Bitcoin Forum
Show Posts
1841  Local / Deutsch (German) / Re: Providers of Bitcoin prepaid credit cards on: May 10, 2020, 10:05:59 AM
Did they perhaps write >>> soon on Telegram?

The first 500 MCO+ cards in Germany apparently already show as "Issued".
The last update via Twitter was that the week of the Bitcoin halving (i.e. next week) is the "best estimate" for the release. But, as is well known, that can't be relied upon.

But since several cards in Germany and the rest of the EU are already Issued, it really can't take much longer.
1842  Other / Archival / Re: [BUG] Stake.com Future Betcashout let you cashout multiple amount on: May 09, 2020, 02:02:45 PM
~snip~

You have basically 2 statements in your OP:

1)
[...] the open parameters on forum.stake.com is leaking the csrfKey [...]

2)
[...] I found a cashout flaw [...]


And as I already mentioned:
Regarding 1), the token is not being "leaked". The client needs to know it.
Regarding 2), your so-called "cashout flaw" does not allow you to really cashout. You are just able to manipulate visual things client-side.
1843  Other / Archival / Re: XXE attack on forum.stake.com confirms the it is vulnerable CVE-2018-7504 on: May 09, 2020, 01:50:36 PM
I dont have permission to inject scripts either, yet I was able to do so.

Then... what you did was illegal.

I don't know which country you are from. But the server is hosted by amazon in the US.
And when pentesting a service hosted by amazon, you don't only need the permission from the owner of the website, but also from amazon.

If you don't have both of them, you can be made liable for your actions.

1844  Other / Archival / Re: [BUG] Stake.com Future Betcashout let you cashout multiple amount on: May 09, 2020, 01:43:24 PM

That's a different topic.

Regardless of the other topic, what you have mentioned here is not a security vulnerability and is completely irrelevant.
1845  Other / Archival / Re: XXE attack on forum.stake.com confirms the it is vulnerable CVE-2018-7504 on: May 09, 2020, 01:42:11 PM
Description of subType of the issue:

X-XSS-Protection: 0

This behavior does not in itself constitute a vulnerability; in some cases XSS filters may themselves be leveraged to perform attacks against application users. However, in typical situations XSS filters do provide basic protection for application users against some XSS vulnerabilities in applications. The presence of this header should be reviewed to establish whether it affects the application's security posture.

Issue remediation

Review whether the application needs to disable XSS filters. In most cases you can gain the protection provided by XSS filters without the associated risks by using the following response header:

X-XSS-Protection: 1; mode=block

When this header is set, browsers that detect an XSS attack will simply render a blank page instead of attempting to sanitize the injected script. This behavior is considerably less likely to introduce new security issues.


The X-XSS-Protection header isn't really needed.
It isn't even implemented in Firefox.

It can be quite helpful with old browsers, but is pretty much useless since such things should be handled with CSP.



I am pasting the response from the server and some part of the request.

I was able to list the directory /.../etc/passwd with the payload, though the information was encrypted, as I was not able to go inside that folder.

<!ENTITY % parameter9 "-------retracted----

Payload with the hidden script: https://forum.stake.com/uploads/monthly_2020_05/payload.thumb.PNG.e582e1770e4dc9fb6ee69225efdb410a.PNG

Response: https://forum.stake.com/uploads/monthly_2020_05/response.thumb.PNG.05b58139d32afc4c68f2bf7961a7e1f6.PNG

I was able to get the client IP address, Server details.

I can't verify this since a permission from the owner is required to test anything which is related to injecting scripts/commands.
1846  Other / Archival / Re: [BUG] Stake.com Future Betcashout let you cashout multiple amount on: May 09, 2020, 01:20:01 PM
When you have no information about whether I uploaded anything to the server, why the hell are you speaking up?

Because your whole OP is nonsense and completely irrelevant.
The title is misleading. You cannot cash out anything. You even stated it in your OP:

I was unsuccessful in withdrawing the amount


Manipulating parameters in a request without any outcome is not a vulnerability. Period.
You showed us that the server does not accept those wrong parameters. So why do you claim that THIS is a security vulnerability ?
1847  Other / Archival / Re: [BUG] Stake.com Future Betcashout let you cashout multiple amount on: May 09, 2020, 01:03:02 PM
I was able to upload a script on your server, wasn't I ??

You didn't upload anything on my server. I am not affiliated with stake.com in any way.
I neither own nor administrate the server, nor have I used their website even once.



It is strange, I gave you information regarding the manipulation but you seem to challenge me and deny.

You didn't manipulate anything. All you did was play around with the free version of Burp Suite, changing a few parameters.
The server obviously reacted properly. If there was a vulnerability, you would have been able to withdraw funds this way (which btw was possible with a vulnerable exchange in the past).

But this was not the case here. Nothing happened. You were able to "trick" the locally running javascript with your own parameters... Nothing special.



Doesn't uploading JS files to your system and bypassing the XSS sanitizer show a vulnerable system??

You didn't upload anything and neither did you bypass anything.

All you did was change a parameter in a POST request.
You showed nothing regarding a server vulnerability.
1848  Other / Meta / Re: About the donation to bitcointalk on: May 09, 2020, 12:36:06 PM
I just see bitcoin as a currency that people want to make dollars from.
[...]
This is how I want bitcoin to be seen by the world. As a currency and not as an investment.

People usually make money from investments, not from currencies.
1BTC = 1BTC applies here.

If seen from a currency point of view, why would you care about the dollar value of BTC ?

Do you care how much your 1 USD is worth in CNY ? Currently 1 USD = 7.07 CNY. Wouldn't matter if it was 5 or 9 CNY.
Same applies to Bitcoin. It is intended as a currency. So the Donators and VIPs paid 10 / 50 BTC, regardless of the (USD/EUR/CNY/...) exchange rate.
1849  Other / Beginners & Help / Re: Bitcoin offline wallet suggestion on: May 09, 2020, 11:29:18 AM
If you want a list of good and trusted offline wallets you may visit this thread: https://bitcointalk.org/index.php?topic=5246017.msg54366883#msg54366883

The title of the thread is "Bitcoin offline wallet suggestion".
The OP states "[...] I want to know about any bitcoin offline wallet [...]"

And you link to a topic called "Best altcoin wallet" in the altcoin section including a list of all kinds of wallets for altcoins ?

Posts like this are a prime example of a use for the demerit button.




@OP
There are multiple kinds of offline storage options. It all depends on what exactly you want or need.
They all differ in usability, cost, security and maintenance.

The most relevant options are
  • Paper Wallets
  • Hot-/Cold Storage Setups with 2 devices
  • Hardware Wallets (kind of cold wallet; but not completely)

If you could describe your actual use-case a bit more closely, we would be able to give you better suggestions meeting your criteria.
1850  Bitcoin / Development & Technical Discussion / Re: To Create a Segwit Wallet Manually on: May 09, 2020, 11:19:35 AM
The first step is to generate the private keys and the public keys (addresses).

These are two public keys.

> 1NGJoYzwfMotjjBuZZ5H4BujcxGZMQDMoW  (private key 1)
> 1L3pUofp8EYX7uXVFy2gNSBTanmdC8sRWe (private key 2)


In addition to what pooya87 said, an address is not the same as a public key.

This all seems a little bit weird to me. This might be a case of an XY problem. What exactly do you want to achieve ? A 2 out of 2 multisig ?
And why do you want to do it without any computer ? Don't you trust your software or hardware ? Do you distrust any random number generator, or what specifically ?
1851  Other / Beginners & Help / Re: Decentralized services? on: May 09, 2020, 11:08:23 AM
It's just that spammers and general abuse fucked it up for the rest of us so that it has become unviable to run your own email server (ie. you can still run your own email server, but your emails will most likely end up in the spam folder).

Actually, that's not true.

I am running my own mailserver and didn't have a single problem with my mails yet.
None of them are marked as spam and all reach their destination without a problem.

If you follow a few guidelines, like signing mails (DKIM), reverse DNS hostname being correct, SPF and DMARC, you are very well able to host your own mailserver without any mails being rejected or marked as spam.
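An added check, not from the post's author, that tests the four guidelines named above (SPF, DMARC, DKIM key, forward-confirmed reverse DNS) against a constructed DNS zone; `lookup`, the domain `example.test`, the selector `mail` and every record value are assumptions standing in for real DNS queries.

```python
# Constructed DNS zone for a hypothetical domain; `lookup` stands in for real DNS
# queries (e.g. via dnspython) so the check runs offline.
ZONE = {
    ("example.test", "TXT"): ["v=spf1 mx a:mail.example.test -all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    ("mail._domainkey.example.test", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.test"],
}


def lookup(name, rtype):
    return ZONE.get((name, rtype), [])


def check_outbound_mail_setup(domain, selector, mail_host):
    """Return {check_name: bool} for the four guidelines: SPF, DMARC, DKIM, reverse DNS."""
    findings = {}
    # SPF: exactly one v=spf1 record, ending in a fail/softfail qualifier for everyone else.
    spf = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    findings["spf_present"] = len(spf) == 1
    findings["spf_terminated"] = bool(spf) and spf[0].split()[-1] in ("-all", "~all")
    # DMARC: record at _dmarc.<domain> with an enforcing policy.
    dmarc = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.startswith("v=DMARC1")]
    tags = {}
    if dmarc:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
    findings["dmarc_present"] = bool(dmarc)
    findings["dmarc_enforcing"] = tags.get("p") in ("quarantine", "reject")
    # DKIM: a public key published under <selector>._domainkey.<domain>.
    dkim = lookup(f"{selector}._domainkey.{domain}", "TXT")
    findings["dkim_key_published"] = any("v=DKIM1" in r and "p=" in r for r in dkim)
    # Forward-confirmed reverse DNS: A -> PTR -> A must round-trip to the sending host.
    fcrdns = False
    for ip in lookup(mail_host, "A"):
        rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
        for ptr in lookup(rev, "PTR"):
            if ptr == mail_host and ip in lookup(ptr, "A"):
                fcrdns = True
    findings["fcrdns"] = fcrdns
    return findings
```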
1852  Other / Archival / Re: [BUG] Stake.com Future Betcashout let you cashout multiple amount on: May 09, 2020, 10:32:06 AM
I had earlier sent the full report with code and explanation on how the open parameters on forum.stake.com are leaking the csrfKey.

Nothing is being leaked. The CSRF Token is nothing which has to be kept secret from the client.
The Client always sees this token.

The point of this token is that some other website can't create that request on your behalf (because they would need this token for that).
And with proper HTTP access control, they can't access this token.



I found a cashout flaw which is bad for the reputation of stake sports betting system, though I was unsuccessful in withdrawing the amount

You were unsuccessful in withdrawing, because there is no vulnerability. All you did was manipulate the requests, which resulted in a visual representation of your manipulated requests (because it is being handled by JS).
Because of the (proper) server verification, you weren't able to withdraw.



Talked to the support and showed him the vulnerability live but he says to post on forum.

This is not a relevant vulnerability.
It just changes some visual representation client-side.

The server still does handle everything properly.



Leave the cashout, what if someone places bets on your behalf using your CSRF ?? : THE BET THAT YOU DON'T want to place??

That's not possible, because of the CSRF token.


Long story short:
  • Just changes visual representation client-side
  • No Cashout/Withdraw possible
  • Not a concerning Bug (just a visual one)
  • Not a vulnerability
  • Does not compromise the security in any way
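An added example, not stake.com's code (which is not public here): a minimal server-side cashout handler in Python showing the two points made above. The CSRF token is sent to the client on purpose and only has to stay unreadable by other origins, and any "amount" the client sends is ignored because the server recomputes the value and closes the bet after one payout. The names `csrfKey`, `cashout`, `place_bet` and the in-memory stores are assumptions.

```python
import hmac
import secrets

# Constructed in-memory stores; a real app would use its framework's session backend
# and a database. They stand in for the site's unknown internals.
SESSIONS = {}   # session id -> {"csrf": token, "balance": float}
BETS = {}       # bet id -> {"owner": session id, "cashout_value": float or None}


def new_session():
    """Create a session and its CSRF token. The token is handed to the browser on
    purpose: it must be unreadable to *other* origins, not to the user's own client."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_hex(32), "balance": 0.0}
    return sid


def place_bet(sid, cashout_value):
    """Record an open bet; its early-cashout value is computed server-side (constructed)."""
    bet_id = f"bet-{len(BETS) + 1}"
    BETS[bet_id] = {"owner": sid, "cashout_value": cashout_value}
    return bet_id


def cashout(cookie_sid, form):
    """Handle POST /cashout. `form` is the client-controlled body and is never trusted.
    Returns (HTTP status, message)."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401, "no session"
    # Cross-site request: another origin can make the browser attach the cookie but
    # cannot read the token from the page, so a forged request stops here.
    if not hmac.compare_digest(str(form.get("csrfKey", "")), sess["csrf"]):
        return 403, "csrf token mismatch"
    bet = BETS.get(form.get("bet_id"))
    if bet is None or bet["owner"] != cookie_sid or bet["cashout_value"] is None:
        return 400, "no open bet to cash out"
    # A tampered "amount" (or any other client-side figure) is ignored; the server
    # credits only the value it computed itself, and only once per bet.
    amount = bet["cashout_value"]
    bet["cashout_value"] = None          # closes the bet; a repeat request gets 400
    sess["balance"] += amount
    return 200, f"credited {amount}"


if __name__ == "__main__":
    user = new_session()
    bet = place_bet(user, 12.5)
    token = SESSIONS[user]["csrf"]
    print(cashout(user, {"bet_id": bet, "amount": "999999"}))                   # 403
    print(cashout(user, {"bet_id": bet, "csrfKey": token, "amount": "999999"}))  # 200
    print(cashout(user, {"bet_id": bet, "csrfKey": token}))                      # 400
```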
1853  Other / Beginners & Help / Re: How can anyone block coins or transaction in blockchain ?! on: May 09, 2020, 10:05:32 AM
Technically it depends on the cryptocurrency that we are talking about. If it were centralized then it is very easily possible, just like it is possible to block a PayPal account. For example, government coins such as Petro or centralized altcoins like XRP are in full control of their network. At any time they can block or even take any coins they want.

Sniffing a transaction (which implies a malicious 3rd party - not the owner of the network) is generally not possible. Not even with centralized coins like XRP.
Generally, an owner of the network can always block transactions. That's the same with bitcoin. If (and that's a really big if) all miners would collaborate, they can block single transactions.

With BTC that's obviously way less probable than with a centralized coin like XRP, although theoretically still possible.
1854  Bitcoin / Hardware wallets / Re: Is the hardware wallet really safe? on: May 09, 2020, 10:00:55 AM
And that's exactly what we have in practice, a very large number of old devices that are vulnerable to the point that they are hacked by kids who play with programs like BackTrack and hack WEP protection within minutes, or WPA2-PSK with WPS enabled within a few hours.

Actually I can't confirm that.
Since I work in the field of cyber security, I occasionally wardrive (basically scanning for wifi networks while walking/driving) out of curiosity.
A very small percentage (roughly less than 1%) is using WEP. The amount with WPS enabled is slightly higher, but definitely below 5%.

This might not be the case everywhere, but in my country that's what i could find out (not representative).

Even with Kali (the successor of Backtrack), a linux distribution designed for penetration testing, there isn't much you can do with the majority of Wifi networks.


However, I agree that with WPS enabled every somewhat techy kid could easily break into such a network. Checking the settings for WPS and obviously also choosing a strong (non-standard) password already adds quite some security.
1855  Local / Anfänger und Hilfe / Re: Brave Browser on: May 08, 2020, 05:40:44 PM
The Brave browser is overrated anyway.

There are already more than enough browsers based on Chromium. Firefox plus an ad blocker / HTTPS Everywhere and possibly NoScript does the job.
1856  Local / Anfänger und Hilfe / Re: Brave Browser on: May 08, 2020, 04:53:22 PM
Hey, does anyone know how to transfer the BAT from the Brave wallet to the Nano?
Do you have to verify yourself with Uphold to do that?

The following can be read at https://uphold.com/en/brave:

Verify your identity

In order to access your Brave balances, you will need to fully verify your identity on Uphold.

When starting the verification process, please have a valid government issued photo ID, and be ready to take a live selfie with your laptop or phone’s camera.

Seems like you have to do that, yes.
1857  Other / Meta / Re: Please explain the ban reason on: May 08, 2020, 04:45:51 PM
If this is not permission to discuss my ban, then what is it?

Appealing the ban in one single meta thread is fine.
But suchmoon pointed out that you are also posting in the local board, which might get you banned.

Just take a look at the forum guidelines:

[...]
25. Ban evasion (using or creating accounts while one of your accounts is banned) is not allowed.[e]
[...]
25. If you get banned (temporarily or permanently) and create a new account to continue posting / sending PMs, it's considered ban evasion. The only exception is creating a thread in Meta about your ban.
[...]
1858  Bitcoin / Electrum / Re: Electrum Ubuntu totally noob on: May 08, 2020, 04:39:25 PM
Almost the same question, but I'm using Lubuntu and it doesn't have the executable tick box. Any suggestions other than not using Lubuntu? Thx

I don't know exactly what the LXQt DE looks like, but there should be a drop-down menu for Access Control. You need to choose "View, Modify and Execute" for the Owner of that file.

But you can always achieve that via the command line too:
1. Open the terminal (usually something like ALT+CTRL+T)
2. Navigate to the directory where the .AppImage file is located (using cd and the folder it is located in).
3. Add execution permission to that .AppImage by executing chmod 744 filename.AppImage (replace "filename" with the actual filename)
1859  Other / Meta / Re: Please explain the ban reason on: May 08, 2020, 04:33:28 PM
You're evading your ban, which may get you a permanent one: https://bitcointalk.org/index.php?topic=5186616.msg54388899#msg54388899

I do this with the approval of the moderator


AFAIK there is no kind of permission to evade a ban.
If a moderator allows ban evasion, I really wonder how he even got to be a moderator. This seems sketchy.
1860  Bitcoin / Wallet software / Re: Which is the best cold wallet? on: May 08, 2020, 03:52:20 PM
~snip~

Fixed it, thank you.
I don't know what i was thinking while writing this.

My point was that, considering an online computer as the environment, generating the private key / seed locally on your PC without any unnecessary software (e.g. a downloaded website) is generally more secure.
Using the functions included in your OS to generate a private key is less prone to manipulation than using a website.

Same applies to offline creation.