I have been researching the security of crypto exchangers for a few days now. I found that almost every exchanger has at least one security issue.
I do not know how much they care about their security, but they should fix the bugs on their websites. Otherwise their website may be hacked at any time by a hacker.
I am not a hacker or anything like that. This thread is only for research purposes.
I will try to point out the web vulnerabilities of all the popular crypto exchangers and how to reproduce them.
1. https://www.bit-z.com/
Vulnerability details: Cross site scripting
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects /user/signup.
Attack details
URL-encoded POST input email was set to: sample%40email.tst" eKPi=a4zo([!+!]) Zp4="
The input is reflected inside a tag parameter between double quotes.
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
How to fix this vulnerability
Their script should filter metacharacters from user input before reflecting it into the page.
*HTML form without CSRF protection*
Vulnerability description
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
I found an HTML form with no apparent CSRF protection implemented.
Attack details:
*Form action: https://www.bit-z.com/user/signup
*Form method: POST
*Form inputs:
 . email [Text]
 . pwd [Password]
 . repwd [Password]
 . invite_code [Text]
*Form action: https://www.bit-z.com/user/signin
*Form method: GET
*Form inputs:
 . email [Text]
 . pwd [Password]
*Form action: https://www.bit-z.com/user/signup
*Form method: POST
*Form inputs:
 . email [Text]
 . pwd [Password]
 . repwd [Password]
 . invite_code [Text]
The impact of this vulnerability
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
How to fix this vulnerability
They should build that form with CSRF protection.
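As an added illustration (not code from the original post or from bit-z.com), here is how the two findings above would be fixed on the server side: the email value reflected into the signup form's value="..." attribute is HTML-attribute-encoded instead of concatenated raw (checked by parsing the rendered field the way a browser would), and the form gets a per-session CSRF token that is validated in constant time. The unsafe renderer, the field template and the token handling are assumptions about how such a site's code looks, not the site's actual code.

```python
import hmac
import html
import secrets
from html.parser import HTMLParser

# The reflected value from the finding above (the scanner's test input);
# the double quote is what closes the value="..." attribute.
SCANNER_INPUT = 'sample@email.tst" eKPi=a4zo([!+!]) Zp4="'

def render_email_field_unsafe(email: str) -> str:
    # Assumed pattern behind the finding: raw input concatenated into a
    # double-quoted attribute, so a quote in the input ends the attribute
    # and whatever follows becomes new attributes (or a new tag).
    return '<input type="text" name="email" value="' + email + '">'

def render_email_field(email: str) -> str:
    # Fix: encode on output for the HTML attribute context. quote=True turns
    # " into &quot; (and & < > ' too), so the value can never leave the attribute.
    return '<input type="text" name="email" value="%s">' % html.escape(email, quote=True)

class _StartTags(HTMLParser):
    # Collects (tag, attrs) the way a browser-like parser sees them.
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def reflection_is_safe(email: str, rendered: str) -> bool:
    # Browser-side view: exactly one <input>, carrying only the three intended
    # attributes, whose value round-trips to the original input.
    p = _StartTags()
    p.feed(rendered)
    inputs = [attrs for tag, attrs in p.tags if tag == "input"]
    if len(inputs) != 1:
        return False
    return set(inputs[0]) == {"type", "name", "value"} and inputs[0]["value"] == email

def issue_csrf_token() -> str:
    # Synchronizer-token pattern: one token per session, stored server-side and
    # emitted as a hidden field in the signup/signin forms listed above.
    return secrets.token_urlsafe(32)

def csrf_token_valid(session_token, submitted) -> bool:
    # Reject when either side is missing; compare in constant time.
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)
```

With the scanner's input, the unsafe renderer yields an input tag carrying extra attributes, while the encoded version parses back to exactly the original email string.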
Clickjacking: X-Frame-Options header missing
Vulnerability description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Affected items
Web Server
The impact of this vulnerability
The impact depends on the affected web application.
How to fix this vulnerability
They should configure their web server to include an X-Frame-Options header.
Also they have some more bugs, e.g.:
*cookie without the HttpOnly flag set
*cookie without the Secure flag set
I will post the vulnerability details of almost all crypto exchanger websites here one by one. It is not possible to publish web vulnerability details about all cryptocurrency exchangers at once.
If anyone finds any bugs, please report them here; that will help make a safer crypto world.