bugs Found: Automated ticket creation, Independenly found XSS attack though MagicSnow PMed it before. franckuestein (https://bitcointalk.org/index.php?action=profile;u=225121) => 0.01 Bugs Found: Spelling Mistake Roberson (https://bitcointalk.org/index.php?action=profile;u=490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03 Bugs Found: Found 404 error led by broken link RealPhotoshoper (https://bitcointalk.org/index.php?action=profile;u=497745) => ? = 0.03 Bugs Found: Blank registration page after wrong input and a Good suggestion for email At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard of him. All of them have been paid... https://blockchain.info/tx/8b8c6380391edd484571722696548710a7c6ebc1f82618dd25507037a0c4fb2b @PotatoPie Previously we sent you a PM which you did not reply. We have sent you another PM. If you still do not reply, we can not reward you any bug bounty. Whoever is finding the bug needs to respond to our PM so that we can fix those issues. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Coinbuddy on April 10, 2015, 01:24:14 PM It says Please provide an eight character alphanumeric password. But i can set password as "abcdefig" Another thing I just need to put captcha when submitting a ticket.It does not say that you must write subject and description.So people can spam the system by using a bot! @100bitcoin I think you missed this Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: seoincorporation on April 10, 2015, 02:54:31 PM As promised, here is the list of bug bounty winners... MagicSnow (https://bitcointalk.org/index.php?action=profile;u=239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1 Bugs Found: XSS, SQLi, Unauthenticated Ticket access, Unauthenticated Order deletion. seoincorporation (https://bitcointalk.org/index.php?action=profile;u=334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05 Bugs Found: Automated ticket creation, Independenly found XSS attack though MagicSnow PMed it before. franckuestein (https://bitcointalk.org/index.php?action=profile;u=225121) => 0.01 Bugs Found: Spelling Mistake Roberson (https://bitcointalk.org/index.php?action=profile;u=490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03 Bugs Found: Found 404 error led by broken link RealPhotoshoper (https://bitcointalk.org/index.php?action=profile;u=497745) => ? = 0.03 Bugs Found: Blank registration page after wrong input and a Good suggestion for email At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard of him. All of them have been paid... https://blockchain.info/tx/8b8c6380391edd484571722696548710a7c6ebc1f82618dd25507037a0c4fb2b @PotatoPie Previously we sent you a PM which you did not reply. We have sent you another PM. If you still do not reply, we can not reward you any bug bounty. Whoever is finding the bug needs to respond to our PM so that we can fix those issues. I get the 0.05 payment, thx to user 100Bitcoin. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 10, 2015, 04:29:19 PM It says Requesting users to provide alphanumeric password is a suggestion for strong password. But, if someone provides a weak one, it is their choice and we allow it.Please provide an eight character alphanumeric password. But i can set password as "abcdefig" Another thing Unless the CAPTCHA is broken, one can not spam the system using bot instead of allowing blank post in subject/description.I just need to put captcha when submitting a ticket.It does not say that you must write subject and description.So people can spam the system by using a bot! Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Jimmy Wales on April 10, 2015, 04:36:58 PM Also there is a full path disclosure vulnerability in captcha.php If you save the captcha image from this page and view in hex editor you can see the complete server path to the file. http://i62.tinypic.com/21e6g77.png Is it a bug ? How does it affect the service ? What harm an attacker can do by knowing the full path of captcha.php ? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: andulolika on April 10, 2015, 05:17:51 PM Hey if you ever think about translating the webpage i can do Spanish and Romanian, English and between themselves.
