fffeee (OP)
June 01, 2012, 01:02:25 PM
Someone tries to cash me out.. There is a bug on my site and someone did try to steal my coins. He was able to order coins every 20 seconds via different proxies and with many different BTC addresses. If anyone can help me or will find this error, I would be very thankful. There is also a bounty on it (0.5)! Edit: www.fiveminutecoin.com
Bitsky
June 01, 2012, 01:28:28 PM
Are you checking if the 300 seconds passed in your backend? Because if not, then it's simple to create an automated tool. You just need to look at the request that gets sent out.
BinaryMage
June 01, 2012, 03:01:35 PM
I'm not clear what you're asking here. Are you giving us permission to pentest your website?
(And BTW, it returns a 404 right now.)
fffeee (OP)
June 01, 2012, 03:13:02 PM
> I'm not clear what you're asking here. Are you giving us permission to pentest your website?
> (And BTW, it returns a 404 right now.)
I know this, because I'm uploading the new version right now..
> Are you checking if the 300 seconds passed in your backend? Because if not, then it's simple to create an automated tool. You just need to look at the request that gets sent out.
Yes, of course I do check it on the backend.. so I don't know how this could even be possible!? I use an IP blacklist now.. maybe it works!?!
fffeee (OP)
June 01, 2012, 03:45:53 PM
> > > I'm not clear what you're asking here. Are you giving us permission to pentest your website?
> > > (And BTW, it returns a 404 right now.)
> > I know this, because I'm uploading the new version right now..
> > > Are you checking if the 300 seconds passed in your backend? Because if not, then it's simple to create an automated tool. You just need to look at the request that gets sent out.
> > Yes, of course I do check it on the backend.. so I don't know how this could even be possible!? I use an IP blacklist now.. maybe it works!?!
> I bet the guy was using Tor so an IP blacklist will not work on that, cause the user can change the IP and there are so many nodes, so look into blocking the whole Tor network, I know there's a way to do that.
ok.. I'm gonna implement that too.. thanks for your suggestion!
Bitsky
June 01, 2012, 03:54:47 PM
> Yes, of course I do check it on the backend.. so I don't know how this could even be possible!? I use an IP blacklist now.. maybe it works!?!
If I understand your site correctly, I can request 0.0025 BTC instantly without having to wait the 5 minutes. If I wait, I can get 0.005 BTC instead. I'd start with a little math: captcha solving costs something between $1-$2 per 1000 captchas. 1000 successful requests mean 2.5 BTC when you don't bother to wait. Assuming ~$5/BTC, you make $12.50 while paying $2, resulting in a $10.50 profit. You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them. Probably a good idea is to look around for a good real-time blacklist of proxies and block them. Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.
fffeee (OP)
June 01, 2012, 04:47:14 PM
> > Yes, of course I do check it on the backend.. so I don't know how this could even be possible!? I use an IP blacklist now.. maybe it works!?!
> If I understand your site correctly, I can request 0.0025 BTC instantly without having to wait the 5 minutes. If I wait, I can get 0.005 BTC instead. I'd start with a little math: captcha solving costs something between $1-$2 per 1000 captchas. 1000 successful requests mean 2.5 BTC when you don't bother to wait. Assuming ~$5/BTC, you make $12.50 while paying $2, resulting in a $10.50 profit. You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them. Probably a good idea is to look around for a good real-time blacklist of proxies and block them. Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.
I'll keep that in mind and maybe I'm gonna implement this tomorrow if the site works fine again..
fffeee (OP)
June 01, 2012, 06:16:47 PM
> > > > > I'm not clear what you're asking here. Are you giving us permission to pentest your website?
> > > > > (And BTW, it returns a 404 right now.)
> > > > I know this, because I'm uploading the new version right now..
> > > > > Are you checking if the 300 seconds passed in your backend? Because if not, then it's simple to create an automated tool. You just need to look at the request that gets sent out.
> > > > Yes, of course I do check it on the backend.. so I don't know how this could even be possible!? I use an IP blacklist now.. maybe it works!?!
> > > I bet the guy was using Tor so an IP blacklist will not work on that, cause the user can change the IP and there are so many nodes, so look into blocking the whole Tor network, I know there's a way to do that.
> > ok.. I'm gonna implement that too.. thanks for your suggestion!
> Also make sure your scripts can only be accessed from other scripts, like it sounds like you just allowed anyone to execute it; you need to use an .htaccess file to make sure only scripts and your site can execute those files individually.
Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..
Nachtwind
June 01, 2012, 06:37:51 PM
> Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..

    function IsTorExitPoint() {
        // TorDNSEL "ip-port" lookup: reversed client IP, the port the client
        // connected to, the reversed server IP, then the exitlist zone.
        // The service answers 127.0.0.2 when the client address is a Tor exit
        // that permits connections to this server IP and port.
        $query = ReverseIPOctets($_SERVER['REMOTE_ADDR']) . "."
               . $_SERVER['SERVER_PORT'] . "."
               . ReverseIPOctets($_SERVER['SERVER_ADDR'])
               . ".ip-port.exitlist.torproject.org";
        // gethostbyname() hands back the unresolved name on failure, so only
        // an exact 127.0.0.2 answer counts as a match.
        return gethostbyname($query) == "127.0.0.2";
    }

    function ReverseIPOctets($inputip) {
        // "1.2.3.4" -> "4.3.2.1" (IPv4 only)
        $ipoc = explode(".", $inputip);
        return $ipoc[3] . "." . $ipoc[2] . "." . $ipoc[1] . "." . $ipoc[0];
    }

Does that one work for you?
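The same lookup the PHP snippet above performs, as an added example in Python (not code from the thread or from the site it discusses). The resolver is passed in as a parameter so the query construction and the 127.0.0.2 match can be exercised offline; make_table_resolver() is a stand-in for DNS used only for that. The query name layout (reversed client IP, the port the client connected to, reversed server IP, zone) is the one the PHP code uses; the zone is a parameter because the ip-port.exitlist.torproject.org service the thread relies on has since been replaced by the Tor Project and a current DNSEL zone would have to be substituted. The sample addresses are RFC 5737 documentation ranges, constructed for the demo.

```python
"""Query a Tor DNS exit list (TorDNSEL) for the requesting address."""
import ipaddress
import socket
from typing import Callable, Dict

TOR_EXIT_ANSWER = "127.0.0.2"          # the answer DNSEL gives for a known exit
DEFAULT_ZONE = "ip-port.exitlist.torproject.org"   # zone used by the PHP snippet


def reverse_octets(ip: str) -> str:
    """'1.2.3.4' -> '4.3.2.1'. Raises ValueError for anything that is not IPv4."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("the ip-port exit list only covers IPv4")
    return ".".join(reversed(str(addr).split(".")))


def dnsel_query_name(client_ip: str, server_port: int, server_ip: str,
                     zone: str = DEFAULT_ZONE) -> str:
    """Build <rev client>.<port>.<rev server>.<zone>, the name the PHP code looks up."""
    return f"{reverse_octets(client_ip)}.{int(server_port)}.{reverse_octets(server_ip)}.{zone}"


def is_tor_exit_dnsel(client_ip: str, server_port: int, server_ip: str,
                      resolve: Callable[[str], str] = socket.gethostbyname,
                      zone: str = DEFAULT_ZONE) -> bool:
    """True only on a positive 127.0.0.2 answer.

    A malformed address, NXDOMAIN or a resolver failure all yield False: the
    check is advisory, and a DNS outage must not lock every visitor out.
    """
    try:
        name = dnsel_query_name(client_ip, server_port, server_ip, zone)
    except ValueError:
        return False
    try:
        return resolve(name) == TOR_EXIT_ANSWER
    except OSError:          # socket.gaierror is a subclass of OSError
        return False


def make_table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for gethostbyname: answers from a dict, raises like NXDOMAIN otherwise."""
    def resolve(name: str) -> str:
        if name not in table:
            raise OSError(f"no such name: {name}")
        return table[name]
    return resolve


if __name__ == "__main__":
    # Constructed data: 192.0.2.10 plays an exit that allows port 80 to our server 198.51.100.1.
    fake_dns = make_table_resolver(
        {dnsel_query_name("192.0.2.10", 80, "198.51.100.1"): TOR_EXIT_ANSWER})
    print(is_tor_exit_dnsel("192.0.2.10", 80, "198.51.100.1", resolve=fake_dns))  # True
    print(is_tor_exit_dnsel("192.0.2.11", 80, "198.51.100.1", resolve=fake_dns))  # False
```

In a request handler the defaults apply and socket.gethostbyname performs the real lookup; the injected resolver exists only so the logic can be tested without network access.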
Bitsky
June 01, 2012, 06:41:28 PM
Or he could just use RBLs provided by SORBS, Spamhaus and EFnet.
Vernon715
June 04, 2012, 12:25:52 AM
> Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..
I think you can find a list if you download the Tor software.
randomproof
June 05, 2012, 07:59:58 PM
I've noticed that the timer was purely in JavaScript, so it was easy to override that with a Firefox extension that allows the user to execute any JavaScript.
Donations to me: 19599Y3PTRF1mNdzVjQzePr67ttMiBG5LS
Vernon715
June 05, 2012, 11:30:50 PM
That is a pretty big hole... Is there a way to move the timer out of java?
01BTC10
June 05, 2012, 11:36:40 PM
nimda
June 05, 2012, 11:57:45 PM
Two vulnerabilities:
1. The user can change the countdown value via Firefox extension or Chrome's developer console.
2. The user can request a CAPTCHA, then send a POST request directly to the server.
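Bitsky's question about checking the 300 seconds in the backend and the two vulnerabilities listed above come down to the same design point: the browser countdown is only a convenience, and the server has to decide the payout from timestamps it recorded itself. The following is an added example in Python, not code from the thread or from the site it discusses, showing one way to do that: a challenge token is issued server-side with its issue time, it is single-use, and the reward tier and cooldown are computed from the server clock alone, so neither editing the JavaScript timer nor POSTing straight after fetching the CAPTCHA shortens the wait. The two reward sizes are the ones quoted in the thread; the 300-second wait, the one-hour cooldown, the token lifetime and every name here are assumptions made for the illustration.

```python
"""Server-side enforcement of a faucet's wait timer and one-shot CAPTCHA challenge."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

WAIT_SECONDS = 300          # wait this long after the challenge for the larger reward
COOLDOWN_SECONDS = 3600     # assumed: one paid claim per address and per IP per hour
TOKEN_TTL_SECONDS = 1800    # assumed: an unused challenge expires after 30 minutes
REWARD_FAST = 0.0025        # immediate claim (value quoted in the thread)
REWARD_WAITED = 0.005       # claim after the full 5 minutes (value quoted in the thread)


@dataclass
class Faucet:
    # Injected clock so the logic can be exercised without sleeping.
    clock: Callable[[], float] = time.time
    _issued: Dict[str, float] = field(default_factory=dict)                  # token -> issue time
    _last_claim: Dict[Tuple[str, str], float] = field(default_factory=dict)  # ("addr"|"ip", value) -> time

    def issue_challenge(self) -> str:
        """Hand out a random single-use token; its issue time is stored only on the server."""
        token = secrets.token_urlsafe(16)
        self._issued[token] = self.clock()
        return token

    def claim(self, token: str, address: str, client_ip: str,
              captcha_ok: bool) -> Tuple[bool, float, str]:
        """Decide a payout request. Returns (accepted, reward, reason)."""
        now = self.clock()
        issued = self._issued.pop(token, None)      # pop: a replayed token is rejected
        if issued is None:
            return False, 0.0, "unknown or already used token"
        if now - issued > TOKEN_TTL_SECONDS:
            return False, 0.0, "token expired"
        if not captcha_ok:
            return False, 0.0, "captcha failed"
        keys = (("addr", address), ("ip", client_ip))
        for key in keys:
            last = self._last_claim.get(key)
            if last is not None and now - last < COOLDOWN_SECONDS:
                return False, 0.0, "cooldown active"
        # The payout tier comes from the server's own timestamps, never from
        # anything the client sent along with the POST.
        reward = REWARD_WAITED if now - issued >= WAIT_SECONDS else REWARD_FAST
        for key in keys:
            self._last_claim[key] = now
        return True, reward, "ok"


if __name__ == "__main__":
    clock = [1000.0]                                 # constructed clock for the demo
    faucet = Faucet(clock=lambda: clock[0])
    token = faucet.issue_challenge()
    print(faucet.claim(token, "1ExampleAddr", "192.0.2.1", True))   # (True, 0.0025, 'ok')
    print(faucet.claim(token, "1ExampleAddr", "192.0.2.1", True))   # replay -> rejected
```

Storing the issue time server-side is what closes the second hole: a client that fetches the CAPTCHA and POSTs immediately still gets only the instant tier, and the per-address and per-IP cooldown bounds how often either tier pays at all.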
fffeee (OP)
June 06, 2012, 10:31:18 AM
Thank you for this.. I'm gonna fix it
drawoc
June 06, 2012, 08:20:14 PM
You can get a list of IP addresses for a ton of Tor exit nodes like this:

    curl http://exitlist.torproject.org/exit-addresses | grep -o -e "ExitAddress [^ ]*" | sed "s/ExitAddress //" > ipban.txt

If you run this in a bash terminal, it'll download a list of Tor exit nodes from the Tor project, format it in a nice, easy-to-use format, and save it to a file named ipban.txt. You might want to set up, e.g., a cron job to run this and update the file every once in a while. Then, you just need to make your script deny anyone with one of these IP addresses. Then, nobody can access your site over Tor. This is what that command gives me at the moment: http://pastebin.com/0iM6GrkM
Donate: 175WNXmJ1WVhFgVGKUqEhYtAQGRYAvqPA
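The curl | grep | sed pipeline in the post above, done as an added Python example (not code from the thread) that keeps a little more of the file: the exit-addresses format groups several lines per relay (ExitNode, Published, LastStatus, then one or more ExitAddress lines), and keeping the fingerprint and last-seen time beside each IP makes a stale or oversized list easier to audit before it goes into a deny rule. The sample text is constructed in that format with RFC 5737 documentation addresses and made-up fingerprints; parse_exit_addresses, is_listed_exit and format_ipban are names chosen for this example.

```python
"""Build an IP deny list from the Tor exit-addresses file."""
import ipaddress
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample in the exit-addresses layout (not real relays).
SAMPLE_EXIT_ADDRESSES = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2012-06-06 14:21:14
LastStatus 2012-06-06 16:00:00
ExitAddress 192.0.2.10 2012-06-06 16:06:12
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2012-06-06 13:02:44
LastStatus 2012-06-06 16:00:00
ExitAddress 198.51.100.7 2012-06-06 16:01:03
ExitAddress 198.51.100.8 2012-06-06 15:58:55
this line is garbage and must be skipped
ExitAddress not-an-ip 2012-06-06 15:58:55
"""


def parse_exit_addresses(text: str) -> Dict[str, Tuple[str, datetime]]:
    """Map each exit IP to (relay fingerprint, last-seen time).

    Only 'ExitAddress' lines carry addresses, and one relay may list several.
    Malformed lines are skipped so one bad line cannot abort the whole update.
    """
    exits: Dict[str, Tuple[str, datetime]] = {}
    fingerprint = None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitNode":
            fingerprint = fields[1]
        elif len(fields) >= 4 and fields[0] == "ExitAddress":
            try:
                ip = str(ipaddress.ip_address(fields[1]))
                seen = datetime.strptime(fields[2] + " " + fields[3], "%Y-%m-%d %H:%M:%S")
            except ValueError:
                continue
            exits[ip] = (fingerprint, seen)
    return exits


def is_listed_exit(client_ip: str, exits: Dict[str, Tuple[str, datetime]]) -> bool:
    """Deny check for the request handler; normalises the address before the lookup."""
    try:
        return str(ipaddress.ip_address(client_ip.strip())) in exits
    except ValueError:
        return False   # garbage in REMOTE_ADDR: not on the list, worth logging upstream


def format_ipban(exits: Dict[str, Tuple[str, datetime]]) -> str:
    """One IP per line in address order, the same shape as the thread's ipban.txt."""
    return "".join(ip + "\n" for ip in sorted(exits, key=ipaddress.ip_address))


def write_ipban(exits: Dict[str, Tuple[str, datetime]], path: str) -> int:
    """Persist the list (e.g. from a cron job) and return how many addresses it holds."""
    with open(path, "w") as fh:
        fh.write(format_ipban(exits))
    return len(exits)


if __name__ == "__main__":
    table = parse_exit_addresses(SAMPLE_EXIT_ADDRESSES)
    print(format_ipban(table), end="")
    print(is_listed_exit("198.51.100.7", table), is_listed_exit("203.0.113.1", table))
```

To use the real list, replace SAMPLE_EXIT_ADDRESSES with the text fetched from the URL in the post above and call write_ipban from the cron job; the request handler then loads ipban.txt into a set and calls is_listed_exit on REMOTE_ADDR.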