Bitcoin Forum

Bitcoin => Project Development => Topic started by: hyde on March 17, 2014, 06:11:30 AM



Title: [Alpha Test] GlobalFreeMarkets.com
Post by: hyde on March 17, 2014, 06:11:30 AM
Hello,

I'm Steve, a developer, and I've been working on a market site, http://GlobalFreeMarkets.com, for the last year or so. It appears to be at a stable point where I can get some help/feedback.

If you're interested, I created a simple bug report page here: http://globalfreemarkets.com/api/bugs/add/

As a thank-you for helping uncover bugs, I added a field in the bug report for your PUBLIC bitcoin address. Approved submissions will be sent bitcoins based on a percentage of the sales from this site, how critical the bug is, and the number of other reports in the list. Duplicate reports will not be included in the payout; security issues will receive the highest priority and will include a bonus payout.
 
For the first phase of testing, I will be focused on fixing bugs in these areas.
 
Phase:1.A Input Security*.
 I. Test all inputs for security vulnerabilities.

*There will be a bonus percentage applied to reports dealing with security issues.

Phase:1 CRUD Operations
  I. Create
      A. Check Rules
          1. Free Posts
              a. Maximum two free posts per 24 hours.
              b. Maximum twelve hours expiration time.
          2. Ticket Post
              a. Maximum 720 hours (30 days) expiration time.
      B. Email member.
          1. Contains link to edit the trade.
      C. What processes can be refined?
  II. Read
      A. Are the posts being displayed accurately?
      B. What views can be refined or changed?
  III. Update
      A. Does the post update correctly?
          1. According to rules (see above)?
  IV. Delete

Feel free to test the shopping cart system. Do NOT send any bitcoins as directed in the instructions. I will approve the purchases, which will let you try the trade ticket system. The trade ticket system allows you to extend the post length and quantity.
 
I will do my best to keep you informed, but please be patient. I have a full-time job plus kids in sports... so I'm pretty busy.
 
 Thanks,
 Steve
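The Phase 1 "Check Rules" items above (two free posts per 24 hours, a 12-hour cap on free posts, a 720-hour cap on ticket posts, and the same rules applying on update) are the kind of logic a tester will probe for off-by-one and bypass bugs. The following is an added reference implementation written for this page; it is not the site's code and Steve did not post it. The names `Post`, `check_create`, `check_update`, `try_create`, `try_update` and the kind labels `"free"`/`"ticket"` are assumptions, as is the reading that "per 24 hours" means a sliding window from the new post's timestamp and that the expiry cap is measured from the original creation time even on an edit (so an update cannot be used to extend a post past the cap). Timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits taken from the Phase 1 checklist in the post above.
FREE_POSTS_PER_WINDOW = 2
FREE_WINDOW = timedelta(hours=24)
FREE_MAX_LIFETIME = timedelta(hours=12)
TICKET_MAX_LIFETIME = timedelta(hours=720)   # 30 days

# Constructed base timestamp used by at(); not a real event time.
BASE = datetime(2014, 3, 17, 6, 0, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Return a timezone-aware timestamp `hours` after BASE (helper for examples/tests)."""
    return BASE + timedelta(hours=hours)


class RuleError(ValueError):
    """Raised when a create or update would break one of the posting rules."""


@dataclass
class Post:
    member: str        # account that owns the post
    kind: str          # "free" or "ticket" (labels assumed; the post does not name them)
    created: datetime  # timezone-aware
    expires: datetime  # timezone-aware


def _max_lifetime(kind: str) -> timedelta:
    if kind == "free":
        return FREE_MAX_LIFETIME
    if kind == "ticket":
        return TICKET_MAX_LIFETIME
    raise RuleError(f"unknown post kind: {kind!r}")


def check_create(existing: list[Post], new: Post) -> None:
    """Raise RuleError if `new` may not be created given the member's existing posts."""
    lifetime = new.expires - new.created
    if lifetime <= timedelta(0):
        raise RuleError("expiration must be after creation")
    if lifetime > _max_lifetime(new.kind):
        raise RuleError(f"{new.kind} post may not live longer than {_max_lifetime(new.kind)}")
    if new.kind == "free":
        # Sliding 24-hour window ending at the new post's own timestamp (assumption:
        # "per 24 hours" is read as a rolling window, not a calendar day).
        window_start = new.created - FREE_WINDOW
        recent = [p for p in existing
                  if p.member == new.member and p.kind == "free"
                  and window_start < p.created <= new.created]
        if len(recent) >= FREE_POSTS_PER_WINDOW:
            raise RuleError("free post limit reached for this 24-hour window")


def check_update(post: Post, new_expires: datetime) -> None:
    """Raise RuleError if editing `post` to expire at `new_expires` would exceed the cap.

    The cap is measured from the original creation time (assumption), so an edit
    cannot extend a post beyond what creation would have allowed.
    """
    lifetime = new_expires - post.created
    if lifetime <= timedelta(0):
        raise RuleError("expiration must be after creation")
    if lifetime > _max_lifetime(post.kind):
        raise RuleError(f"update would push {post.kind} post past {_max_lifetime(post.kind)}")


def try_create(existing: list[Post], new: Post) -> str:
    """Apply check_create and record the post on success; return 'ok' or 'rejected: ...'."""
    try:
        check_create(existing, new)
    except RuleError as err:
        return f"rejected: {err}"
    existing.append(new)
    return "ok"


def try_update(post: Post, new_expires: datetime) -> str:
    """Apply check_update and change the expiry on success; return 'ok' or 'rejected: ...'."""
    try:
        check_update(post, new_expires)
    except RuleError as err:
        return f"rejected: {err}"
    post.expires = new_expires
    return "ok"


if __name__ == "__main__":
    posts: list[Post] = []
    # Third free post within 24 hours should be refused; the others accepted.
    for h in (0, 1, 2):
        print(h, try_create(posts, Post("alice", "free", at(h), at(h + 6))))
    # An edit that would stretch the first post to 13 hours should also be refused.
    print("update", try_update(posts[0], at(13)))
```

When testing the real site, the cases worth trying are exactly the boundaries this code encodes: the third post just inside and just outside the 24-hour window, a lifetime of exactly 12 or 720 hours versus one second more, and an edit that extends a post past the cap that creation enforced.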


Title: Re: [Alpha Test] GlobalFreeMarkets.com
Post by: gogodr on March 17, 2014, 06:45:53 AM
http://globalfreemarkets.com/api/bugs/
Your server has directory listing enabled, which is immensely dangerous (it makes web crawling really easy).

Your 404 redirection is broken for some specific addresses:
http://globalfreemarkets.com/api/
goes to http://globalfreemarkets.com.com/

Your wp-admin file is not hidden and is open to brute-force attacks or exploitation of WP vulnerabilities:
http://globalfreemarkets.com/wp-admin

Just a couple of minutes of pentesting and I came up with all that.
I'll put it in your bug report interface too.

Edit:
The Save button in your interface doesn't work, but pressing Enter in the BTC address text box sends the GET
at http://globalfreemarkets.com/api/bugs/add
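The three findings in the post above (an auto-generated directory index, a redirect whose Location header points at a different host, and a reachable WordPress admin entry point) can each be recognised mechanically from a response. The following checker is an added example written for this page, not gogodr's tooling or the site's code. The sample responses in `SAMPLES` are constructed to resemble the reported behaviour and were not captured from the real server; `find_issues` and `scan` are names chosen here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (status, headers, body) modelled on the findings
# reported above. None of these were captured from the real site.
SAMPLES = {
    "http://globalfreemarkets.com/api/bugs/": (
        200, {"Content-Type": "text/html"},
        "<html><head><title>Index of /api/bugs</title></head><body>"
        "<h1>Index of /api/bugs</h1><a href=\"add/\">add/</a></body></html>"),
    "http://globalfreemarkets.com/api/": (
        302, {"Location": "http://globalfreemarkets.com.com/"}, ""),
    "http://globalfreemarkets.com/wp-admin": (
        302, {"Location": "http://globalfreemarkets.com/wp-login.php"}, ""),
    "http://globalfreemarkets.com/does-not-exist": (
        404, {}, "<html><body>Not found</body></html>"),
}

# Apache/nginx style auto-index pages carry an "Index of /..." title.
AUTOINDEX_RE = re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE)
# Paths that identify the WordPress admin entry points.
WP_ENTRY_RE = re.compile(r"^/(wp-admin|wp-login\.php)(/|$)")


def find_issues(url: str, status: int, headers: dict, body: str) -> list[str]:
    """Return a list of findings for one response; empty if nothing looks wrong."""
    issues = []
    parts = urlsplit(url)
    lower_headers = {k.lower(): v for k, v in headers.items()}

    # 1. Directory listing: a 200 whose body is an auto-generated index page.
    if status == 200 and AUTOINDEX_RE.search(body):
        issues.append("directory listing enabled")

    # 2. Redirect that leaves the site: Location host differs from the request host
    #    (the ".com.com" case above is a typo in a rewrite rule, but any off-site
    #    redirect on a not-found path deserves a look).
    if 300 <= status < 400:
        location = lower_headers.get("location", "")
        target = urlsplit(location).hostname
        if target and target != parts.hostname:
            issues.append(f"redirect leaves site: {location}")

    # 3. WordPress admin entry point that is not blocked: anything other than an
    #    explicit deny/not-found means the login surface is reachable.
    if WP_ENTRY_RE.match(parts.path) and status not in (401, 403, 404):
        issues.append("WordPress admin entry point reachable")

    return issues


def scan(samples: dict) -> dict:
    """Run find_issues over every (url -> response) pair and keep only the ones with findings."""
    report = {}
    for url, (status, headers, body) in samples.items():
        issues = find_issues(url, status, headers, body)
        if issues:
            report[url] = issues
    return report


if __name__ == "__main__":
    for url, issues in scan(SAMPLES).items():
        print(url)
        for issue in issues:
            print("  -", issue)
```

To use this against a live host, fetch each URL without following redirects and pass the status, headers and body into `find_issues`; the constructed samples here only show the shape of the three findings so the checker can be run offline.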


Title: Re: [Alpha Test] GlobalFreeMarkets.com
Post by: hyde on March 17, 2014, 02:14:41 PM
Cool, thank you! I will check the database to see if your bug reports were added. If not, I will add them for you.

OK, they were added. I separated them into their own records so you will get credit for each one, e.g. if there are 100 reports, you would have received credit for 1/100 of the bug reports. Since there are now four, you will get 4/100. I know it's a redundant process... I'll look into a more efficient way to add multiple reports in one post.

Thanks again.