Bitcoin Forum
Show Posts
1  Economy / Micro Earnings / Re: FaucetBOX.com Discussion on: July 08, 2015, 08:49:55 PM

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them either for FaucetBOX.com, how could they be fabricated in the context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.

You are right. A Referer check seems to be good enough to protect against CSRF. However, there are ways to get control of someone's browser and then spoof the headers (is XSS + CSRF possible?). Also, what about HTTPS, or if someone's browser doesn't send the Referer header (I guess 99% do, but still)? That would be considered an attack.

BTW Do you guys support p2sh for litecoin yet?

If you control someone's browser, why bother with CSRF? You can just attack directly. HTTPS isn't a problem: the referrer will be correct on the site itself and possibly not set/empty when coming from other sites (then one just assumes it's invalid). If someone's browser doesn't send headers, too bad. It's not a perfect solution, it's just the easiest. You should generate a token, save it in the session, add it as a hidden input in the form and compare it on request. But that requires more changes, while a referrer check will be sufficient for most.

Still no P2SH for Litecoin yet. No ETA either.

Touché. I tried to come up with something but shot myself in the leg instead.
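The token scheme FaucetBOX describes in the reply above (generate a token, save it in the session, add it as a hidden input, compare it on request), as an added example that is not FaucetBOX's or the faucet script's code. It assumes session_start() has already been called; the session key name, the form field name and the host yoursitewhatever.com (the placeholder used in the snippet quoted later on this page) are assumptions. The Referer/Origin check is kept as the secondary signal the reply suggests, with a missing header treated as invalid by default.

```php
<?php
// Added example, not the faucet script's or FaucetBOX's code.
// Assumes session_start() has run before any of these functions are called.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key name
const CSRF_FIELD_NAME  = 'csrf_token';   // assumed hidden form field name

// Create (or reuse) one random token per session. random_bytes() is CSPRNG-backed.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in the claim form.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy. hash_equals() runs in
// constant time, so the comparison does not leak how many leading bytes matched.
function csrf_valid(array $post): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD_NAME] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Secondary check: the request should come from our own host. A missing
// Origin/Referer is rejected unless the caller explicitly allows it, which
// matches the reply's "assume it's invalid" policy.
function referer_ok(array $server, string $ourHost, bool $allowMissing = false): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return $allowMissing;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

// Gate for the claim POST: both checks must pass before any payout code runs.
function claim_request_allowed(array $post, array $server): bool
{
    return csrf_valid($post) && referer_ok($server, 'yoursitewhatever.com');
}
```

The token is tied to the session rather than to the page, so it survives the user opening several tabs; if you would rather rotate it per request, regenerate it inside csrf_token() after each successful claim_request_allowed() call. Origin is consulted before Referer because browsers send Origin on cross-site POSTs even when they strip the Referer path.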
2  Economy / Micro Earnings / Re: FaucetBOX.com Discussion on: July 08, 2015, 08:22:13 PM

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them either for FaucetBOX.com, how could they be fabricated in the context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.

You are right. A Referer check seems to be good enough to protect against CSRF. However, there are ways to get control of someone's browser and then spoof the headers (is XSS + CSRF possible?). Also, what about HTTPS, or if someone's browser doesn't send the Referer header (I guess 99% do, but still)? That would be considered an attack.

BTW Do you guys support p2sh for litecoin yet?
3  Economy / Micro Earnings / Re: FaucetBOX.com Discussion on: July 08, 2015, 04:57:14 PM
Either way, it seems pretty easy to implement. Just checking against the referrer and returning to the homepage if it was found to be elsewhere should be sufficient.
Something like this maybe:
Code:
if($_SERVER['HTTP_REFERER'] != 'http://yoursitewhatever.com'){
    header('Location: /');
}
Once the form has submitted (~line 1138 on index.php).

I'm not that good with PHP, but I think that
Code:
header('Location: /');
won't end the script. So it will send the coins either way and only redirect to main page after that.
Code:
header('Location: /'); die();
should work though.

As soon as that header hits, the page forwards, so there's no need for closing out the PHP connection -- it's done by default. Even if you have other code after that, it will stop parsing at that line.

I myself wouldn't trust referer headers as they could be fabricated.

Even with your code changes (such as escaping strings), there are many vulnerabilities still open. I'm actually somewhat surprised something as important as dealing with people's finances (in the sense that the script has access to the wallet's funds) is even using SQLi, much less in a very insecure method. real_escape_string only prevents a small portion of injections from being possible, and if you really want to use that route, you should fix all of them.
As I said, the best way to do it without completely changing the DB software would be to use prepared statements, though that would still leave the script open to some forms of injection. What would you suggest to fix it?

I think PDO would do just fine. That plus validating the input (which in this case is only a wallet address) with base58 encoding/decoding (if anyone's interested I can provide a simple script).

Anyway, you're doing a great job guys! Keep it up.
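A hardened claim handler covering the three points raised in this post, as an added example that is not the faucet script's or FaucetBOX's code: the redirect is followed by exit so that the payout code below it never runs; the submitted address is validated by decoding it as Base58Check and verifying the double-SHA-256 checksum and version byte; and the database write goes through a PDO prepared statement with emulation turned off. The table name, column names, form field names, DSN and the per-currency version-byte mapping are assumptions about the script's schema; the bytes themselves are the standard mainnet values (Bitcoin P2PKH 0x00 / P2SH 0x05, Litecoin P2PKH 0x30, Dogecoin P2PKH 0x1e). The self-check at the bottom uses the well-known all-zero-hash160 Bitcoin address and a copy of it with one character changed.

```php
<?php
// Added example, not the faucet script's or FaucetBOX's code. Requires PHP 7.1+.
// Assumed schema: table `claims` (currency, address, amount, claimed_at);
// assumed form fields: `currency`, `address`.

declare(strict_types=1);

const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Assumed mapping of currency name to accepted address version bytes.
const ADDRESS_VERSIONS = [
    'bitcoin'  => [0x00, 0x05],
    'litecoin' => [0x30],
    'dogecoin' => [0x1e],
];

// Decode Base58 into raw bytes without bcmath/gmp; null on a bad character.
function base58_decode(string $s): ?string
{
    if ($s === '') {
        return null;
    }
    $bytes = [];                                   // big-endian base-256 digits
    foreach (str_split($s) as $c) {
        $carry = strpos(BASE58_ALPHABET, $c);
        if ($carry === false) {
            return null;
        }
        // bytes = bytes * 58 + digit, carrying from the least significant end
        for ($i = count($bytes) - 1; $i >= 0; $i--) {
            $carry += $bytes[$i] * 58;
            $bytes[$i] = $carry & 0xff;
            $carry >>= 8;
        }
        while ($carry > 0) {
            array_unshift($bytes, $carry & 0xff);
            $carry >>= 8;
        }
    }
    // Each leading '1' encodes one leading 0x00 byte.
    $zeros = strlen($s) - strlen(ltrim($s, '1'));
    return str_repeat("\x00", $zeros) . implode('', array_map('chr', $bytes));
}

// Base58Check layout: version(1) || hash160(20) || checksum(4), where the
// checksum is the first 4 bytes of SHA256(SHA256(version || hash160)).
function is_valid_address(string $addr, array $versions): bool
{
    $raw = base58_decode($addr);
    if ($raw === null || strlen($raw) !== 25) {
        return false;
    }
    $payload  = substr($raw, 0, 21);
    $checksum = substr($raw, 21, 4);
    $expected = substr(hash('sha256', hash('sha256', $payload, true), true), 0, 4);
    return hash_equals($expected, $checksum) && in_array(ord($raw[0]), $versions, true);
}

// The address is sent as a bound parameter, never spliced into the SQL text.
function record_claim(PDO $db, string $currency, string $address, int $amount): void
{
    $stmt = $db->prepare(
        'INSERT INTO claims (currency, address, amount, claimed_at) VALUES (:c, :a, :amt, NOW())'
    );
    $stmt->execute([':c' => $currency, ':a' => $address, ':amt' => $amount]);
}

function handle_claim(PDO $db, array $post): void
{
    $currency = $post['currency'] ?? '';
    $address  = $post['address'] ?? '';
    if (!is_string($currency) || !isset(ADDRESS_VERSIONS[$currency])
        || !is_string($address) || !is_valid_address($address, ADDRESS_VERSIONS[$currency])) {
        header('Location: /');
        exit;   // header() only queues the redirect; without exit the payout below still runs
    }
    record_claim($db, $currency, $address, 100);   // constructed payout amount
}

// Connection factory (placeholder DSN/credentials). Emulated prepares are
// disabled so the server, not the PHP client, keeps data separate from SQL.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=faucet', 'faucet', 'password', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Offline self-check of the validator (no database needed).
$good = '1111111111111111111114oLvT2';   // hash160 = 0x00..00, valid checksum
$bad  = '1111111111111111111114oLvT3';   // last character changed: checksum fails
assert(is_valid_address($good, ADDRESS_VERSIONS['bitcoin']) === true);
assert(is_valid_address($bad, ADDRESS_VERSIONS['bitcoin']) === false);
assert(is_valid_address($good, ADDRESS_VERSIONS['litecoin']) === false);   // wrong version byte
```

Validating the address before it reaches the query is what closes the gap the post mentions: with native prepares the database treats the bound value as data no matter what it contains, and the Base58Check step rejects anything that is not a well-formed address for the requested currency, including a valid Bitcoin address submitted to the Litecoin faucet.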
4  Alternate cryptocurrencies / Service Discussion (Altcoins) / Re: [LTC] List of Litecoin Faucets, Lotteries, Gaming Sites, Free Litecoin on: July 07, 2015, 08:18:29 AM
Hello everyone!

@BitcoinBoss you've done a great job!

Could you please consider adding www.bitowl.info to your list? My little site consists of three faucets.

Direct links to bitcoin and litecoin faucets:

Bitcoin - http://www.bitowl.info/currency/faucet/bitcoin
Litecoin - http://www.bitowl.info/currency/faucet/litecoin

I'd be pleased to see above on your list. Thanks.
5  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: [ANN] www.bitowl.info - Three faucets in one. on: July 06, 2015, 10:39:14 AM
I like your site. Nice design and very innovative, thank you for the free coins. Good luck with your project!

You're welcome! Thanks for the good words, I'll keep it up!
6  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: Scrypt.CC | Scrypt Cloud Mining on: July 02, 2015, 08:39:39 AM
It looks like they have problems with the email server, so that's why the site stays in lock down.
Right... and what does that have to do with anything?

You can't withdraw without an email server. I think everything will be ok. I have 15m Khs and am confident it will sort itself out.

Really? Please explain why?

Seriously guys, you need to wake up.
If scrypt.cc had any legitimacy then admin would have at least posted a message explaining why things have not gone as previously announced.
Instead, many users that have stated the site is a scam in the TB have been silenced or even had their account deleted. Who did that, I wonder? Surely not admin? /sarcasm
Can you not see that this is just part of cooling the marks down?

Take a deep breath and move on.

I guess people would believe in just about anything. Everybody needs a reason, even a crappy one.
7  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: Scrypt.CC | Scrypt Cloud Mining on: July 02, 2015, 07:55:37 AM
It looks like they have problems with the email server, so that's why the site stays in lock down.
Right... and what does that have to do with anything?
8  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: Scrypt.CC | Scrypt Cloud Mining on: July 01, 2015, 05:52:37 PM

It is legal man. Legal..

Fairly sure it isn't

As seen in stock exchange markets. You sell it cheap and someone takes your money that you bought some time ago at high

Deposits will not work some time.
Because admin; he/she wants to be the ONLY buyer at the Khs market..
He wants to buy his/her Khs back.

So not ponzi? MARCELO pays you for pretend hashes, I am confused

He/she sold you Khs at @900, right?
Now he/she will buy them back at maybe @100, right?

No buy wall because no deposit. Admin is the only big buyer.

So it is not ponzi, it is a well planned stock market tactic.

It was used by cavemen too: to kill mammoths, panic them and kill them en masse, dropping them from a height.

If only people could realise that and stop selling. But then again, how would they get their invested money back? Guess there's no win for the users then? Or is there?
9  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: www.bitowl.info - Three faucets in one. on: June 30, 2015, 12:53:52 PM
Hi, sorry there was a mistake in the url (I screwed the bbcode). Please check if it's working now.
10  Other / Off-topic / Re: Which BTC wallet are you using on: June 30, 2015, 09:29:33 AM
block.io - supports multiple currencies, nice api, reasonable security level.
11  Alternate cryptocurrencies / Service Announcements (Altcoins) / [ANN] www.bitowl.info - Three faucets in one. on: June 30, 2015, 09:13:52 AM
Hi, I've been developing a faucet script that supports multiple currencies to keep everything in one place. So far bitcoin, litecoin and dogecoin are supported.

www.bitowl.info - Free crypto

Here are some features my website has:
- 25% commission for inviting friends
- instant payouts to faucetbox
- multiplier events (up to 100% on top of the regular payouts)
- market data from Bleutrade, Cex.io and Btc-e with simple calculator
- list of promotional bonus offers

I'm working on a xapo and coinbase payout option at the moment, so users could receive their claims straight to their ewallets instead of waiting to reach the minimum payout threshold at faucetbox. Also considering adding dashcoin support soon (I wonder how people feel about using a dashcoin faucet - I haven't seen that many of them around).

Small, slick and simple website.

www.bitowl.info - Free crypto

Please share your thoughts on www.bitowl.info as this would help me a lot in further developments. Thanks!
12  Local / Alternative cryptocurrencies / Re: Which altcoins do Poles invest in? on: June 28, 2015, 01:23:31 AM
I'd advise taking a look at something called REDDCOIN (RDD). The creator has taken a really interesting direction: for about 7 months now he has been working on a multi-platform tipping system that is meant to connect Facebook, Twitter, YouTube and many other sites such as blogs, forums, etc. A few days ago he presented a video showing a really good browser wallet for sending tips; read up on SocialX. By the way, when trading RDD you have to be really careful (the coin generally pushes up all the time, only a few people don't let it shoot up, blocking it with hefty walls). That suits me, because I always buy RDD back from "panicked short-term" investors. Buying in the 10-15 range is a really good price; people put up walls counting on buying back cheaper, but like last time, if there's a spike, walls smaller than 80 BTC will fly apart like matchsticks.

Do you happen to know an exchange where RDD can be bought/sold? So far I've only come across the coin on bleutrade.

Speaking of coins built around the idea of 'giving away', DOGE comes to mind. For me it's the second most popular alt after Litecoin.
13  Local / Polish / Re: Good day, hi and hello on: June 26, 2015, 11:29:23 PM
Hello everyone. I'm curious how many of the people here regularly use online wallets. Who among you can share their experience with using such wallets?
You mean ones like blockchain.info?

I had in mind something like bitalo.com or xapo.com. Instead of installing wallet software on your computer, you can do all operations from a website. I've heard that transactions on such wallets are free.
14  Local / Polish / Re: Good day, hi and hello on: June 26, 2015, 12:54:02 PM
Hello everyone. I'm curious how many of the people here regularly use online wallets. Who among you can share their experience with using such wallets?