Thanks. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 10, 2015, 09:31:40 PM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha. It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks How will the attacker create 1000's of new users ? It seems email authentication is required to create each user. Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users. In addition to this, there are more vulnerabilities that have been unpatched. 1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable. 2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable. 3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it. 4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well. I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it. If you reported it before me then you should get the bounty. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 14, 2015, 12:34:40 AM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha. It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks How will the attacker create 1000's of new users ? It seems email authentication is required to create each user. Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users. In addition to this, there are more vulnerabilities that have been unpatched. 1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable. 2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable. 3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it. 4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well. I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it. If you reported it before me then you should get the bounty. Can you please check if the bugs you mentioned still do exist in the system or they are fixed now ? Please do let us know if you can find any other bug. Please PM us with example. Also, please provide your bitcoin address... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: btc_enigma on April 14, 2015, 08:11:37 AM Register is not working
When i clicked on activation email Quote http://100bit.co.in/authenticate.php?user_id=5uD5a%2BbTvEY9K%2F3jT2%2Fc13slAAw8VxCmngaR6O1YaD8%3D Its redirecting to register page and doing nothing Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Jimmy Wales on April 14, 2015, 03:39:13 PM Register is not working When i clicked on activation email Quote http://100bit.co.in/authenticate.php?user_id=5uD5a%2BbTvEY9K%2F3jT2%2Fc13slAAw8VxCmngaR6O1YaD8%3D Its redirecting to register page and doing nothing It seems the registration page clearly states the following... Quote Warning! We are working on the system. New registration is disabled for now. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 14, 2015, 05:31:17 PM Register is not working When i clicked on activation email Quote http://100bit.co.in/authenticate.php?user_id=5uD5a%2BbTvEY9K%2F3jT2%2Fc13slAAw8VxCmngaR6O1YaD8%3D Its redirecting to register page and doing nothing It seems the registration page clearly states the following... Quote Warning! We are working on the system. New registration is disabled for now. We have enabled new registration again... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Mehek on April 15, 2015, 01:01:37 AM hey I have got a bug..I cannot view the captcha verification on my opera mini browser....but when I opened with the uc browser then I am able to view it....please fix this
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Jimmy Wales on April 15, 2015, 09:39:47 AM hey I have got a bug..I cannot view the captcha verification on my opera mini browser....but when I opened with the uc browser then I am able to view it....please fix this I dont think they can do much about it. Google NoCaptcha ReCaptcha does not work on partial javascript browsers like Opera Mini or old IE browsers. That should not be counted as a bug. As such Google NoCaptcha ReCaptcha is a very safe and reliable one. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Johny Depp on April 15, 2015, 03:51:40 PM Could not find any more bug. When do you plan to remove the warning from registration page ?
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: mrhelpful on April 15, 2015, 04:13:06 PM At this point, I dont think theres any bugs to find.
I could be wrong, but the very basic ones that were obvious are long gone for some free btc lol. So anyone hoping to get it that way youre out of luck, its more of the indepth coder to see if its vulnerable or not. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: googleindo on April 20, 2015, 12:00:20 AM what is this? http://www.100bit.co.in/admin , let me know if this helpful.
also maybe in 404 error page you should added text like " the page is not found " or something else Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: btc_enigma on April 20, 2015, 01:14:39 PM I can register with multiple emailids (sepearated by commas) in registration page
Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 21, 2015, 09:30:20 AM what is this? http://www.100bit.co.in/admin , let me know if this helpful. also maybe in 404 error page you should added text like " the page is not found " or something else Like every user ID, admin ID can be seen as well. That is no bug. 404 error page is already in place - www.100bit.co.in/error404.php Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MoonOfLife on April 22, 2015, 10:51:24 AM in seting we cant edit our user id ?
