[Hack-A-Thon: Round 2 ended] Hack my site

[indicasteve]

And that's why XSRF is so dangerous because it's it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as a HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic..most of it just seems too nerdy and unnecessary because this attack isn't used much....but if there is a hole..especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article...but even if you read the comments, some people still don't get it....XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html

[1713899050]

1713899050

[1713899050]

1713899050

[1713899050]

1713899050

[1713899050]

1713899050

[Xenland]

And that's why XSRF is so dangerous because it's it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as a HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic..most of it just seems too nerdy and unnecessary because this attack isn't used much....but if there is a hole..especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article...but even if you read the comments, some people still don't get it....XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html

Thanks for this very informative article, I will be researching it to the line, It's crazy the things people come up with to hack something.

Edit so As long as I don't allow any links to other websites I'm thinking I should be good.

[indicasteve]

The link not necessarily has to be on your site...because we all use these forums, I could put a link on the forum..and if someone is logged into your site when they click the link I post here...they can get goxed if your site isn't xsrf safe..

Or, I could post an image here...but the image isnt an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the xsrf...no need to click on a link at all.

That's why its dangerous....cuz the attack doesn't have to come from your site...the user just needs to be logged in to your site.

[Xenland]

The link not necessarily has to be on your site...because we all use these forums, I could put a link on the forum..and if someone is logged into your site when they click the link I post here...they can get goxed if your site isn't xsrf safe..

Or, I could post an image here...but the image isnt an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the xsrf...no need to click on a link at all.

That's why its dangerous....cuz the attack doesn't have to come from your site...the user just needs to be logged in to your site.

wow!? This is a crazy type of attack, I must get back to work

[indicasteve]

Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this....but once you understand it, it's simple to fix...albeit tedious since you have to examine and fix every form post and action URL your users have access to.

[Xenland]

Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this....but once you understand it, it's simple to fix...albeit tedious since you have to examine and fix every form post and action URL your users have access to.

Thankfully I only have a few forms most of which everything required a #id number so they were semi safe if the attacker could guess the #id number of the shopping cart they wanted to control but I did have to do some token work on account details so packages won't get shipped in the wrong place

[Xenland]

Start Date: August 17th
12 in the afternoon PST.

Use this thread to report bugs.

[Xenland]

Edited OP for payment details I've decided.

[Xenland]

Forgotten password won't be available for testing tomorrow. I'm still trying to figure out how to get mail to send correctly. As well as set up the receiving end

[Xenland]

Okay everything should be operational doing some last minute touches on product reviews and rating system. Hack-A-Thon will begin at 12PST and I'll PM everyone when its ready to start

*Edit: I meant to put everything should be operation except for the forgot password because it involved mail and getting mail to send and receive is like the devil trying to get to heaven(It can happen but its going to take a lot of work! PUN INTENDED)

*Update:
I will be setting the cost of all the products to about .01 BTC this way testers can try out the shopping cart system and see if there are any vulnerabilities in that.
There is a Store Credit section in the account details if you want your BTC back just type in your return address and press the "Request Refund" button and I'll send you your "Store Credit" back. It will tell you "Please allow 2-3 days for your refund." This won't be true during testing times I'll send it back to you as soon as I see the request but shouldn't be a big deal how soon you receive it since were dealing with .01BTC's here.

Tip:Looking for security flaws and bugs.


(It willl be another 2 more hours from 12:31PM PST I just realized i didn't patch up somthing)

[Xenland]

Hacking has started everyone that has RSVP'd I've sent the details to start the hacks. I will be creating some fake customer accounts.

Good Luck Have fun!

[xcooling]

Ill PM you my findings in the morning, lol if im able to connect to the server.

[indicasteve]

Yea... both http and https sites are down for me too.   

[Xenland]

Its stuck in restart, I just submitted a ticket

[Xenland]

Server back up, It will be a moment before bitcoin daemon is back up Thanks for your patience.

EDit: apache2 wont boot, it has come to my attention i need a new host this is just rediculas. Any hosting suggestions?

Yeah Having too many problems with this host Hack-A-thon held off until tomorrow I'm getting a different host.

[indicasteve]

yea... just tried.. it's down... no joy.

If you want to try something where you have full control of your server, try linode.

I used them before and really like the platform.

They have a bunch of different linux distros you can install and have full root access.

http://www.linode.com/

Their basic plan is $19.95 per month and gives you 20 GB of disk space....not sure if thats enough...how many GB is the blockchain these days?  The basic plan should be good enough for most start-up websites, but I'm not sure how much resources bitcoind would use on it.

I heard someone else say they were running bitcoind on there...but not sure what plan he is under.

[Raoul Duke]

Any hosting suggestions?

I have several dedicated servers on Worldstream with 1 year+ uptime. Can't really say how fast their technical support is because luckily i never needed to use it. But their sales support is allright, at least during the week and on dutch work hours

Your mileage may vary, ofcourse

[Xenland]

Servers back up Okay apperently i was on a bad node. So lets see how this good node works. Continue the testing!!! FULL STEAM AHEAD!!!

[indicasteve]

I tried to check out.. and I got this error:

"Fatal error: Uncaught BitcoinClientException:

• : Connect error: Connection refused (111) thrown in on line 0"

Probably just means your bitcoind is down...


oh..BTW...what is your validation rules for zip Code?  I'm in Canada, and our postal codes have letters in them....if you're going to ship international, allow letters in zip code plz.

perhaps just a slight oversite: Your link on the top menu to register is broken.
"The requested URL /register.php was not found on this server."

[phorensic]

Chrome 14.0.835.35.  Item title goes behind BTC price.  I believe the offending div is "s_item_clearfix".  Repeats on many other items.




Are you looking for layout quirks like that also, or only security holes?