Bitcoin Forum
December 13, 2024, 10:27:41 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: EmpireCoin: Bug bounty program  (Read 1542 times)
joey.rich (OP)
Member
**
Offline Offline

Activity: 124
Merit: 16


View Profile WWW
August 10, 2016, 09:36:30 AM
Last edit: August 16, 2016, 08:16:29 AM by joey.rich
 #1



EmpireCoin: Bug Bounty Program

EmpireCoin is an open source gaming & blockchain prediction market platform.  For more information about this project, check the following threads:
EmpireCoin pre-announcement
Mock Election 2016
Free game: Red vs Blue

To guarantee the security of this platform, we are offering the following bug bounties:

0.5 BTC - Remove bitcoins from an EmpireCoin.org escrow account.
0.1 - 1 BTC - Demonstrate a vulnerability in the empirecoin-web source code

In order to receive the bounty, you must describe your exploit so that it can be fixed.

EmpireCoin uses the bitcoin-sci library to generate Bitcoin escrow addresses.  Details on escrowed funds are available on pages like this:
http://empirecoin.org/mock-election-2016/?action=show_escrow

The EmpireCoin source code is available here:
http://github.com/TeamEmpireCoin/empirecoin-web
KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
August 10, 2016, 07:24:32 PM
 #2

Asking for 1BTC for this potential SQL injection input :

Send the btc to 1KingZeeW97uLvngcUA3R6QJx18Fn78ddb, or let's use an escrow (My preference : Blazed) so I can send you the link, and the injection syntax and entry point.

Beep boop beep boop
joey.rich (OP)
Member
**
Offline Offline

Activity: 124
Merit: 16


View Profile WWW
August 10, 2016, 08:08:42 PM
 #3

Hi KingZee,

I had a problem where my VPS disk was full around the time you posted this, so I suspect that's what could have caused this error message.  If it really is a SQL injection and you can demo how to replicate, I can send you 0.2 BTC.
KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
August 10, 2016, 08:36:52 PM
 #4

Hi KingZee,

I had a problem where my VPS disk was full around the time you posted this, so I suspect that's what could have caused this error message.  If it really is a SQL injection and you can demo how to replicate, I can send you 0.2 BTC.

The error wasn't fixed, it's still up, it has nothing to do with your server's disk, it's in the webapp.

This error compromises your whole database, I'm not obliged to give you the injection link, you can spend time and funds to find it yourself, or send me 1 BTC.

Beep boop beep boop
BilalHIMITE
Full Member
***
Offline Offline

Activity: 159
Merit: 100


View Profile
August 10, 2016, 08:55:26 PM
 #5

Detected SQL Injection Vulnerability : http://imgur.com/a/jBcfS
Trying to get further in.
KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
August 10, 2016, 09:01:36 PM
 #6

Detected SQL Injection Vulnerability : http://imgur.com/a/jBcfS
Trying to get further in.

Looks like another hole different from mine. But yes, all you need is time on your hand to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

Beep boop beep boop
BilalHIMITE
Full Member
***
Offline Offline

Activity: 159
Merit: 100


View Profile
August 10, 2016, 09:13:52 PM
 #7

Detected SQL Injection Vulnerability : http://imgur.com/a/jBcfS
Trying to get further in.

Looks like another hole different from mine. But yes, all you need is time on your hand to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

Yes, he doesn't understand that.

I can send commands to the SQL, but I can't get data back.
joey.rich (OP)
Member
**
Offline Offline

Activity: 124
Merit: 16


View Profile WWW
August 11, 2016, 08:22:28 AM
Last edit: August 11, 2016, 03:41:51 PM by joey.rich
 #8

Detected SQL Injection Vulnerability : http://imgur.com/a/jBcfS
Trying to get further in.

Looks like another hole different from mine. But yes, all you need is time on your hand to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

Yes, he doesn't understand that.

I can send commands to the SQL, but I can't get data back.

I've been writing web applications for a long time and certainly understand SQL injections.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (ie the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.
KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
August 11, 2016, 08:49:04 AM
 #9


I've been writing web applications for a long time and certainly understand the risk of SQL injections aka the simplest exploit out there.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (ie the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.

Well good to know then. There's still an injection in the link I found. My offer still stands if you want to know the link. You also might want to salt or increase the security of the passwords you store, unsalted SHA-256 sent over an unencrypted request is not very secure.

Beep boop beep boop
Joel_Jantsen
Legendary
*
Offline Offline

Activity: 2072
Merit: 1353


Top-tier crypto casino and sportsbook


View Profile
August 11, 2016, 09:51:20 AM
Last edit: August 11, 2016, 10:29:59 AM by Joel_Jantsen
 #10

Well good to know then. There's still an injection in the link I found. My offer still stands if you want to know the link. You also might want to salt or increase the security of the passwords you store, unsalted SHA-256 sent over an unencrypted request is not very secure.
How about I fix that error for you @OP ? I can give you a solution  to reject all the external access with the most "easiest" query out there ,like the one mentioned by KInzee.My pen testing tools are on the work!I should report you if I come across any more vulnerabilities!

EDIT : Does ddos attacks counts ?

Zoomer
Hero Member
*****
Offline Offline

Activity: 658
Merit: 500



View Profile
August 11, 2016, 10:07:10 AM
 #11

Would it not be a lot cheaper and maybe more safe if you try to hire a professional service for this?

I could be wrong but i think it's really the best and even quicker option since they also offer to fix the issues!

