Bitcoin Forum
Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs
100bitcoin (OP)
April 04, 2015, 04:10:34 PM
Last edit: April 27, 2015, 10:09:44 PM by 100bitcoin
 #1

Hello from 100bit.co.in. This is a new platform allowing buyers and sellers to directly exchange FIAT and Alt coins with each other against bitcoin. It is free to join the platform and the exchange cost per trade is 0.1% of the trade amount. We announced the start of our work on March 22, 2014 and now our BETA platform is ready. At this moment we are looking for some public testing to find some bugs that we might have missed. Please note that merely mentioning a few bugs won't earn you any bounty. You need to explain with an example in PM, and payment will be disbursed only after the bugs are fixed.

Some people have already received payment for finding bugs: https://bitcointalk.org/index.php?topic=1012209.msg11041920#msg11041920

Please follow this link & register => www.100bit.co.in/register.php



Please note that, right now, we are in early BETA. Also https is not yet implemented. So, it is recommended NOT to trade big volume for now.  If your country/currency is not in the list on registration page, please inform us here. Your feedback for any improvement is highly appreciated.

seoincorporation
April 04, 2015, 04:15:09 PM
 #2

Hello from 100bit.co.in. This is a new platform allowing buyers and sellers to directly exchange FIAT and Alt coins with each other against bitcoin. It is free to join the platform and the exchange cost per trade is 0.1% of the trade amount. We announced the start of our work on March 22, 2014 and now our BETA platform is ready. At this moment we are looking for some public testing to find some bugs that we might have missed.

Please follow this link & register => www.100bit.co.in/register.php



Please note that, right now, we are in early BETA. Also https is not yet implemented. So, it is recommended NOT to trade big volume for now.  If your country/currency is not in the list on registration page, please inform us here. Your feedback for any improvement is highly appreciated.

I'm testing the site now; if I find something I will let you know.

vishwaratna
April 04, 2015, 04:17:22 PM
 #3

Congrats for your site..
Any joining bonus??

Astargath
April 04, 2015, 04:19:36 PM
 #4

This is not a bug but it is incredibly annoying to register and log in. Why don't you just let people choose their username instead of sending an email to confirm registration and then another email with your id, which is only numbers?

100bitcoin (OP)
April 04, 2015, 04:30:34 PM
 #5


I'm testing the site now; if I find something I will let you know.

Thanks. The more people join, the better the testing will be. One needs to pick up an order placed by another.

Congrats for your site..
Any joining bonus??

Sorry... no joining bonus as such. :-\

This is not a bug but it is incredibly annoying to register and log in. Why don't you just let people choose their username instead of sending an email to confirm registration and then another email with your id, which is only numbers?

Sorry about the annoyance. It was in fact done on purpose, so as not to create a user id for those who put in a wrong email id for spamming. But thank you for pointing it out. Feel free to point out anything else that might appear to be annoying to you. If we can change that, we will definitely do so.

seoincorporation
April 04, 2015, 04:43:49 PM
 #6

OK, I finished the test and here is the report.

First of all, congrats for your site. It has a great look.

I just created an account, got 1 mail for the verification, and after that got another mail with the user to log in. The register and login system works great.

I took a look at the different pages on your site and only found one problem:

You don't have a captcha in the ticket "Create a New Support Ticket":

http://i57.tinypic.com/2j2eovl.png

If I use the next code, I can auto-post a ticket:

Code:
VERSION BUILD=8920312 RECORDER=FX
TAB T=1
URL GOTO=http://www.100bit.co.in/support.php
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:frmsearch ATTR=NAME:adtitle CONTENT=test01
TAG POS=1 TYPE=TEXTAREA FORM=NAME:frmsearch ATTR=NAME:ticket_desc CONTENT=test0011
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:frmsearch ATTR=NAME:ticket

And that means I can send you 1000 tickets if I want with a script. And I was thinking of doing it, but better to report it here :D

At the same time, I tested your site with nikto to find some vulns, but you don't have any vuln there.

Code:
[usr@localhost ~]$ nikto -h www.100bit.co.in
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          104.28.28.49
+ Target Hostname:    www.100bit.co.in
+ Target Port:        80
+ Start Time:         2015-04-04 10:22:52 (GMT-6)
---------------------------------------------------------------------------
+ Server: cloudflare-nginx
+ Cookie __cfduid created without the httponly flag
+ Uncommon header 'cf-ray' found, with contents: 1d1e5ac1ed8d1431-LAX
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'cloudflare-nginx' to '-nginx' which may suggest a WAF, load balancer or proxy is in place
+ 4197 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2015-04-04 10:28:24 (GMT-6) (332 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[usr@localhost ~]$

Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch.

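A captcha is one control for the unattended submission shown in the post above; a server-side limit on tickets per account and per address bounds the volume however the form is driven. The PHP below is an added example, not part of the thread and not 100bit's code: the class and function names, the limits, the account id and the IP address are assumptions, and only the field names adtitle and ticket_desc come from the macro in the post.

```php
<?php
declare(strict_types=1);

// Added illustration, not 100bit's code. It assumes tickets are filed by a
// logged-in account; the limits and status codes are example choices.

final class TicketThrottle
{
    /** @var array<string, int[]> submission times per key (account or IP) */
    private array $seen = [];
    private int $limit;
    private int $window;

    public function __construct(int $limit, int $windowSeconds)
    {
        $this->limit  = $limit;
        $this->window = $windowSeconds;
    }

    /** True if $key has made fewer than $limit submissions in the window. */
    public function hasRoom(string $key, int $now): bool
    {
        $cutoff = $now - $this->window;
        // Drop timestamps that have aged out of the sliding window.
        $this->seen[$key] = array_values(array_filter(
            $this->seen[$key] ?? [],
            static function (int $t) use ($cutoff): bool { return $t > $cutoff; }
        ));
        return count($this->seen[$key]) < $this->limit;
    }

    public function record(string $key, int $now): void
    {
        $this->seen[$key][] = $now;
    }
}

/** Returns [HTTP status, message] for one POST to the ticket form. */
function handleTicketPost(
    TicketThrottle $throttle,
    string $accountId,
    string $clientIp,
    array $post,
    int $now
): array {
    $title = trim((string) ($post['adtitle'] ?? ''));
    $desc  = trim((string) ($post['ticket_desc'] ?? ''));
    if ($title === '' || $desc === '' || strlen($title) > 120 || strlen($desc) > 4000) {
        return [422, 'invalid ticket'];
    }
    // Check every key before recording, so a refused request does not
    // consume quota on the key that still had room.
    $keys = ['acct:' . $accountId, 'ip:' . $clientIp];
    foreach ($keys as $key) {
        if (!$throttle->hasRoom($key, $now)) {
            return [429, 'too many tickets, try again later'];
        }
    }
    foreach ($keys as $key) {
        $throttle->record($key, $now);
    }
    return [201, 'ticket created'];
}

// Constructed replay: the same form post arriving once per second for 1000 s.
// Account id, IP (documentation range) and start time are made-up values.
$throttle = new TicketThrottle(3, 600);   // 3 tickets per 10 minutes
$tally = [];
for ($i = 0; $i < 1000; $i++) {
    [$status] = handleTicketPost(
        $throttle,
        '100234',
        '203.0.113.7',
        ['adtitle' => 'test01', 'ticket_desc' => 'test0011'],
        1428164572 + $i
    );
    $tally[$status] = ($tally[$status] ?? 0) + 1;
}
ksort($tally);
foreach ($tally as $status => $n) {
    echo "HTTP $status: $n\n";
}
```

In a deployment the timestamps would live in a database table or cache shared by all web workers rather than in a PHP array.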
MagicSnow
April 04, 2015, 05:06:55 PM
 #7

Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch.

mmh no the website is vulnerable to XSS and SQL injection
seoincorporation
April 04, 2015, 05:29:46 PM
 #8

OK, I finished the test and here is the report.

First of all, congrats for your site. It has a great look.

I just created an account, got 1 mail for the verification, and after that got another mail with the user to log in. The register and login system works great.

I took a look at the different pages on your site and only found one problem:

You don't have a captcha in the ticket "Create a New Support Ticket":

http://i57.tinypic.com/2j2eovl.png

If I use the next code, I can auto-post a ticket:

Code:
VERSION BUILD=8920312 RECORDER=FX
TAB T=1
URL GOTO=http://www.100bit.co.in/support.php
TAG POS=1 TYPE=INPUT:TEXT FORM=NAME:frmsearch ATTR=NAME:adtitle CONTENT=test01
TAG POS=1 TYPE=TEXTAREA FORM=NAME:frmsearch ATTR=NAME:ticket_desc CONTENT=test0011
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:frmsearch ATTR=NAME:ticket

And that means I can send you 1000 tickets if I want with a script. And I was thinking of doing it, but better to report it here :D

At the same time, I tested your site with nikto to find some vulns, but you don't have any vuln there.

Code:
[usr@localhost ~]$ nikto -h www.100bit.co.in
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          104.28.28.49
+ Target Hostname:    www.100bit.co.in
+ Target Port:        80
+ Start Time:         2015-04-04 10:22:52 (GMT-6)
---------------------------------------------------------------------------
+ Server: cloudflare-nginx
+ Cookie __cfduid created without the httponly flag
+ Uncommon header 'cf-ray' found, with contents: 1d1e5ac1ed8d1431-LAX
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'cloudflare-nginx' to '-nginx' which may suggest a WAF, load balancer or proxy is in place
+ 4197 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2015-04-04 10:28:24 (GMT-6) (332 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[usr@localhost ~]$

Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch.

Only include a captcha on that "Create a New Support Ticket" section, and your site will be ready for the launch.

mmh no the website is vulnerable to XSS and SQL injection

I found another big problem.

Users can inject code in http://www.100bit.co.in/settings.php > About me.


http://i59.tinypic.com/2rxcxet.png

100bitcoin (OP)
April 04, 2015, 05:30:55 PM
 #9

Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.

MagicSnow
April 04, 2015, 05:35:25 PM
 #10

Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.

Thank you, btw the message from "seoincorporation" was sent after my PMs (listing more vulnerabilities and in detail)
geforcelover
April 04, 2015, 05:36:43 PM
 #11

Your site is looking great. Well, I checked the site but I found no bug unfortunately, and that means your site is out of bugs. The users above ^^ found the bugs; further ones I can't find. As it is a buying and selling platform you should add 2FA or something else. I see that it is not so protected, and the security level is too low. Also, I just registered my account but now I'm unable to log in, don't know why. I don't know if that's a bug or what it is.
Astargath
April 04, 2015, 05:38:53 PM
 #12

I'm on the phone so I don't know if the site is optimized for mobiles (I'm on iPhone), but every time I log in and have to type the captcha it always says wrong captcha the first time, then the second time it works. I've tried it 6 times and it's always the same: the first time it says incorrect captcha, then it works.

seoincorporation
April 04, 2015, 05:39:19 PM
 #13

Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.

I sent you my addy in a PM. The problems I found:

1.-No captcha in the "Create a New Support Ticket"
2.-Can inject code on "http://www.100bit.co.in/settings.php > About me"

I made some tests and didn't find a vuln for XSS

Code:
[usr@localhost ~]$ nmap -p80 --script http-stored-xss www.100bit.co.in

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-04 11:18 CST
Nmap scan report for www.100bit.co.in (104.28.29.49)
Host is up (0.071s latency).
Other addresses for www.100bit.co.in (not scanned): 104.28.28.49
PORT   STATE SERVICE
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

And about SQL injection I'm not sure.

seoincorporation
April 04, 2015, 06:14:32 PM
Last edit: April 04, 2015, 06:41:39 PM by seoincorporation
 #14

Found another one.

I can inject code in: http://www.100bit.co.in/order.php > Preferred payment mode (optional):



http://i62.tinypic.com/vq5jlf.png



http://i59.tinypic.com/wmf983.png

I made a test with <a href="http://cash.com">Cash</a>, and in the second try I tested with <img src="...">.

***UPDATE***

I can inject code in the Ticket support too...

franckuestein
April 04, 2015, 06:41:19 PM
 #15

Hi devs and congrats for the site!
I was trying the most common things that a "normal" user would do with your site and I've found some interesting details.



This is not a bug, but first of all, take a look at the "Lost you password" page. There's a mistake because it's Forgot Password and not Forgot Passowrd :D (in the header and in the button).


Then, once I registered my account I've received two direct messages on my mail account; you have to solve this automated messages problem. Maybe people receive more than one when they submit the registration form ;)

Another thing:
If you try to log in with the ID that you wrote on the registration form and not with the ID specified in the email, you're going to see this warning:


"The email address is already registered with us"
This message is the one that pops up in case you try to register with an email address that's been registered before, not when you try to log in.

As well, IMO users have to be able to log in with their ID and not with the code (numbers) that they receive on their mail account.

And the last thing :)
I've tried to put in the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage.



Hope to help you! :P
Good luck 100bit team!

Astargath
April 04, 2015, 06:55:25 PM
 #16

In the country selection option why are there so few countries to choose from? And why does it say Europe as a country?

100bitcoin (OP)
April 04, 2015, 06:58:11 PM
 #17


I've tried to put in the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage.



Hope to help you! :P
Good luck 100bit team!

Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text boxes. All of them will be fixed ASAP.

Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ?
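The injection reported in this thread (About me, Preferred payment mode, ticket text) is closed at the point where the stored value is written into the page. The PHP below is an added example, not part of the thread and not the site's code, showing the failing pattern beside output encoding with htmlspecialchars(); the function names and array keys are assumptions, and the first two sample values are the ones from the report above.

```php
<?php
declare(strict_types=1);

// Added illustration, not 100bit's code. Array keys such as 'about_me' and
// 'payment_mode' are assumed names for the fields reported in the thread.

/** Encode untrusted text for an HTML element body or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The failing pattern: the stored value is emitted as markup. */
function renderAboutUnsafe(array $user): string
{
    return '<div class="about">' . $user['about_me'] . '</div>';
}

/** Same block with the value encoded when it is written into the page. */
function renderAbout(array $user): string
{
    // nl2br() runs after encoding, so the only tags in the output are the
    // <br> elements it inserts for the user's own line breaks.
    return '<div class="about">' . nl2br(e($user['about_me'])) . '</div>';
}

/** Order row: the value is used in a quoted attribute and in the cell body. */
function renderOrderRow(array $order): string
{
    $mode = e($order['payment_mode']);
    return '<tr><td class="pay-mode" title="' . $mode . '">' . $mode . '</td></tr>';
}

/** Count start tags from $tags that appear as live markup in $html. */
function countLiveTags(string $html, array $tags): int
{
    $count = 0;
    foreach ($tags as $tag) {
        $count += (int) preg_match_all('/<' . preg_quote($tag, '/') . '\b/i', $html);
    }
    return $count;
}

// The first two values are the ones from the report; the third is constructed.
$samples = [
    '<a href="http://cash.com">Cash</a>',
    '<img src="...">',
    "Bank transfer\n\"same day\" only",
];

foreach ($samples as $value) {
    $unsafe = renderAboutUnsafe(['about_me' => $value]);
    $safe   = renderAbout(['about_me' => $value])
            . renderOrderRow(['payment_mode' => $value]);
    printf(
        "%-42s live tags: unsafe=%d encoded=%d\n",
        json_encode($value),
        countLiveTags($unsafe, ['a', 'img']),
        countLiveTags($safe, ['a', 'img'])
    );
}
```

Encoding at output time also covers values that were stored before the fix, which filtering only at submission would miss.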

Roberson
April 04, 2015, 07:02:05 PM
 #18

ERROR FOUND!

http://www.100bit.co.in/recover.php

When you enter an email which doesn't already exist (no account made using it) then it says error; instead it should say: no account found with this email.

I get this page when I put in a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw
seoincorporation
April 04, 2015, 07:04:36 PM
 #19


I've tried to put in the simple code that @seoincorporation shared before and you can inject code while submitting a ticket to 100bit support. So that's a problem that isn't just in the "About me" and buy orders text-box. Revise it to secure your webpage.



Hope to help you! :P
Good luck 100bit team!

Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text boxes. All of them will be fixed ASAP.

Can you please tell us which buy orders text-box you mean here ? Is it the Preferred payment mode you are talking about ?



http://i62.tinypic.com/vq5jlf.png

I'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection.

sbankerdemon
April 04, 2015, 07:22:59 PM
 #20

I found an XSS in your website and maybe an SQLi too..... So are they already reported and you are in the process of patching those, or are they not reported???
