Bitcoin Forum
Poll
Question: From the looks of things so far, would you trust purchasing from Cheaper In Bitcoins?
Yes, more than likely
Yes, sure, I'll try it out
Yes, but nothing pricey
Definitely not
Definitely not, the website developer was really negligent

Pages: [1] 2 3 4 »  All
  Print  
Author Topic: [Hack-A-Thon: Round 2 ended] Hack my site  (Read 24395 times)
Xenland (OP)
Legendary
I'm not just any shaman, I'm a Sha256man
August 04, 2011, 02:38:16 PM
Last edit: August 23, 2011, 01:51:45 AM by Xenland
 #1

Basically I am constructing a retailing website with custom-written software that should and needs to be tested. I am taking all the necessary precautions to keep Bitcoins safe while at the same time making it an easy and friendly store to use for newcomers to Bitcoin. My e-commerce website will not only sell things but help newcomers every step of the way to learning Bitcoin. I have purchased an SSL certificate so customers can feel even safer. The slogan is "Never pay with a Credit Card Again", and the aim and drive of the whole store is to provide a way for people to purchase things without feeling like they will puke when they get an overdraft bill the following month from their bank.

Anyways, please RSVP if you want to sign up for the hack-a-thon day. I will be participating in it myself (not enough time to participate; I will be adding more products to the list while you guys hack ;) ). I plan it to be within the next month or so. The rules are simple: in order to participate you must not DDoS or do anything that might otherwise cause physical or hardware harm to the server itself. The aim is to attempt to find holes in the back-end programming (PHP/MySQL/XSS) of cheaperinbitcoins and report the steps you took to recreate the hack. I want my website to be safe and secure. Also, website suggestions are welcome too, before or after the hack-a-thon event. Any date suggestions?

Teh Rulez:
Pay Per Report Per Person: 0.05 BTC (If you find a big security risk I will put in bonus of 0.5 BTC so that makes 0.55 BTC per huge security risk)
Reports must be thorough enough for me to recreate and verify

----------------------------------
Target Website: Unreleased to the public.
----------------------------------
Bug Count: 4
Security Flaw Count: 0 (I haven't seen any database extractions yet)


Happy Hacking!
Xenland
indicasteve
Full Member
August 04, 2011, 09:36:46 PM
 #2

You might have to do a few rounds of testing....find some bugs, fix some bugs...repeat.

Maybe offer a small bounty for reports.  .05 BTC will get you 20 bug reports for a bitcoin.  A good investment imho.  And if you're cheap like me, it also gives you incentive to find them before the others do!


Art Express!  Native American Art, Crafts and Weapons!  coingig.com/ArtExpress
Xenland (OP)
Legendary
August 05, 2011, 01:24:29 AM
 #3

Quote from: indicasteve on August 04, 2011, 09:36:46 PM
You might have to do a few rounds of testing....find some bugs, fix some bugs...repeat.

Maybe offer a small bounty for reports.  .05 BTC will get you 20 bug reports for a bitcoin.  A good investment imho.  And if you're cheap like me, it also gives you incentive to find them before the others do!


I might take your offer on that thanks for the suggestion.
FlipPro
Legendary
August 05, 2011, 05:25:29 AM
 #4

I will donate a small bounty for the first hack :) ! 0.05 BTC ! Good work Xenland.
indicasteve
Full Member
August 05, 2011, 07:01:29 AM
Last edit: August 05, 2011, 07:18:40 AM by indicasteve
 #5

See...  I can see where he's coming from.

He doesn't want to open his system up to the public yet because he's concerned about being hacked and people breaking his shit, so he's having a limited invite.

If you want to make your site hack proof, open a demo site to the public then declare in a loud voice, "My Site is Un-Hackable!"

Then just wait for the 'loz' and the 'ur code sux cuz I haxored u' to roll in.

Once the drama is over and you fixed all your code, and you pay your bounty to those who helped...do it again...

Honestly.... I'm not opening my site up for business till every hack in these forums has had a go at it.

edit: Didn't see the updates to the OP before writing this...soz.

edit: edit: Just another quote to keep in mind: "Good software does what it's supposed to do.  Secure software does what it's supposed to do and nothing else"

Xenland (OP)
Legendary
August 05, 2011, 07:14:22 AM
 #6

Quote from: indicasteve on August 05, 2011, 07:01:29 AM
See...  I can see where he's coming from.

He doesn't want to open his system up to the public yet because he's concerned about being hacked and people breaking his shit, so he's having a limited invite.

If you want to make your site hack proof, open a demo site to the public then declare in a loud voice, "My Site is Un-Hackable!"

Then just wait for the 'loz' and the 'ur code sux cuz I haxored u' to roll in.

Once the drama is over and you fixed all your code, and you pay your bounty to those who helped...do it again...

Honestly.... I'm not opening my site up for business till every hack in these forums has had a go at it.

edit: Didn't see the updates to the OP before writing this...soz.

lol, man, I should have thought of this... but a deal is a deal. *sigh* :P
xcooling
Member
August 05, 2011, 07:45:05 AM
 #7

Send me the info and ill get testing

Xenland (OP)
Legendary
August 05, 2011, 08:17:07 AM
 #8

Quote
When are you ready to start this?

I want to join in, but I'm not always available.

btw.: Starting a Hack-A-Thon is a great idea!

I'm hoping my website will be released at the beginning of the next month if everything goes according to plan. So the hack-a-thon should be some time after the 26th of Aug if I finish the site by then, and I plan for the event to be an ongoing week-long event, where I just sit back and watch my programming crash & burn (so to speak).
phorensic
Hero Member
August 05, 2011, 08:29:38 AM
 #9

Xen, I just have to say:  This is the freakin' way to get a reputable site going in this community.  Produce a beta and say "hack this sh*t!".  Once you have done enough testing it's ready for release, provided you don't plan on adding new features without additional testing.

I have a feeling your next project is going to make waves.  Push forward brotha'!
Xenland (OP)
Legendary
August 06, 2011, 03:11:41 AM
 #10

Quote from: phorensic on August 05, 2011, 08:29:38 AM
Xen, I just have to say:  This is the freakin' way to get a reputable site going in this community.  Produce a beta and say "hack this sh*t!".  Once you have done enough testing it's ready for release, provided you don't plan on adding new features without additional testing.

I have a feeling your next project is going to make waves.  Push forward brotha'!

Thanks mate!

Yeah, exactly. I want everyone to trust that their Bitcoins are in safe keeping, with all these "hacks" going around and loss of Bitcoins at random.
My business plan is to purchase three USB drives, all of which have the same identical single wallet address. All the Bitcoins get sent to this address, and when I'm ready to ship products I pull one out of the lock box (looking into magnetically shielded lock-boxes; any ideas where to find them?) and convert Bitcoins into fiat and purchase another shipment.
Xenland (OP)
Legendary
August 06, 2011, 05:22:29 AM
 #11

Quote from: indicasteve on August 05, 2011, 07:01:29 AM
See...  I can see where he's coming from.

He doesn't want to open his system up to the public yet because he's concerned about being hacked and people breaking his shit, so he's having a limited invite.

If you want to make your site hack proof, open a demo site to the public then declare in a loud voice, "My Site is Un-Hackable!"

Then just wait for the 'loz' and the 'ur code sux cuz I haxored u' to roll in.

Once the drama is over and you fixed all your code, and you pay your bounty to those who helped...do it again...

Honestly.... I'm not opening my site up for business till every hack in these forums has had a go at it.

edit: Didn't see the updates to the OP before writing this...soz.

edit: edit: Just another quote to keep in mind: "Good software does what it's supposed to do.  Secure software does what it's supposed to do and nothing else"

That's an awesome quote, and it's so true too!
Paul4games
Newbie
August 06, 2011, 08:45:58 AM
 #12

I'd be glad to test your site for vulnerabilities, just hit me up when it's ready.
Xenland (OP)
Legendary
August 11, 2011, 06:51:26 PM
 #13

Thinking about starting early. I'm just doing some touch-ups and just messing around on the site to see if I can just randomly break it.
brandon@sourcewerks
Member
August 11, 2011, 08:58:13 PM
 #14

Xenland,

I'll take a crack at it as well.  Just shoot me a PM with the details when you are ready.

And just to be clear, all avenues are open to the hack (minus DDOS obviously)?
Xenland (OP)
Legendary
August 12, 2011, 12:07:18 PM
 #15

Yes brandon@sourcewerks, everything is open for hacking. The exception is anything that could be done to damage my server's hardware, or anything that is irreversible; that is not allowed. If you think you know of a flaw that would cause such disaster, please let me know the steps to come to this conclusion.

Other than that, I want everyone to basically just deface the $*&^T out of my website. You know the kind of attacks you see when a hacker gets access: they usually throw up some swastikas and then scribble Latin satanic chants overlying the logo. Since my website is not public (officially), I don't think any consumers are aware of the website either way yet, so like I said, deface it!!!! Make people purchase stuff (I will implant fake customer accounts just for the sake of proper testing; some will have shipped items, purchased items, items waiting to be purchased, etc., etc.). Here's another good idea: hack into my database and set all paid transactions to be required to be paid again... go crazy!!!!^%%#@!! with teh hax!!

Hackthissite.org has a really good hacking philosophy (http://www.hackthissite.org/pages/info/billofrights/)

it says
Quote
2. Users are allowed to explore Hack This Site in search of security holes, bugs, etc. provided that they do not exploit them for destructive purposes. We encourage people to 'hack this site' but we ask that they leave the website up for others to benefit and learn from. More information about hacking this site available here. We ask that you submit a bug report if you do find one.

I hope that clears this up for everyone, as I've been thinking about the rules and fine lines myself over the past couple of days. It's hard to say "hack my site but don't destroy it"; it's kind of contradictory, but I hope this explains everything.

I don't think there will be any media coverage for Bitcoin convention so I figured I'd let all the bitcoiners that can't make it to the convention be able to pass the time with some hacking? I was thinking the start date 17th and then length of the hackings will go on as long as they must.
brandon@sourcewerks
Member
August 12, 2011, 02:52:00 PM
 #16

Ok.  I'm ready when you say go!

indicasteve
Full Member
August 13, 2011, 09:57:15 AM
 #17

I'm just waiting for the day I find someone to hack who has one of those 3D printers.  I'd hack it and program it to make a zombie robot and have it attack the guy while he's sleeping and steal his mining rigs and all his bitcoinz!


Xenland (OP)
Legendary
August 13, 2011, 12:12:47 PM
 #18

Quote from: indicasteve on August 13, 2011, 09:57:15 AM
I'm just waiting for the day I find someone to hack who has one of those 3D printers.  I'd hack it and program it to make a zombie robot and have it attack the guy while he's sleeping and steal his mining rigs and all his bitcoinz!

A glimpse at future hacking endeavours....
Hide yo bitcoins, hide yo wife.... Run and tell that, run and tell that, home boy, home boy
indicasteve
Full Member
August 13, 2011, 12:45:51 PM
 #19

:)  How's your site coming along anyway?

I just finished patching my XSRF holes Kokjo was kind enough to rub in my face.  Smiley  Don't forget those!  They can be nasty buggers!  Even nastier than a XSS bug because the danger is subtle and may not even be obvious at first.

Xenland (OP)
Legendary
August 13, 2011, 01:08:46 PM
Last edit: August 13, 2011, 01:30:15 PM by Xenland
 #20

Quote from: indicasteve on August 13, 2011, 12:45:51 PM
:)  How's your site coming along anyway?

I just finished patching my XSRF holes Kokjo was kind enough to rub in my face.  :)  Don't forget those!  They can be nasty buggers!  Even nastier than a XSS bug because the danger is subtle and may not even be obvious at first.

Wow, haven't heard of those attacks yet. I'm not entirely sure I'm covered, but the measure I have taken before reading about that kind of attack is this.
I sha512 hash the cookie authentication, similar to mining farm, except I have removed the annoying 30-minute session limit that was in mining farm: you can browse as long as you're active, for up to an hour of inactivity. I'm hoping that should be enough. I'll give you guys a hint on the framework for the hashing value.....
Quote
user_ip_address.randomly_generated_secret.user_unhashed_password.auto_updating_expiration_timestamp

Pseudo code looks something like this
Quote
$CookieIp.$CookieSecret.$Password.$ExpireTimestamp

At the time of writing this, I'm finishing up the last touch, and that is user reviews. I hope to start the hack-a-thon on Monday, 15th of August. :D

Edit: all this got me thinking; I'm rewriting the login code to constantly randomly generate a "secret" every time a page is refreshed, just to make it super extra session-hijacking safe.

Edit2: I think I'll give some more hints to the people: I have changed the root MySQL user name that MySQL runs on (won't disclose what the username is), and I have the actual website running through a jailed user; there is no phpMyAdmin (to prevent brute-force attacks on that), and I've changed my root user name login through SSH. I think I got everything covered as far as securing the actual box; I hope some hackers can prove me wrong ;)
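The two mechanisms discussed in the last two posts, the hashed session cookie and the XSRF class indicasteve mentions, as an added example that is not part of this thread or of the cheaperinbitcoins code. It issues a session cookie of the form user_id|expiry|nonce|mac, where the MAC is an HMAC-SHA512 under a key that never leaves the server, so the cookie carries no password material and cannot be forged or edited; it then derives a per-session CSRF token from the cookie's nonce and shows that a cross-site POST, which the browser sends with the victim's cookie but without the token, is refused. The server key, the request-dictionary shape and the handler are hypothetical stand-ins, and the requests in demo() are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side key. In a real deployment it is generated once,
# stored outside the web root, and never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def _sign(payload: str) -> str:
    """HMAC-SHA512 over the cookie payload; only the server can produce it."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha512).hexdigest()


def make_session_cookie(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Cookie = user_id|expiry|nonce|mac. The nonce is fresh per login and also
    binds the CSRF token below; nothing password-derived goes into the cookie."""
    expiry = int(_now(now) + ttl)
    nonce = secrets.token_hex(16)
    payload = f"{user_id}|{expiry}|{nonce}"
    return f"{payload}|{_sign(payload)}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the MAC is valid and the cookie is unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user_id, expiry, nonce, mac = parts
    # Constant-time comparison: a byte-by-byte early exit would leak the MAC.
    if not hmac.compare_digest(_sign(f"{user_id}|{expiry}|{nonce}"), mac):
        return None
    if not expiry.isdigit() or int(expiry) < _now(now):
        return None
    return user_id


def csrf_token_for(cookie: str) -> str:
    """Per-session CSRF token: HMAC of the cookie nonce under the server key.
    The browser attaches the cookie to any request, including one a third-party
    page triggers; the token must be read from the form the site itself rendered,
    which a third-party origin cannot do. No server-side token storage is needed."""
    nonce = cookie.split("|")[2]
    return hmac.new(SERVER_KEY, b"csrf|" + nonce.encode(), hashlib.sha256).hexdigest()


def handle_state_changing_post(request: dict, now: Optional[float] = None) -> int:
    """Hypothetical handler for a state change such as 'mark order paid'.
    request = {"cookie": str, "form": dict}. Returns an HTTP status code."""
    user = verify_session_cookie(request.get("cookie", ""), now=now)
    if user is None:
        return 401  # no session, tampered cookie, or expired
    submitted = request["form"].get("csrf_token", "")
    expected = csrf_token_for(request["cookie"])
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403  # valid cookie but no valid token: the CSRF case
    return 200


def demo() -> dict:
    """Constructed requests covering the outcomes a tester would probe."""
    cookie = make_session_cookie("alice", ttl=3600, now=1_000)
    token = csrf_token_for(cookie)
    same_site = {"cookie": cookie, "form": {"order": "42", "csrf_token": token}}
    # Auto-submitting <form> on attacker.example: alice's cookie rides along, no token.
    cross_site = {"cookie": cookie, "form": {"order": "42"}}
    # Attacker replays a token minted for their own session against alice's cookie.
    mallory_token = csrf_token_for(make_session_cookie("mallory", now=1_000))
    wrong_token = {"cookie": cookie, "form": {"order": "42", "csrf_token": mallory_token}}
    # Cookie edited to impersonate another account: the MAC no longer matches.
    tampered = {"cookie": cookie.replace("alice", "admin", 1), "form": {"csrf_token": token}}
    return {
        "same_site": handle_state_changing_post(same_site, now=1_500),
        "cross_site": handle_state_changing_post(cross_site, now=1_500),
        "wrong_token": handle_state_changing_post(wrong_token, now=1_500),
        "tampered": handle_state_changing_post(tampered, now=1_500),
        "expired": handle_state_changing_post(same_site, now=10_000),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the five outcomes: only the same-site request with the matching token gets 200. One design point worth noting when the secret is rotated on every page load, as the post's first edit describes: because the token here is derived from the cookie nonce, rotating the nonce invalidates every token already embedded in forms the user has open, so those forms must be re-rendered or the server must accept the previous nonce for a short grace period.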