Bitcoin Forum
Author Topic: Can you hack my game?  (Read 1870 times)
romsa9 (OP)
August 10, 2013, 04:41:26 AM
 #1

I've spent the last month developing a bitcoin tower defense game in html5/js/node.js..
Essentially you play 1v1 with some other player for a wager (or free).
It's currently running on testnet bitcoins; you can get some free testcoins from one of the faucets (link on the /account page).

Right now everything appears to run smoothly, but I know there's probably something I have overlooked.
If anyone has any interest in flexing their hacker muscles, please HACK MY GAME. I want to be convinced that the service is safe for use with real BTC. I don't have any prize money right now, but I'll be sure to reward you for any found exploits!

So far I've gotten some great feedback from bitcoin testers from /r/bitcoin regarding this project. I am pleased how many people were excited about it. It was quite unstable at that point, with xss issues, frequent crashes, etc. It's been quite battle-hardened now.

For those of you who have played it earlier, there have been a few updates:

- Games get saved to database and persist in case of server crash or update. Upon an update/reset, all active games get paused.
- Sessions persist so crashes are virtually unnoticeable.

The # of games is unlimited right now; I'm trying to see how many games can be persisted at a time.

LINK: http://www.bitstrat.com

Any advice/feedback/questions welcome!

K1773R
August 10, 2013, 09:28:38 AM
 #2

Set up SSL ;) Self-signed is perfect, just post the hashes here and optionally GPG sign it :)

[GPG Public Key]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN

BombaUcigasa
August 10, 2013, 09:34:18 AM
 #3

Quote from: K1773R
Set up SSL ;) Self-signed is perfect, just post the hashes here and optionally GPG sign it :)
Or you could buy a $5 SSL cert on namecheap with bitcoins ;)

Or are you referring to a downloadable version?

K1773R
August 10, 2013, 09:53:43 AM
 #4

Quote from: BombaUcigasa
Or you could buy a $5 SSL cert on namecheap with bitcoins ;)

Or are you referring to a downloadable version?
I trust a self-signed one more than a bought one: with a self-signed cert, only someone who hacks him can make fake certs; if you buy it, tons of organizations and people can create fake certs...


smirno
August 10, 2013, 01:57:26 PM
 #5

Quote from: K1773R
Set up SSL ;) Self-signed is perfect, just post the hashes here and optionally GPG sign it :)

AHA, nothing more secure than self-signed :D

romsa9 (OP)
August 10, 2013, 03:16:38 PM
 #6

Quote from: K1773R
I trust a self-signed one more than a bought one: with a self-signed cert, only someone who hacks him can make fake certs; if you buy it, tons of organizations and people can create fake certs...

Doesn't that mean users will get an untrusted-certificate warning when they visit the site?
Are cheap SSL certs really risky?

K1773R
August 10, 2013, 03:19:39 PM
 #7

Quote from: romsa9
Doesn't that mean users will get an untrusted-certificate warning when they visit the site?
Are cheap SSL certs really risky?
Yes, they will get a warning. No matter how much you pay for your SSL cert, it's still vulnerable.
The SSL system is pretty broken at the trust part. Currently SSL is mostly a scam to make tons of $$$ while serving a broken system.
In case you're interested, check this out: https://www.youtube.com/watch?v=Z7Wl2FW2TcA


ZirconiumX
August 10, 2013, 05:53:11 PM
 #8

I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out

K1773R
August 10, 2013, 06:26:43 PM
 #9

Quote from: ZirconiumX
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out
DoS (not DOS) != hacking, skiddys...


romsa9 (OP)
August 10, 2013, 06:44:13 PM
 #10

Quote from: K1773R
DoS (not DOS) != hacking, skiddys...

DoS flood attacks are pretty much unavoidable. The DoS protection that exists there now is that game states are auto-saved, so if the server goes down, nothing is lost. Games get paused at the precise state they were at.

By hacking I mean, well, try to find an exploit where you somehow get free coins, or transactions don't occur properly, xss, or somehow break the server, gain access to people's accounts, etc.

romsa9 (OP)
August 10, 2013, 06:50:18 PM
 #11

Quote from: ZirconiumX
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out

Yes, white-hat hack away :)

ZirconiumX
August 11, 2013, 08:36:14 AM
 #12

Straight away I have found a bug in the register field. It seems to want a captcha solving, which is in fact not there.

I'm using Chromium 28 on Ubuntu Linux.

Matthew:out

ZirconiumX
August 11, 2013, 08:43:33 AM
Last edit: August 11, 2013, 09:11:06 AM by ZirconiumX
 #13

I've just run w3af on your URL.

[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.serverHeader
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.allowedMethods
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.frontpage_version
[Sun 11 Aug 2013 09:40:00 BST] The page language is: en
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:02 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:03 BST] "X-Powered-By" header for this HTTP server is: "Express". This information was found in the request with id 35.
[Sun 11 Aug 2013 09:40:03 BST] Found 1 URLs and 1 different points of injection.
[Sun 11 Aug 2013 09:40:03 BST] The list of URLs is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:03 BST] The list of fuzzable requests is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com | Method: GET
[Sun 11 Aug 2013 09:40:03 BST] The web application sent a persistent cookie.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 31.

[Sun 11 Aug 2013 09:40:05 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:12 BST] Password profiling TOP 100:
[Sun 11 Aug 2013 09:40:12 BST] - [1] BitStrat with 147 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [2] Game with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [3] document with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [4] function with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [5] facebook with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [6] BITSTRAT with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [7] Service with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [8] Bitcoin with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [9] Strategy with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [10] toggle with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [11] connect with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [12] createElement with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [13] collapse with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [14] onload with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [15] Terms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [16] jssdk with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [17] script with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [18] currently with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [19] getElementById with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [20] xfbml with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [21] test with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [22] gamble with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [23] return with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [24] insertBefore with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [25] getElementsByTagName with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [26] Collective with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [27] Register with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [28] beta with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [29] Contact with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [30] appId with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [31] phase with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [32] using with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [33] navbar with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [34] bitcoins with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [35] parentNode with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [36] testnet with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [37] Rooms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [38] Compete with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] The whole target has no protection (X-Frame-Options header) against ClickJacking attack
[Sun 11 Aug 2013 09:40:12 BST] The cookie: "connect.sid=s%3Amb-3-WU9cVSUZVROGdw2TXbR.VGE8WR4XstVwdYu7Y04ws8GRQXIr4XnLtRiTGhaKghffuI3GGmUz4lkwLG3v6KvKUEPoH%2FeKQ2HgMp%2BeRYdS2A; Path=/; Expires=Mon, 12 Aug 2013 08:39:52 GMT" was sent by these URLs:
[Sun 11 Aug 2013 09:40:12 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 31.
[Sun 11 Aug 2013 09:40:12 BST] Scan finished in 20 seconds.

Hopefully this helps somewhat.

Matthew:out
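One way to close the three things the scan above flagged (the "X-Powered-By: Express" banner, the missing X-Frame-Options header, and a session cookie that carries only Path and Expires), as an added example that is not bitstrat's code: an Express-style middleware and cookie builder, plus an audit that re-checks a response the way the scanner did. It runs offline against a fake response object; `fakeResponse`, `securityHeaders`, `sessionCookie` and `auditHeaders` are my names, and the Secure flag only does anything once the site is served over HTTPS, which is what the SSL discussion earlier in the thread is about.

```javascript
// Stand-in for a Node/Express response so the example runs without Express installed
// (constructed; a real Express res exposes the same setHeader/removeHeader/getHeader).
function fakeResponse() {
  const headers = { "x-powered-by": "Express" }; // Express adds this by default
  return {
    headers,
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    removeHeader: (k) => { delete headers[k.toLowerCase()]; },
    getHeader: (k) => headers[k.toLowerCase()],
  };
}

// Express-style middleware (req, res, next): drop the framework banner and forbid
// framing. In a real app, app.disable('x-powered-by') also removes the banner.
function securityHeaders(req, res, next) {
  res.removeHeader("X-Powered-By");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-Content-Type-Options", "nosniff");
  next();
}

// Build a Set-Cookie value with the attributes the scanned cookie lacked:
// HttpOnly keeps it out of reach of injected scripts, Secure keeps it off plain HTTP,
// SameSite limits cross-site sends, Max-Age replaces the fixed Expires date.
function sessionCookie(name, value, opts) {
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${opts.path}`,
    `Max-Age=${opts.maxAgeSeconds}`,
    `SameSite=${opts.sameSite}`,
  ];
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  return parts.join("; ");
}

// Re-check a response's headers the way the scan did; returns the list of findings.
function auditHeaders(headers) {
  const findings = [];
  if (headers["x-powered-by"]) findings.push("X-Powered-By discloses the framework");
  if (!headers["x-frame-options"]) findings.push("no X-Frame-Options (clickjacking)");
  const cookie = headers["set-cookie"] || "";
  if (cookie && !/;\s*HttpOnly(;|$)/i.test(cookie)) findings.push("session cookie without HttpOnly");
  if (cookie && !/;\s*Secure(;|$)/i.test(cookie)) findings.push("session cookie without Secure");
  return findings;
}

// Before/after: the "before" cookie mirrors the shape the scan reported (Path and
// Expires only; the value itself is constructed, not the real session id).
function demo() {
  const before = fakeResponse();
  before.setHeader("Set-Cookie",
    "connect.sid=s%3Aconstructed; Path=/; Expires=Mon, 12 Aug 2013 08:39:52 GMT");

  const after = fakeResponse();
  securityHeaders({}, after, () => {});
  after.setHeader("Set-Cookie", sessionCookie("connect.sid", "s:constructed",
    { path: "/", maxAgeSeconds: 86400, sameSite: "Strict", httpOnly: true, secure: true }));

  return { before: auditHeaders(before.headers), after: auditHeaders(after.headers) };
}

console.log(demo());
```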

K1773R
August 11, 2013, 08:44:43 AM
 #14

Haha, I knew it's a skiddy :)


🏰 TradeFortress 🏰
August 11, 2013, 09:10:21 AM
 #15

Do you use socket.io? If yes, I'm probably able to crash your server.

ZirconiumX
August 11, 2013, 09:18:55 AM
 #16

Quote from: K1773R
Haha, I knew it's a skiddy :)

Sorry, but I don't come under the classification of "script kiddy". ::) I built my own computer when I was 13. I do actually have quite a bit of experience in C-family coding; I'm just very lazy. People make these tools for a reason, and who am I to insult the coders?

Quote from: 'Lucas Braesch'
I've always been convinced that laziness is the beginning of intelligence :D

Matthew:out

K1773R
August 11, 2013, 10:30:46 AM
 #17

Quote from: ZirconiumX
Sorry, but I don't come under the classification of "script kiddy". ::) I built my own computer when I was 13. I do actually have quite a bit of experience in C-family coding; I'm just very lazy. People make these tools for a reason, and who am I to insult the coders?

Quote from: 'Lucas Braesch'
I've always been convinced that laziness is the beginning of intelligence :D

Matthew:out
In this case I'll take it back, excuse me ;)


Kiwi7
August 11, 2013, 10:36:56 AM
 #18

Tried to register, "invalid captcha" :O
Where is the captcha?

akabmikua
August 11, 2013, 11:07:23 AM
 #19

Quote from: Kiwi7
Tried to register, "invalid captcha" :O
Where is the captcha?

Same here.

BTC: 16V3WVdW1oXbgAdDHKHdvJ9Msm4CSDrigf
Always, respect. Join CEX.IO and we both get an advantage.

romsa9 (OP)
August 11, 2013, 01:03:12 PM
 #20

Quote from: ZirconiumX
I've just run w3af on your URL.

[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.serverHeader
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.allowedMethods
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.frontpage_version
[Sun 11 Aug 2013 09:40:00 BST] The page language is: en
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:02 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:03 BST] "X-Powered-By" header for this HTTP server is: "Express". This information was found in the request with id 35.
[Sun 11 Aug 2013 09:40:03 BST] Found 1 URLs and 1 different points of injection.
[Sun 11 Aug 2013 09:40:03 BST] The list of URLs is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:03 BST] The list of fuzzable requests is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com | Method: GET
[Sun 11 Aug 2013 09:40:03 BST] The web application sent a persistent cookie.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 31.

[Sun 11 Aug 2013 09:40:05 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:12 BST] Password profiling TOP 100:
[Sun 11 Aug 2013 09:40:12 BST] - [1] BitStrat with 147 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [2] Game with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [3] document with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [4] function with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [5] facebook with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [6] BITSTRAT with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [7] Service with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [8] Bitcoin with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [9] Strategy with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [10] toggle with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [11] connect with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [12] createElement with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [13] collapse with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [14] onload with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [15] Terms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [16] jssdk with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [17] script with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [18] currently with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [19] getElementById with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [20] xfbml with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [21] test with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [22] gamble with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [23] return with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [24] insertBefore with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [25] getElementsByTagName with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [26] Collective with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [27] Register with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [28] beta with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [29] Contact with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [30] appId with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [31] phase with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [32] using with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [33] navbar with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [34] bitcoins with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [35] parentNode with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [36] testnet with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [37] Rooms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [38] Compete with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] The whole target has no protection (X-Frame-Options header) against ClickJacking attack
[Sun 11 Aug 2013 09:40:12 BST] The cookie: "connect.sid=s%3Amb-3-WU9cVSUZVROGdw2TXbR.VGE8WR4XstVwdYu7Y04ws8GRQXIr4XnLtRiTGhaKghffuI3GGmUz4lkwLG3v6KvKUEPoH%2FeKQ2HgMp%2BeRYdS2A; Path=/; Expires=Mon, 12 Aug 2013 08:39:52 GMT" was sent by these URLs:
[Sun 11 Aug 2013 09:40:12 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 31
.
[Sun 11 Aug 2013 09:40:12 BST] Scan finished in 20 seconds.

Hopefully this helps somewhat.

Matthew:out


There are no credit card numbers to expose.. Not a single credit card number is used anywhere.. What are you doing?
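Why a site that handles no card numbers can still get the "discloses the credit card number" finding, as an added example that is not from the thread and not w3af's own code: w3af's credit-card grep plugin, like most such checks, looks for card-length digit runs in the response and keeps only those whose Luhn check digit works out, so any 13-19 digit identifier that happens to pass (a numeric app id, an order number) is reported and masked the way the scan shows. The page fragment and the 15-digit app id in it are constructed, the regex is my simplification rather than the scanner's pattern, and the thread does not say what actually triggered the finding on bitstrat.

```javascript
// Luhn checksum: the last digit is a check digit over the others, so a random
// digit run passes only about one time in ten. Card scanners use it as a filter.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let dbl = false;                       // double every second digit from the right
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Scan text for 13-19 digit runs (spaces or dashes allowed between digits) that
// pass Luhn. Simplified pattern, not w3af's; output is masked like the scanner's.
function findCardLike(text) {
  const re = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;
  const hits = [];
  for (const m of text.matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (!luhnValid(digits)) continue;
    hits.push({
      masked: "*".repeat(digits.length - 4) + digits.slice(-4),
      // a little surrounding text is what a human needs to triage the hit
      context: text.slice(Math.max(0, m.index - 25), m.index + m[0].length + 10).replace(/\s+/g, " "),
    });
  }
  return hits;
}

// Constructed page fragment. The app id is made up: 14 digits plus the Luhn check
// digit 7, so it is flagged; the room number below differs only in its last digit
// and is not.
const SAMPLE_HTML = `<script>
  FB.init({ appId: '123456789012347', xfbml: true });
</script>
<p>Game room 123456789012345 is full</p>`;

console.log(findCardLike(SAMPLE_HTML));
```

Triage is then a matter of looking at the context of each hit rather than the masked number: a value inside an SDK init call or a room id is a false positive, a value in a payment form is not.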