whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 04, 2014, 07:35:20 PM (Last edit: December 04, 2014, 09:44:46 PM by whitewhidow)

quick update. on mobile, not much time.
implemented withdrawals and deposits. haven't deployed yet. i will this evening or tomorrow.
thx

TO WHOEVER STOL MY ACCOUNT AND WAS NOW USING IT AS HIS OWN, FCK OFF PLEASE - The REAL WHITEWHIDOW
Decksperiment
December 04, 2014, 09:54:30 PM

> on mobile again: so in short again: sorry for the typo. will be fixed. db is on a diff server. the phpmyadmin you found does not hold the betting data. server setting will be fixed. but regarding the php session id in the cookie, that's normal? same with fb, prime, etc? i really dislike the win8 metro look actually. and regarding the 60% chance and winning 1 satoshi: is this not the same at prime? it seems im getting the same results there? thx. i guess the question is: is 0.00000001 X 1.7 = 0.00000001 or 0.00000002? will post more elaborate response when im in the office.
> edit: looking at previous rolls: lol @ user "test41241' OR 1=1; --".
> edit: how many times the signup bonus should be required to withdraw (to prevent abusing the bonus)? at prime its like x200 or something i believe.

The guy who pointed out the myAdminphp link should be paid attention to, as a bruteforce of password using pyrit/cuda would reveal more than you think.. in fact, all that you see..?
Edit, sorry, was focusing on news. The guy who pointed out the phpMYadmin is correct, as I can rip anyone's password using cowpatty piped through my cuda based pyrit (no password list) in around a day.. A password to myadmin gives complete opportunity to change anything at will.. you do like your site, no?
hexafraction
Sr. Member, Activity: 392, Merit: 268
Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ
December 04, 2014, 11:13:18 PM

Hmm, a monetary site with no visible way to change a password or reset a password via email? It would be nice for that functionality to exist, so that there are fewer risks of loss of money.
BGkockata
Member, Activity: 70, Merit: 10
December 04, 2014, 11:25:46 PM

> Hmm, a monetary site with no visible way to change a password or reset a password via email? It would be nice for that functionality to exist, so that there are fewer risks of loss of money.

also add 2fa verify
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 05, 2014, 09:52:26 AM

> Hmm, a monetary site with no visible way to change a password or reset a password via email? It would be nice for that functionality to exist, so that there are fewer risks of loss of money.

the phpmyadmin will be hidden soon, but like i said, it's the phpmyadmin for a different server.. 2-way auth will be added as well, and regarding the email address, i'll make it so it's optional, so you can set one IF you want, in case of pass resets if forgotten, and the ability to change your pass when logged in. just woke up. will be starting work in a few hours. will deploy asap
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 05, 2014, 12:36:27 PM

Update
deposit and withdrawal are finished, but disabled atm (you won't see the buttons, only specific users will...)
profile page is done, will let you change your password, email address and bitcoin payout wallet.

113ef50 layout and type fixes + missing url
1f854b8 fixes
7755abe more withdraw stuff
aa3d268 change wallet id via profile
a34j268 change email via profile
8f0d478 change password via profile
0322c64 more on withdraw
d4ba0af more on withdrawals
7e61540 link to hash info page, on transactions page
7998ff3 deposit fix
589b719 many changes + more deposit stuff
2277e2c many changes + more deposit stuff
ed3aaff many changes + start deposit stuff
Decksperiment
December 05, 2014, 02:25:09 PM

change the name of your phpMyAdmin, and the index.php within said folder, to secure it.. Oh, and remove it from your root directory, it doesn't need to be in the root to work
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 05, 2014, 02:53:23 PM

> change the name of your phpMyAdmin, and the index.php within said folder, to secure it.. Oh, and remove it from your root directory, it doesn't need to be in the root to work

phpmyadmin has been secured. I've also added google authenticator!
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 05, 2014, 03:01:58 PM (Last edit: December 05, 2014, 06:43:23 PM by whitewhidow)

Also, hexa, can you pm me the name of one of your test accounts on the site, so i can start making preparations for the testing of the transactions? i will disable them for all users except the ones i choose.
EDIT: just deployed some significant design changes, working on ajax now
EDIT: just added an ajax implementation, check it out and see if you guys like it ..
also, i know that error reporting is broken atm, due to the ajax, so i'll get to that very soon (bet too small or big will not give a visual error atm)
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 06, 2014, 10:10:46 AM

update: i won't be working much this weekend so i'll see you guys monday!
no feedback on the new design and ajax implementation?
thx
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 06, 2014, 06:19:43 PM

> update: i won't be working much this weekend so i'll see you guys monday!
> no feedback on the new design and ajax implementation?
> thx

decided to work after all. more changelog:
- security changes
- confirm 2-fa auth code before actually enabling 2-fa
- added "points"
- changes to deposit modal
- dont allow faucet if balance > 0
- faucet added
- blockchain api fixes
- info on transactions screen
- withdrawal iframe changes
- ajax betting errors fixed
- stay informed option on profile
- massive ajax changes
BGkockata
Member, Activity: 70, Merit: 10
December 06, 2014, 06:47:03 PM

> decided to work after all. more changelog: security changes, confirm 2-fa auth code before actually enabling 2-fa, added "points", changes to deposit modal, dont allow faucet if balance > 0, faucet added, blockchain api fixes, info on transactions screen, withdrawal iframe changes, ajax betting errors fixed, stay informed option on profile, massive ajax changes

Will I be rewarded for giving my opinions & helping u?
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 06, 2014, 07:01:00 PM

> Will I be rewarded for giving my opinions & helping u?

for opinions, no, because everyone has them. For helping? Well, like I stated in my first post, anyone who finds a bug gets rewarded; other than that, any info provided to me that i feel is substantial gets a reward.
BGkockata
Member, Activity: 70, Merit: 10
December 06, 2014, 09:18:50 PM

> for opinions, no, because everyone has them. For helping? Well, like I stated in my first post, anyone who finds a bug gets rewarded; other than that, any info provided to me that i feel is substantial gets a reward.

okay
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 06, 2014, 09:25:43 PM

im liking the new design, really starting to look nice he
BGkockata
Member, Activity: 70, Merit: 10
December 06, 2014, 09:30:41 PM

> im liking the new design, really starting to look nice he

told you to do it! also told u the 2fa thing, is it going to be ready soon?
PotatoPie
Member, Activity: 97, Merit: 10
December 07, 2014, 07:01:05 AM

Vulnerabilities ^_^:
-> XSS (Cross site scripting) in the change seed thingie: "><script>alert(document.cookie)</script>. There is also no CSRF protection on this either. Video: http://gyazo.com/9eaa38097d913eb8b78cd957a94e607e

Possible places for vulnerabilities:
-> On the withdraw page, you've got 2 post variables, userAmount and realAmount. It seems that you validate userAmount but not realAmount. I can't test it as I cbf depositing $3 into your site, but just make sure that the user can't put userAmount = 0.01 and realAmount = 5 and it will send them 5 BTC, sort of thing. I doubt you can, but just a heads up.
-> You're able to do negative numbers on roll amounts. Although this probably wouldn't change anything, there isn't any validation for this.

Silly errors:
-> 0.00000100 BTC divided by 2 doesn't equal 5.70000000. Video: http://gyazo.com/323eeb6bcc6deef1035005d2ea9b2300

Suggestions:
-> Require a minimum password length. I could have one character and it would accept it. This is just in case of a DB leak, although it's not going to really help that much.
-> Cloudflare would probably be good.

BTC Address: 13mUzcjYysbgNWstbasJ3PVkPB2nCUEqFg
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 07, 2014, 11:50:43 AM

> Vulnerabilities ^_^:
> -> XSS (Cross site scripting) in the change seed thingie: "><script>alert(document.cookie)</script>. There is also no CSRF protection on this either. Video: http://gyazo.com/9eaa38097d913eb8b78cd957a94e607e
>
> Possible places for vulnerabilities:
> -> On the withdraw page, you've got 2 post variables, userAmount and realAmount. It seems that you validate userAmount but not realAmount. I can't test it as I cbf depositing $3 into your site, but just make sure that the user can't put userAmount = 0.01 and realAmount = 5 and it will send them 5 BTC, sort of thing. I doubt you can, but just a heads up.
> -> You're able to do negative numbers on roll amounts. Although this probably wouldn't change anything, there isn't any validation for this.
>
> Silly errors:
> -> 0.00000100 BTC divided by 2 doesn't equal 5.70000000. Video: http://gyazo.com/323eeb6bcc6deef1035005d2ea9b2300
>
> Suggestions:
> -> Require a minimum password length. I could have one character and it would accept it. This is just in case of a DB leak, although it's not going to really help that much.
> -> Cloudflare would probably be good.

i'll add a token and a sanitiser to the clientseed form today.
regarding the useramount: all calculations and processes are based on useramount, so if useramount is messed with it doesn't really matter. it gets displayed, and is an input, yes, but does not get processed. (haven't watched videos yet, im on mobile atm) so i'll address those as soon as i can.
pass length: you're 100% right.
i'll add you to the list of rewards and i'll reply regarding the videos when i get to the office. thx
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 08, 2014, 10:34:35 AM

changes:
- seedForm is sanitised upon submit
- hide seedform between roll and next roll (did not make sense changing seed when looking at result)
- username minimum 6 chars
- passwords minimum 8 chars
- added captcha to faucet

i think we are going to be ready pretty soon ...
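PotatoPie's report (XSS and no CSRF token on the change-seed form, an unvalidated `realAmount` beside the validated `userAmount`, negative roll amounts accepted, no minimum password length) and the OP's two fix posts (token plus sanitiser on the seed form, 6-character usernames, 8-character passwords) describe the same set of server-side checks; the thread's earlier "is 0.00000001 X 1.7 0.00000001 or 0.00000002" and "0.00000100 BTC divided by 2 doesn't equal 5.70000000" point at a related problem, doing money arithmetic in floating point. The block below is an added example that is not the site's code: it implements those checks generically in Python, with the session and form passed in as plain dicts. The function names, the 64-character alphanumeric seed whitelist, the `csrf_token` field name and the round-down rule for fractional satoshi are assumptions of the example.

```python
import hmac
import html
import secrets
from decimal import Decimal, InvalidOperation, ROUND_DOWN

SATOSHI = Decimal("0.00000001")
MIN_USERNAME_LEN = 6   # from the thread's changelog
MIN_PASSWORD_LEN = 8   # from the thread's changelog
SEED_ALLOWED = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


class ValidationError(ValueError):
    """Raised for any request the server refuses to act on."""


# --- CSRF: one random token per session, echoed back by every state-changing form ---
def issue_csrf_token(session: dict) -> str:
    token = secrets.token_urlsafe(32)
    session["csrf"] = token        # kept server-side; rendered into the form as a hidden field
    return token


def check_csrf(session: dict, form: dict) -> bool:
    expected = session.get("csrf")
    supplied = form.get("csrf_token", "")
    # compare_digest: a wrong token takes the same time whatever prefix matches
    return bool(expected) and hmac.compare_digest(expected, supplied)


# --- client seed: whitelist on input, escape on output ---
def handle_change_seed(session: dict, form: dict) -> str:
    if not check_csrf(session, form):
        raise ValidationError("missing or wrong CSRF token")
    seed = form.get("seed", "")
    if not 1 <= len(seed) <= 64 or not set(seed) <= SEED_ALLOWED:
        raise ValidationError("seed must be 1-64 alphanumeric characters")
    session["client_seed"] = seed
    return seed


def render_seed_field(seed: str) -> str:
    # Escape at output time too, so a value that bypassed the whitelist
    # (e.g. written straight into the database) still cannot close the attribute.
    return '<input name="seed" value="{}">'.format(html.escape(seed, quote=True))


# --- money: integer satoshi only, no negatives, no trust in client-side totals ---
def parse_btc_to_sat(text: str) -> int:
    try:
        amount = Decimal(text)
        rounded = amount.quantize(SATOSHI) if amount.is_finite() else None
    except (InvalidOperation, TypeError):
        raise ValidationError("amount is not a valid number")
    if rounded is None or rounded != amount:
        raise ValidationError("amount must have at most 8 decimal places")
    sat = int(amount / SATOSHI)    # exact: amount is a whole multiple of one satoshi
    if sat <= 0:
        raise ValidationError("amount must be positive")
    return sat


def handle_bet(session: dict, form: dict, balance_sat: int, multiplier: Decimal):
    """Return (bet_sat, payout_sat). A realAmount field in the form, if present,
    is never read: only the validated userAmount drives the payout."""
    if not check_csrf(session, form):
        raise ValidationError("missing or wrong CSRF token")
    bet = parse_btc_to_sat(form.get("userAmount", ""))
    if bet > balance_sat:
        raise ValidationError("insufficient balance")
    # Assumed house rule: fractional satoshi round down, so 1 sat x 1.7 pays 1 sat.
    payout = int((Decimal(bet) * multiplier).to_integral_value(rounding=ROUND_DOWN))
    return bet, payout


def validate_signup(username: str, password: str) -> bool:
    if len(username) < MIN_USERNAME_LEN:
        raise ValidationError("username must be at least %d characters" % MIN_USERNAME_LEN)
    if len(password) < MIN_PASSWORD_LEN:
        raise ValidationError("password must be at least %d characters" % MIN_PASSWORD_LEN)
    return True
```

Two design points worth noting. The seed is both whitelisted on the way in and escaped on the way out; either alone is a single point of failure, and the `html.escape(..., quote=True)` call is what neutralises the `"><script>` payload from the report inside a `value="..."` attribute. Amounts are parsed with `Decimal` and converted to an integer satoshi count before any arithmetic, which is why `0.00000100 / 2` comes out as exactly 50 satoshi rather than a binary-float approximation, and a negative or sub-satoshi amount is rejected before it can reach a balance update.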
whitewhidow (OP)
Member, Activity: 112, Merit: 10
December 08, 2014, 05:10:57 PM

UPDATE: all accounts, rolls and stats have been cleared, will now start testing the withdrawals with hexafraction
If all goes well we will be live before the end of this week !