Because what if someone really find a big hole and he will keep it and not tell you, and then use it once there is a lot cash to steal?
BilalHIMITE
Full Member
***
Offline Offline

Activity: 159
Merit: 100


View Profile
August 11, 2016, 02:14:33 PM
 #12

Detected SQL Injection Vulnerability : http://imgur.com/a/jBcfS
Trying to get further in.

Looks like another hole different from mine. But yes, all you need is time on your hand to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

Yes, he doesn't understand that.

I can send commands to the SQL, but I can't get data back.

I've been writing web applications for a long time and certainly understand the risk of SQL injections aka the simplest exploit out there.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (ie the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.


15YnqdubKqeq3v7RVaV38Qk7FrvLpvZ5vG

Sended a PM also.
joey.rich (OP)
Member
**
Offline Offline

Activity: 124
Merit: 16


View Profile WWW
August 11, 2016, 03:55:12 PM
 #13

Well good to know then. There's still an injection in the link I found. My offer still stands if you want to know the link. You also might want to salt or increase the security of the passwords you store, unsalted SHA-256 sent over an unencrypted request is not very secure.
How about I fix that error for you @OP ? I can give you a solution  to reject all the external access with the most "easiest" query out there ,like the one mentioned by KInzee.My pen testing tools are on the work!I should report you if I come across any more vulnerabilities!

EDIT : Does ddos attacks counts ?

Thanks for the suggestion, I will implement salt & server side hashing soon.

You are welcome to submit a PR if you'd like but I'm not willing to put a bounty for that change.

DDOS is not eligible as it is not a vulnerability within the empirecoin-web source code.
joey.rich (OP)
Member
**
Offline Offline

Activity: 124
Merit: 16


View Profile WWW
August 11, 2016, 03:57:49 PM
 #14

15YnqdubKqeq3v7RVaV38Qk7FrvLpvZ5vG

Sended a PM also.

I have sent the 0.1 BTC, nice job finding this.
BilalHIMITE
Full Member
***
Offline Offline

Activity: 159
Merit: 100


View Profile
August 11, 2016, 04:20:25 PM
 #15

15YnqdubKqeq3v7RVaV38Qk7FrvLpvZ5vG

Sended a PM also.

I have sent the 0.1 BTC, nice job finding this.

Thanks joey.rich.
Looking for more vulnerabilities.
BilalHIMITE
Full Member
***
Offline Offline

Activity: 159
Merit: 100


View Profile
August 11, 2016, 04:32:24 PM
 #16

...I will implement salt & server side hashing soon. ...

I highly recommend you to use secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. wireshark).
Patatas
Legendary
*
Offline Offline

Activity: 1750
Merit: 1115

Providing AI/ChatGpt Services - PM!


View Profile
August 11, 2016, 04:51:08 PM
 #17

...I will implement salt & server side hashing soon. ...

I highly recommend you to use secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. wireshark).
Wireshark won't detect the passwords if it is converted to hashes after the onsubmit event.Though there is no need to use HTTPS for that specific purpose,you can use it for 100 other reasons anyway.On a side note,do implement DDos preventing mechanisms.What's the point of making your website 100% accurate when it just won't take the load of the bots ? Trust me,Ddos is one of the most often and primary attacks to take down your site!
joey.rich (OP)
Member
**
Offline Offline

Activity: 124
Merit: 16


View Profile WWW
August 11, 2016, 05:08:30 PM
 #18

...I will implement salt & server side hashing soon. ...

I highly recommend you to use secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. wireshark).

I will still keep the client side hashing but then hash & salt on server side.

Wireshark won't detect the passwords if it is converted to hashes after the onsubmit event.Though there is no need to use HTTPS for that specific purpose,you can use it for 100 other reasons anyway.On a side note,do implement DDos preventing mechanisms.What's the point of making your website 100% accurate when it just won't take the load of the bots ? Trust me,Ddos is one of the most often and primary attacks to take down your site!

As we saw in the Heartbleed bug, encrypting with HTTPS is not necessarily secure; better to hash passwords on the client side first.

My webhost does provide some DDOS protection, I'm not sure how much though.  To handle DOS, this will soon be a P2P web app with many nodes.
BilalHIMITE
Full Member
***
Offline Offline

Activity: 159
Merit: 100


View Profile
August 11, 2016, 05:26:52 PM
 #19

...I will implement salt & server side hashing soon. ...

I highly recommend you to use secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. wireshark).

I will still keep the client side hashing but then hash & salt on server side.

Wireshark won't detect the passwords if it is converted to hashes after the onsubmit event.Though there is no need to use HTTPS for that specific purpose,you can use it for 100 other reasons anyway.On a side note,do implement DDos preventing mechanisms.What's the point of making your website 100% accurate when it just won't take the load of the bots ? Trust me,Ddos is one of the most often and primary attacks to take down your site!

As we saw in the Heartbleed bug, encrypting with HTTPS is not necessarily secure; better to hash passwords on the client side first.

My webhost does provide some DDOS protection, I'm not sure how much though.  To handle DOS, this will soon be a P2P web app with many nodes.

You can use Cloudflare for DDOS protection, SSL (HTTPS), and Powerful stats about your visitors. Starting from $0.
KingZee
Sr. Member
****
Offline Offline

Activity: 952
Merit: 452


Check your coin privilege


View Profile
August 11, 2016, 06:36:32 PM
 #20

I guess you really don't care about the SQL injection vector that's still up. Or you think I'm joking. Suit yourself.

Beep boop beep boop
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!