i think you need add this seting ,, cause i cant remember my user id edit: and .. i found this http://s1.postimg.org/b4h2tgay3/Untitled.jpg (http://postimg.org/image/b4h2tgay3/) just click thats image from http://www.100bit.co.in/home.php if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 22, 2015, 05:56:35 PM in seting we cant edit our user id ? i think you need add this seting ,, cause i cant remember my user id edit: and .. i found this http://s1.postimg.org/b4h2tgay3/Untitled.jpg (http://postimg.org/image/b4h2tgay3/) just click thats image from http://www.100bit.co.in/home.php if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox. You have home button return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in". None of the above are bug. Thanks for trying anyway... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MoonOfLife on April 23, 2015, 02:15:34 AM in seting we cant edit our user id ? i think you need add this seting ,, cause i cant remember my user id edit: and .. i found this http://s1.postimg.org/b4h2tgay3/Untitled.jpg (http://postimg.org/image/b4h2tgay3/) just click thats image from http://www.100bit.co.in/home.php if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox. You have home button return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in". None of the above are bug. Thanks for trying anyway... i think its a bug , because at other site doesnt like that here my address : 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd if you want to send some BTC Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Albert Hamilton on April 24, 2015, 02:10:47 PM in seting we cant edit our user id ? i think you need add this seting ,, cause i cant remember my user id edit: and .. i found this http://s1.postimg.org/b4h2tgay3/Untitled.jpg (http://postimg.org/image/b4h2tgay3/) just click thats image from http://www.100bit.co.in/home.php if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox. You have home button return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in". None of the above are bug. Thanks for trying anyway... i think its a bug , because at other site doesnt like that here my address : 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd if you want to send some BTC To me, these do not appear to be bug. These are more of improvement suggestion... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 26, 2015, 07:55:12 PM I can register with multiple emailids (sepearated by commas) in registration page This one is expected to be fixed now. Please check at your end and let us know. Also, please provide your bitcoin address for a small bounty. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MoonOfLife on April 27, 2015, 06:12:35 AM suggestion
> add photo profile in seting > change dashboard [ because your dashnboard is doesnt interesting ] > add new feature on your site [ like forum on your site ] > can sell LTC > enable contac seller for discount or anything *lol _________ for bug .. i think its doesnt bug in your site again _______ ask 03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA what is that it show up after in password after write captcha your site say " please copy this ... " Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: GiocareHost on April 27, 2015, 09:42:04 AM I HAVE A BUG TO REPORT.
1.)Your website is vulnerable to Brute-force attack,since the login form is not asking for Captcha's(No captcha on the home page Login Box). 2.)Registration form without CSRF protection. 3.)Session cookie is without Secure flag set & HTTP only flag set. 4.)Vulnerable to Click jacking. In total I have detected 4 Major bugs which can be very harmful for your site. I can explain them to you,if you want. I hope you will not break your promise and send me 0.4 BTC to 1FzWfTTy8YCh1fRBBZ9Fuyym85Xoe4qYL8 add one more bug, user details are transmitted over an unencrypted channel. That makes it 0.5BTC Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: CoinFriend on April 27, 2015, 06:08:01 PM hey admin, why do you have two different threads?
why is no information about the BETA status on your website? and why do you provide so less information about your site. why you didn't answer my questions personally on the other thread? https://bitcointalk.org/index.php?topic=985796.0 Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Victor Beckham on April 27, 2015, 06:17:36 PM I HAVE A BUG TO REPORT. 1.)Your website is vulnerable to Brute-force attack,since the login form is not asking for Captcha's(No captcha on the home page Login Box). 2.)Registration form without CSRF protection. 3.)Session cookie is without Secure flag set & HTTP only flag set. 4.)Vulnerable to Click jacking. In total I have detected 4 Major bugs which can be very harmful for your site. I can explain them to you,if you want. I hope you will not break your promise and send me 0.4 BTC to 1FzWfTTy8YCh1fRBBZ9Fuyym85Xoe4qYL8 add one more bug, user details are transmitted over an unencrypted channel. That makes it 0.5BTC LoLz... according to OP, you may get up to 0.1BTC. It is not 0.1BTC per bug. Check about the others who got paid before you. They found more bugs than you have found. