Bitcoin Forum
Poll
Question: From the looks of things so far would you trust purchasing from Cheaper In Bitcoins?
Yes, more than likely
Yes, sure I'll try it out
Yes, but nothing pricey
Definitely not
Definitely not, the website developer was really negligent

Author Topic: [Hack-A-Thon: Round 2 ended] Hack my site  (Read 5209 times)
indicasteve
August 13, 2011, 02:09:26 PM
 #21

And that's why XSRF is so dangerous, because it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as an HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic... most of it just seems too nerdy and unnecessary because this attack isn't used much... but if there is a hole... especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article... but even if you read the comments, some people still don't get it... XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html




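A concrete version of the token check described in the post above, added here as an example that is not code from the thread or from the Cheaper In Bitcoins site: it uses only the Python standard library, and the csrf_token field and cookie names, the form action and the dict-shaped requests are assumptions of this example.

```python
# Added example (not from the thread): double-submit CSRF token check as the
# post describes it. Standard library only; requests are plain dicts built
# here, and the csrf_token field/cookie names are assumptions of this example.
import hmac
import secrets

def issue_token() -> str:
    """Fresh unguessable token from the OS CSPRNG (64 hex characters)."""
    return secrets.token_hex(32)

def set_cookie_header(token: str) -> str:
    """Value for the Set-Cookie header. HttpOnly keeps page script away from
    the token; Secure and SameSite are hardening beyond what the post names."""
    return f"csrf_token={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

def render_form(token: str, action: str = "/account/update") -> str:
    """The form with the token carried in a hidden field."""
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="shipping_address">'
            '<button type="submit">Save</button></form>')

def csrf_ok(form: dict, cookies: dict) -> bool:
    """True only if hidden field and cookie both exist and match. A cross-site
    forger gets the victim's cookie sent along automatically but cannot read
    it (same-origin policy, HttpOnly), so it cannot fill a matching field."""
    field = form.get("csrf_token", "")
    cookie = cookies.get("csrf_token", "")
    if not field or not cookie:
        return False
    return hmac.compare_digest(field, cookie)  # constant-time comparison

def csrf_ok_stored(form: dict, session_id: str, store: dict) -> bool:
    """The post's alternative: token kept server side, keyed by session, and
    consumed on use so each token is good for exactly one POST."""
    expected = store.pop(session_id, None)
    field = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(field, expected)

def demo() -> tuple:
    """A legitimate POST versus a forged cross-site POST from the same victim's
    browser: the forger can only send the cookie, not a matching field."""
    token = issue_token()
    cookies = {"csrf_token": token}          # what the victim's browser sends
    legit = {"csrf_token": token, "shipping_address": "1 Main St"}
    forged = {"csrf_token": "guess", "shipping_address": "somewhere else"}
    return csrf_ok(legit, cookies), csrf_ok(forged, cookies)
```

Every state-changing form and action URL needs this check, which is the tedious part the thread mentions; a GET that changes state cannot be protected this way and should be turned into a POST first.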
Xenland
August 13, 2011, 03:24:11 PM
 #22

Quote from: indicasteve on August 13, 2011, 02:09:26 PM
And that's why XSRF is so dangerous, because it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as an HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic... most of it just seems too nerdy and unnecessary because this attack isn't used much... but if there is a hole... especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article... but even if you read the comments, some people still don't get it... XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html





Thanks for this very informative article, I will be researching it to the line. It's crazy the things people come up with to hack something.

Edit: so as long as I don't allow any links to other websites, I'm thinking I should be good.
indicasteve
August 13, 2011, 03:45:38 PM
 #23

The link doesn't necessarily have to be on your site... because we all use these forums, I could put a link on the forum... and if someone is logged into your site when they click the link I post here... they can get goxed if your site isn't XSRF safe.

Or, I could post an image here... but the image isn't an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the XSRF... no need to click on a link at all.

That's why it's dangerous... cuz the attack doesn't have to come from your site... the user just needs to be logged in to your site.




Xenland
August 13, 2011, 04:11:51 PM
 #24

Quote from: indicasteve on August 13, 2011, 03:45:38 PM
The link doesn't necessarily have to be on your site... because we all use these forums, I could put a link on the forum... and if someone is logged into your site when they click the link I post here... they can get goxed if your site isn't XSRF safe.

Or, I could post an image here... but the image isn't an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the XSRF... no need to click on a link at all.

That's why it's dangerous... cuz the attack doesn't have to come from your site... the user just needs to be logged in to your site.





Wow!? This is a crazy type of attack. I must get back to work.
indicasteve
August 14, 2011, 12:46:52 AM
 #25

Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this... but once you understand it, it's simple to fix... albeit tedious, since you have to examine and fix every form post and action URL your users have access to.

Xenland
August 14, 2011, 12:52:11 PM
 #26

Quote from: indicasteve on August 14, 2011, 12:46:52 AM
Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this... but once you understand it, it's simple to fix... albeit tedious, since you have to examine and fix every form post and action URL your users have access to.

Thankfully I only have a few forms, most of which required a #id number, so they were semi-safe if the attacker could guess the #id number of the shopping cart they wanted to control, but I did have to do some token work on account details so packages won't get shipped to the wrong place.
Xenland
August 14, 2011, 05:09:55 PM
 #27

Start Date: August 17th
12 in the afternoon PST.

Use this thread to report bugs.
Xenland
August 14, 2011, 05:18:10 PM
 #28

Edited OP for payment details I've decided.
Xenland
August 16, 2011, 07:54:04 PM
 #29

Forgotten password won't be available for testing tomorrow. I'm still trying to figure out how to get mail to send correctly, as well as set up the receiving end.
Xenland
August 17, 2011, 04:10:25 PM
 #30

Okay, everything should be operational; doing some last minute touches on product reviews and rating system. Hack-A-Thon will begin at 12 PST and I'll PM everyone when it's ready to start.

*Edit: I meant to put everything should be operational except for the forgot password, because it involves mail, and getting mail to send and receive is like the devil trying to get to heaven (it can happen but it's going to take a lot of work! PUN INTENDED)

*Update:
I will be setting the cost of all the products to about .01 BTC; this way testers can try out the shopping cart system and see if there are any vulnerabilities in that.
There is a Store Credit section in the account details. If you want your BTC back, just type in your return address and press the "Request Refund" button and I'll send you your "Store Credit" back. It will tell you "Please allow 2-3 days for your refund." This won't be true during testing times; I'll send it back to you as soon as I see the request, but it shouldn't be a big deal how soon you receive it since we're dealing with .01 BTC here.

Tip: Looking for security flaws and bugs.


(It will be another 2 more hours from 12:31PM PST, I just realized I didn't patch up something)
Xenland
August 18, 2011, 12:07:01 AM
 #31

Hacking has started. Everyone that has RSVP'd, I've sent the details to start the hacks. I will be creating some fake customer accounts.

Good luck, have fun!
xcooling
August 18, 2011, 12:15:20 AM
 #32

I'll PM you my findings in the morning, lol, if I'm able to connect to the server.

indicasteve
August 18, 2011, 12:48:56 AM
 #33

Yea... both http and https sites are down for me too.

Xenland
August 18, 2011, 12:50:26 AM
 #34

It's stuck in restart, I just submitted a ticket.
Xenland
August 18, 2011, 01:28:05 AM
 #35

Server back up. It will be a moment before the bitcoin daemon is back up. Thanks for your patience.

Edit: apache2 won't boot; it has come to my attention I need a new host, this is just ridiculous. Any hosting suggestions?

Yeah, having too many problems with this host. Hack-A-thon held off until tomorrow; I'm getting a different host.
indicasteve
August 18, 2011, 01:51:05 AM
 #36

yea... just tried... it's down... no joy.

If you want to try something where you have full control of your server, try Linode.

I used them before and really like the platform.

They have a bunch of different Linux distros you can install and have full root access.

http://www.linode.com/

Their basic plan is $19.95 per month and gives you 20 GB of disk space... not sure if that's enough... how many GB is the blockchain these days?  The basic plan should be good enough for most start-up websites, but I'm not sure how much resources bitcoind would use on it.

I heard someone else say they were running bitcoind on there... but not sure what plan he is under.

Raoul Duke
August 18, 2011, 01:57:43 AM
 #37

Quote from: Xenland on August 18, 2011, 01:28:05 AM
Any hosting suggestions?

I have several dedicated servers on Worldstream with 1 year+ uptime. Can't really say how fast their technical support is because luckily I never needed to use it. But their sales support is alright, at least during the week and on Dutch work hours.

Your mileage may vary, of course.

Xenland
August 18, 2011, 02:48:21 AM
 #38

Servers back up. Okay, apparently I was on a bad node. So let's see how this good node works. Continue the testing!!! FULL STEAM AHEAD!!!
indicasteve
August 18, 2011, 03:25:59 AM
 #39

I tried to check out... and I got this error:

"Fatal error: Uncaught BitcoinClientException:
  • : Connect error: Connection refused (111) thrown in on line 0"

Probably just means your bitcoind is down...


Oh... BTW... what are your validation rules for zip code?  I'm in Canada, and our postal codes have letters in them... if you're going to ship international, allow letters in zip code plz.

Perhaps just a slight oversight: your link on the top menu to register is broken.
"The requested URL /register.php was not found on this server."


phorensic
August 18, 2011, 04:22:56 AM
 #40

Chrome 14.0.835.35.  Item title goes behind BTC price.  I believe the offending div is "s_item_clearfix".  Repeats on many other items.




Are you looking for layout quirks like that also, or only security holes?