Bitcoin Forum
Topic: 1Broker.com - Vulnerability & bug bounty
marticps, April 11, 2013, 10:18:26 PM, #41 (last edit: April 11, 2013, 10:58:38 PM by marticps)

About the UI, you should edit the CSS a bit. You should add an ALT attribute to the images in order to help textual browsers, search engines, etc. and improve accessibility (that's very important).

Also, you should avoid the use of presentation tags in HTML, since you should use HTML only for semantics and CSS for presentation.

Here are two lists of design errors you have on your website:
http://validator.w3.org/check?uri=https%3A%2F%2F1broker.com%2F&charset=%28detect+automatically%29&doctype=Inline&group=0
http://try.powermapper.com/Reports/7a211e9d-1ed9-4b5b-8194-7da9afccb2ae/report/map.htm

For me, the most important ones are the following (some of them are repeated):

  • Line 1045, Column 102: An img element must have an alt attribute, except under certain conditions. For details, consult guidance on providing text alternatives for images. In this case (the social network buttons and the site seal) it is really important!
  • Don't use generic link labels like "click here" or "read more" because they're hard to tell apart when users scan a page.
  • The form has fields without a LABEL or TITLE attribute.
  • The page has no H1 tag.
  • Line 987, Column 8: The center element is obsolete. Use CSS instead. All presentation tags should be in CSS.
  • Line 1135, Column 71: The value of the border attribute on the table element must be either 1 or the empty string. To regulate the thickness of table borders, use CSS instead.

All these errors in the website design will give you a lower Google rank and will make it difficult for users to navigate the site. (Most of the errors are about accessibility and SEO.)
Hope I helped you. BTW, if you need help with web design, I can help you. For some references, check the website on my profile.

exxe (OP), April 12, 2013, 07:55:28 PM, #42

Quote from: marticps
Also, you should avoid the use of presentation tags in HTML, since you should use HTML only for semantics and CSS for presentation.
Yes, I'm aware that the website is far from perfect in this area. I will work on this a little bit, but there is simply not enough time to make it how it should be (at least not in the near future).
Dron007, April 12, 2013, 09:19:07 PM, #43

Quote from: exxe
Will be fixed in the next update. Since this statistically only causes a small bug in every 4500th registration, I hope you are okay if I don't pay a reward for this.  Tongue
Ok. That is really a minor problem. There is one more minor thing. One can use SQL LIKE template characters in the search field (% and _). It is more like a feature, but as it is not documented, somebody could think the search is not working as expected, entering '100%' but receiving the same as for '100'.
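The behaviour Dron007 describes, as an added example that is not part of the thread and not 1Broker's code: a search query that is properly parameterized (so this is not SQL injection) still hands the user's `%` and `_` to LIKE as wildcards, which is why '100%' returns the same rows as '100'. The hardened version escapes both characters and the escape character itself and declares the escape character with an ESCAPE clause. The table and rows are constructed for the demonstration; SQLite is used only because it ships with Python, and the same ESCAPE clause works in PostgreSQL and MySQL.

```python
import sqlite3

# Constructed sample rows (assumption: a table of tradable asset names; not 1Broker's data).
SAMPLE_ASSETS = ["Gold 100", "Silver 1000", "100% Equity Index", "Oil_100", "Oil 100"]

LIKE_ESCAPE = "\\"


def escape_like(term, esc=LIKE_ESCAPE):
    """Escape the LIKE metacharacters % and _ (and the escape character itself)
    so that the term is matched literally when the query carries ESCAPE '<esc>'."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO assets (name) VALUES (?)",
                     [(n,) for n in SAMPLE_ASSETS])
    return conn


def search_raw(conn, term):
    """Undocumented-wildcard behaviour: the query is parameterized (no SQL
    injection), but % and _ inside the user's term still act as LIKE wildcards."""
    rows = conn.execute(
        "SELECT name FROM assets WHERE name LIKE ? ORDER BY name",
        ("%" + term + "%",),
    )
    return [r[0] for r in rows]


def search_literal(conn, term):
    """Hardened version: wildcards in the term are escaped and the ESCAPE clause
    tells the database which character introduces a literal % or _."""
    rows = conn.execute(
        "SELECT name FROM assets WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        ("%" + escape_like(term) + "%",),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for term in ("100%", "Oil_100"):
        print(repr(term), "raw:", search_raw(db, term),
              "literal:", search_literal(db, term))
```

Run it directly to see the two behaviours side by side: the raw search for '100%' returns every row containing "100", the literal search returns only the row that actually contains "100%". As the thread says this is mostly a usability issue, but unescaped wildcards also let a caller match patterns the form never offered (an '_'-only term matches everything of that length), so search inputs are normally escaped even when the query itself is parameterized.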
starsoccer9, April 12, 2013, 09:41:46 PM, #44

Found a problem relating to having a negative balance.
exxe (OP), April 12, 2013, 10:40:18 PM, #45

Quote from: Dron007
There is one more minor thing. One can use SQL LIKE template characters in the search field (% and _). It is more like a feature, but as it is not documented, somebody could think the search is not working as expected, entering '100%' but receiving the same as for '100'.
Yeah, I'll leave it as it is.

Quote from: starsoccer9
Found a problem relating to having a negative balance.
This is working as intended. Leveraged positions which stay open overnight/over the weekend can be force-closed with negative values and can therefore lead to negative account balances. We can't/won't force people to give us the Bitcoins they owe us, but if they want to use 1Broker again they have to. (Double accounts violate the TOS)
spudy12, April 12, 2013, 11:54:19 PM, #46

The activation email ends up in the spam folder, for Hotmail and Gmail anyway.

The activation email link says invalid if opened from another tab; however, if you go back to the original tab you can sign in. Just thought I'd point this out.

When you type in the amount to withdraw, it goes green whatever the amount, regardless of whether you have the funds or not. Not exactly a bug, but it could confuse some people?


Possibly a theme on Twitter that better matches your website? (The website one is really cool by the way, looks very professional.)


On the CFDs page (https://1broker.com/?c=cfds) next to gold you have this
Quote
Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts since long before the beginning of recorded history.
Doesn't quite read right for me; possibly something like this is better..
Quote
Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts since the beginning of recorded history.
OR
Quote
Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts long before the beginning of recorded history.

Apart from that, it looks and feels like a very professional site.

BitCoins06, April 13, 2013, 08:13:20 AM, #47

Hi, I found 2 XPath injections

on https://1broker.com/?c=password_forgotten1
&
   https://1broker.com/?c=register

I will provide the parameter (the exploit) via PM for more info


exxe (OP), April 14, 2013, 10:01:32 PM, #48

Thanks for your input spudy12.

I've updated the mail functions so hopefully it works now. I also changed the description for the gold CFD.


Quote from: BitCoins06
Hi, I found 2 XPath injections

on https://1broker.com/?c=password_forgotten1
&
   https://1broker.com/?c=register

I will provide the parameter (the exploit) via PM for more info
I've not received a PM from you. In general I would be really surprised if you found a vulnerability in this area.
Even if you found a bug, it is necessary to report it privately if you want a reward (and publish no details before warning me; this should be obvious).

Don't get me wrong, but such posts can destroy our image of a secure trading platform. You should remove it.

best regards.
Remember remember the 5th of November, April 16, 2013, 04:28:25 AM, #49

Quote from: exxe
Thanks for your input spudy12.

I've updated the mail functions so hopefully it works now. I also changed the description for the gold CFD.

Quote from: BitCoins06
Hi, I found 2 XPath injections

on https://1broker.com/?c=password_forgotten1
&
   https://1broker.com/?c=register

I will provide the parameter (the exploit) via PM for more info
I've not received a PM from you. In general I would be really surprised if you found a vulnerability in this area.
Even if you found a bug, it is necessary to report it privately if you want a reward (and publish no details before warning me; this should be obvious).

Don't get me wrong, but such posts can destroy our image of a secure trading platform. You should remove it.

best regards.
Well, if there's a bug, a security hole, then obviously it's not really secure. But don't misinterpret my post. You shouldn't hide it if you have security holes, but accept it and fix them. Wink

exxe (OP), April 16, 2013, 09:34:46 AM, #50

Quote from: Remember remember the 5th of November
Well, if there's a bug, a security hole, then obviously it's not really secure. But don't misinterpret my post. You shouldn't hide it if you have security holes, but accept it and fix them. Wink
I don't want to hide anything, but what the user is saying is not true.
The thing is that we don't even use XML or XPath.

I suspect that he ran the Acunetix security scan and the software flagged these structures as potential vulnerabilities (which are obviously false positives):
https://1broker.com/?c=password_forgotten1
https://1broker.com/?c=password_forgotten2

and

https://1broker.com/?c=register
https://1broker.com/?c=register2
https://1broker.com/?c=register3


Nothing to fix here.

best regards.
Tekkna, April 16, 2013, 04:48:09 PM, #51

OP seems to know what he's doing, I doubt there are any bugs in it right now.

The only mistakes so far are small English grammar errors.


exxe (OP), April 17, 2013, 11:27:09 AM, #52

Quote from: spudy12
Activation email ends up in the spam folder, for hotmail and gmail anyway..
Found the problem: the DNS SPF record only allows the IP address of 1broker.com to send mail, but 1broker.com does not resolve to an IPv6 address and Postfix used IPv6 to send mail.

This was a tricky one.  Tongue
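The SPF failure exxe describes, as an added example that is not part of the thread and not 1Broker's code: a minimal evaluator for the subset of SPF (RFC 7208) involved, with constructed DNS data standing in for 1broker.com's real records (the addresses and the `v=spf1 a -all` record are assumptions). Per RFC 7208 the `a` mechanism is checked against the A records for an IPv4 connection and the AAAA records for an IPv6 connection, so a record that only names the domain never matches an IPv6 sender when the domain has no AAAA record, and `-all` then produces a hard fail, which is what lands the mail in spam. The `diagnose` function shows the published record failing and two ways to fix it: adding an `ip6:` mechanism or publishing an AAAA record for the host.

```python
import ipaddress

# Constructed DNS data mirroring the situation in the post (assumed values, not
# 1broker.com's real records): the domain has an A record but no AAAA record,
# while the mail server connects over IPv6.
DNS = {
    "1broker.com": {
        "A": ["192.0.2.10"],
        "AAAA": [],
        "TXT": ["v=spf1 a -all"],
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    """Resolve a name in the constructed DNS table (empty list if absent)."""
    return dns.get(name, {}).get(rtype, [])


def check_spf(sender_ip, domain, dns=DNS, spf_record=None):
    """Evaluate the SPF record for `domain` against the connecting `sender_ip`.

    Supports the subset of RFC 7208 needed here: the ip4, ip6 and a mechanisms
    plus the all terminator, each with an optional +/-/~/? qualifier.  Macros,
    include, mx, ptr, exists and CIDR suffixes on 'a' are not implemented.
    Returns one of "none", "pass", "fail", "softfail", "neutral".
    """
    ip = ipaddress.ip_address(sender_ip)
    if spf_record is None:
        spf_record = next((t for t in lookup(dns, domain, "TXT")
                           if t.startswith("v=spf1")), None)
    if spf_record is None:
        return "none"

    for term in spf_record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            # RFC 7208: 'a' is matched against A records for an IPv4 connection
            # and AAAA records for an IPv6 connection.  With no AAAA record an
            # IPv6 sender can never match it, and evaluation falls through to -all.
            rtype = "A" if ip.version == 4 else "AAAA"
            addrs = lookup(dns, arg or domain, rtype)
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        else:
            raise ValueError("unsupported SPF mechanism: " + mech)

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def diagnose(sender_ip, domain="1broker.com"):
    """Results for the record as published and for two candidate fixes
    (the IPv6 address used here is an assumption)."""
    fixed_dns = {domain: dict(DNS[domain], AAAA=["2001:db8::10"])}
    return {
        "as_published": check_spf(sender_ip, domain),
        "with_ip6_mechanism": check_spf(sender_ip, domain,
                                        spf_record="v=spf1 a ip6:2001:db8::10 -all"),
        "with_aaaa_record": check_spf(sender_ip, domain, dns=fixed_dns),
    }


if __name__ == "__main__":
    print("IPv4 sender:", check_spf("192.0.2.10", "1broker.com"))
    print("IPv6 sender:", diagnose("2001:db8::10"))
```

A third option is to keep Postfix on IPv4 (`inet_protocols = ipv4` in main.cf) so that the published record and the address the MTA actually connects from agree. Whichever fix is chosen, the check is the same: every address the MTA can connect from, in both address families, must be covered by a mechanism before `-all`.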