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Albert Hamilton on April 27, 2015, 06:53:03 PM hey admin, why do you have two different threads? why is no information about the BETA status on your website? and why do you provide so less information about your site. why you didn't answer my questions personally on the other thread? https://bitcointalk.org/index.php?topic=985796.0 As I can see, the registration page clearly says that the site is in BETA... www.100bit.co.in/register.php Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 27, 2015, 10:12:32 PM I HAVE A BUG TO REPORT. 1.)Your website is vulnerable to Brute-force attack,since the login form is not asking for Captcha's(No captcha on the home page Login Box). 2.)Registration form without CSRF protection. 3.)Session cookie is without Secure flag set & HTTP only flag set. 4.)Vulnerable to Click jacking. In total I have detected 4 Major bugs which can be very harmful for your site. I can explain them to you,if you want. I hope you will not break your promise and send me 0.4 BTC to 1FzWfTTy8YCh1fRBBZ9Fuyym85Xoe4qYL8 add one more bug, user details are transmitted over an unencrypted channel. That makes it 0.5BTC Please note that, maximum payment you may receive is 0.1BTC and you need to provide explanation of your bugs. We have sent you PM regarding this. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 27, 2015, 10:19:49 PM suggestion > add photo profile in seting > change dashboard [ because your dashnboard is doesnt interesting ] > add new feature on your site [ like forum on your site ] > can sell LTC > enable contac seller for discount or anything *lol _________ for bug .. i think its doesnt bug in your site again Thank you for the suggestions. You can already sell LTC and communicate with seller when the order is in progress. Nice to know that you did not find any bug. ask 03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA what is that it show up after in password after write captcha your site say " please copy this ... " Can you please provide a screenshot of this ? Also, please let us know when you are getting this and in which browser. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 27, 2015, 10:29:01 PM hey admin, why do you have two different threads? why is no information about the BETA status on your website? and why do you provide so less information about your site. why you didn't answer my questions personally on the other thread? https://bitcointalk.org/index.php?topic=985796.0 Extremely sorry for the delay. We were little busy in providing support on the site. We have replied to you in the Active Trader thread as well. This one is for bug bounty. So, there are 2 different threads. Thank you for your interest. :) Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MoonOfLife on April 28, 2015, 01:31:11 AM suggestion > add photo profile in seting > change dashboard [ because your dashnboard is doesnt interesting ] > add new feature on your site [ like forum on your site ] > can sell LTC > enable contac seller for discount or anything *lol _________ for bug .. i think its doesnt bug in your site again Thank you for the suggestions. You can already sell LTC and communicate with seller when the order is in progress. Nice to know that you did not find any bug. ask 03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA what is that it show up after in password after write captcha your site say " please copy this ... " Can you please provide a screenshot of this ? Also, please let us know when you are getting this and in which browser. sorry i forget screenshot browser :UcBrowser [ mobile browser ] and can u add : > converter btc to any currency > and currency BTC to $ graph i will very thx if you donate me / pay me for some btc 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Albert Hamilton on April 28, 2015, 10:53:21 AM I HAVE A BUG TO REPORT. 1.)Your website is vulnerable to Brute-force attack,since the login form is not asking for Captcha's(No captcha on the home page Login Box). I wonder how do u brute-force here ? They are behind CloudFlare. Your loop wont work from browser/iframe/command prompt. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: CoinFriend on April 28, 2015, 11:43:00 AM hey admin, why do you have two different threads? why is no information about the BETA status on your website? and why do you provide so less information about your site. why you didn't answer my questions personally on the other thread? https://bitcointalk.org/index.php?topic=985796.0 Extremely sorry for the delay. We were little busy in providing support on the site. We have replied to you in the Active Trader thread as well. This one is for bug bounty. So, there are 2 different threads. Thank you for your interest. :) thanks for reply. I am a little bit confused now. I don't understand why you didn't offer the same reward for the active traders, for finding bugs. Does someone who is active not deserve a reward if he found something wrong? And why is there no information / link about the other thread on each? Are this both really the only two? Or is there also one where you explain how your site works and what i can do with your site? I like to know this information before i fill out register form on a site! And yeah, i understand that you must be busy if you have to manage two threads to support your site^^ Later i have look what you reply in the Active Trader thread as well... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: GiocareHost on April 28, 2015, 02:21:29 PM I HAVE A BUG TO REPORT. 1.)Your website is vulnerable to Brute-force attack,since the login form is not asking for Captcha's(No captcha on the home page Login Box). I wonder how do u brute-force here ? They are behind CloudFlare. Your loop wont work from browser/iframe/command prompt. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: Albert Hamilton on April 28, 2015, 03:34:02 PM I HAVE A BUG TO REPORT. 1.)Your website is vulnerable to Brute-force attack,since the login form is not asking for Captcha's(No captcha on the home page Login Box). I wonder how do u brute-force here ? They are behind CloudFlare. Your loop wont work from browser/iframe/command prompt. I'm under attack mode is available under free plan only. Moreover they initially had a CAPTCHA on the home page as well as you'll find in the screenshot in OP. May be they are not using it right now for some reason... Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 28, 2015, 04:33:05 PM suggestion > add photo profile in seting > change dashboard [ because your dashnboard is doesnt interesting ] > add new feature on your site [ like forum on your site ] > can sell LTC > enable contac seller for discount or anything *lol _________ for bug .. i think its doesnt bug in your site again Thank you for the suggestions. You can already sell LTC and communicate with seller when the order is in progress. Nice to know that you did not find any bug. ask 03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA what is that it show up after in password after write captcha your site say " please copy this ... " Can you please provide a screenshot of this ? Also, please let us know when you are getting this and in which browser. sorry i forget screenshot browser :UcBrowser [ mobile browser ] and can u add : > converter btc to any currency > and currency BTC to $ graph i will very thx if you donate me / pay me for some btc 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd It is good if you can recreate the situation, take a screenshot and post. If it is found to be a bug, u might win a small bounty. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 28, 2015, 04:40:49 PM hey admin, why do you have two different threads? why is no information about the BETA status on your website? and why do you provide so less information about your site. why you didn't answer my questions personally on the other thread? https://bitcointalk.org/index.php?topic=985796.0 Extremely sorry for the delay. We were little busy in providing support on the site. We have replied to you in the Active Trader thread as well. This one is for bug bounty. So, there are 2 different threads. Thank you for your interest. :) thanks for reply. I am a little bit confused now. I don't understand why you didn't offer the same reward for the active traders, for finding bugs. Does someone who is active not deserve a reward if he found something wrong? And why is there no information / link about the other thread on each? Are this both really the only two? Or is there also one where you explain how your site works and what i can do with your site? I like to know this information before i fill out register form on a site! And yeah, i understand that you must be busy if you have to manage two threads to support your site^^ Later i have look what you reply in the Active Trader thread as well... 1. Of course traders may find bug and we appreciate that. But, we have some forum structure here where different sub-forum has different significance. Bug bounty does not go for Trading Discussion. So we posted it here. Traders can easily participate here. 2. You are correct indeed. We might do cross-linking for more exposure. You will also find our service announcement thread in our signature only. How things work on www.100bit.co.in is on the home page only. Just click on the Click to learn more about 100bit.co.in link on the home page. In future we have plan for video tutorial as well. 3. I was not busy on these 2 threads. I was busy on the site support. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MoonOfLife on April 28, 2015, 04:45:34 PM Code: Page Found: http://www.100bit.co.in/admin.php nice site .. i like your trap ;D page found but all of them is " 302 Moved Temporarily " http://www.100bit.co.in/root/ OK http://www.100bit.co.in/admin/ OK http://www.100bit.co.in/common 200 OK :o this is place your template ... right ? but is moved :o Analyzing http://www.100bit.co.in/*/ with defined injection point Injecting into defined injection point by user Host IP: 104.28.29.49 Web Server: cloudflare-nginx Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: MoonOfLife on April 28, 2015, 05:18:21 PM suggestion > add photo profile in seting > change dashboard [ because your dashnboard is doesnt interesting ] > add new feature on your site [ like forum on your site ] > can sell LTC > enable contac seller for discount or anything *lol _________ for bug .. i think its doesnt bug in your site again Thank you for the suggestions. You can already sell LTC and communicate with seller when the order is in progress. Nice to know that you did not find any bug. ask 03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA what is that it show up after in password after write captcha your site say " please copy this ... " Can you please provide a screenshot of this ? Also, please let us know when you are getting this and in which browser. sorry i forget screenshot browser :UcBrowser [ mobile browser ] and can u add : > converter btc to any currency > and currency BTC to $ graph i will very thx if you donate me / pay me for some btc 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd It is good if you can recreate the situation, take a screenshot and post. If it is found to be a bug, u might win a small bounty. ok .. im understand now what is this " 03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA " this is like api_key just place it in https://www.google.com/recaptcha/api2/payload?c=............ it will show up the image captcha like this https://www.google.com/recaptcha/api2/payload?c=03AHJ_VuvV2iRHYBU8lOOJl3wcEZOtGIswnfHNtYlyB-8erRL7eHlQFhEamx1KopiwpP9SR7DA0hAmn5yOBEhK5b9FpJcJgTHk5dcx4tG1dfh_G2F8AKeyQRznRHX4EWhuqQpcMQS1jKIc5sCp1Vk-DsHkDAPOK5ctYv8_1rTGNPxZkZ6BOCSvI8GukEi8X7DNifqCDBB9KOS5jDFKHXB0FtfLQfKj5K8fBbpDkgoBpl05tpow0LyiopnU35JRK7vERHm0QOcli0sC-ldrOB4qe_shDMOQP2mUmYslU_Qz6tkTa_4eJ5Z7kzh5Smwdn__vpKIdTTnXs78Zabq30Tsf84Hu0XMnQgRXh0oD4LqYr3-VNZivqh712KyW30wUJHhWWVj6yfooyH4JoVMpuUmTXPbcdA_nQ1bmMg&k=6LeZMQUTAAAAANZFVY3bMj-3FumZdL8EUSasyL42 it will delete api every 5 minute *if you want to see your api just click right and save image url > copy + paste > and https://www.google.com/*/*/payload?c={your api} _______ and i have method to bypass your captcha test here : http://www.100bit.co.in/recover.php 1. dont write your email because waste your 1 sec time *lol 2. click verify 3. captcha will show up 4. go to register page 5. back again 6. verify and you are not robot ;D note : it just waste your time ,, haha. but you can make some script imacros for spam recover password until the mailer die hahahahaha Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: sbankerdemon on April 28, 2015, 08:45:42 PM your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha. It can be easily decoded with any OCR for example Code: https://code.google.com/p/tesseract-ocr/downloads/list use tesseract-ocr-setup-3.02.02.exe after installing this just run command tesseract captcha.png decoded.txt -l eng example: http://i59.tinypic.com/34ijko2.png It will be accurate 95% of times. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc. thanks How will the attacker create 1000's of new users ? It seems email authentication is required to create each user. Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha. I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users. In addition to this, there are more vulnerabilities that have been unpatched. 1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable. 2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable. 3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it. 4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well. I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it. If you reported it before me then you should get the bounty. Can you please check if the bugs you mentioned still do exist in the system or they are fixed now ? Please do let us know if you can find any other bug. Please PM us with example. Also, please provide your bitcoin address... The captcha now is fine. However I think users can delete other users orders still. Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on April 28, 2015, 09:25:56 PM The captcha now is fine. However I think users can delete other users orders still. Are you sure ? Can you please PM me an example ? Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: SalmanKhanChampion on July 14, 2015, 10:37:53 AM Hi,
I've reported some vulnerabilities through http://www.100bit.co.in/support.php. Kindly check them all. I actually don't know where to report so I've reported them via http://www.100bit.co.in/support.php Title: Re: [100bit.co.in] Earn up to 0.1 BTC for finding bugs Post by: 100bitcoin on July 14, 2015, 03:09:11 PM Hi, I've reported some vulnerabilities through http://www.100bit.co.in/support.php. Kindly check them all. I actually don't know where to report so I've reported them via http://www.100bit.co.in/support.php Thank you so much for your interest in betterment of the system. We have replied to all the tickets you have raised. |
