Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 3. (Read 7147 times)

sr. member
Activity: 861
Merit: 423
It says
Please provide an eight character alphanumeric password.
But I can set password as "abcdefig"
Requesting users to provide an alphanumeric password is a suggestion for a strong password. But, if someone provides a weak one, it is their choice and we allow it.

Another thing
I just need to put captcha when submitting a ticket. It does not say that you must write subject and description. So people can spam the system by using a bot!
Unless the CAPTCHA is broken, one cannot spam the system using a bot, regardless of whether blank subject/description posts are allowed.
legendary
Activity: 3346
Merit: 3130
As promised, here is the list of bug bounty winners...

MagicSnow (https://bitcointalksearch.org/user/magicsnow-239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1
Bugs Found: XSS, SQLi, Unauthenticated Ticket access, Unauthenticated Order deletion.

seoincorporation (https://bitcointalksearch.org/user/seoincorporation-334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05
Bugs Found: Automated ticket creation; independently found the XSS attack, though MagicSnow PMed it before.

franckuestein (https://bitcointalksearch.org/user/franckuestein-225121) => 0.01
Bugs Found: Spelling Mistake

Roberson (https://bitcointalksearch.org/user/roberson-490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03
Bugs Found: Found a 404 error caused by a broken link

RealPhotoshoper (https://bitcointalksearch.org/user/realphotoshoper-497745) => ? = 0.03
Bugs Found: Blank registration page after wrong input and a Good suggestion for email

At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard from him.

All of them have been paid...

https://blockchain.info/tx/8b8c6380391edd484571722696548710a7c6ebc1f82618dd25507037a0c4fb2b

@PotatoPie Previously we sent you a PM to which you did not reply. We have sent you another PM. If you still do not reply, we cannot reward you any bug bounty. Whoever is finding the bug needs to respond to our PM so that we can fix those issues.

I got the 0.05 payment, thanks to user 100Bitcoin.
hero member
Activity: 896
Merit: 1000
It says
Please provide an eight character alphanumeric password.
But I can set password as "abcdefig"

Another thing
I just need to put captcha when submitting a ticket. It does not say that you must write subject and description. So people can spam the system by using a bot!


@100bitcoin
I think you missed this
sr. member
Activity: 861
Merit: 423
As promised, here is the list of bug bounty winners...

MagicSnow (https://bitcointalksearch.org/user/magicsnow-239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1
Bugs Found: XSS, SQLi, Unauthenticated Ticket access, Unauthenticated Order deletion.

seoincorporation (https://bitcointalksearch.org/user/seoincorporation-334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05
Bugs Found: Automated ticket creation; independently found the XSS attack, though MagicSnow PMed it before.

franckuestein (https://bitcointalksearch.org/user/franckuestein-225121) => 0.01
Bugs Found: Spelling Mistake

Roberson (https://bitcointalksearch.org/user/roberson-490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03
Bugs Found: Found a 404 error caused by a broken link

RealPhotoshoper (https://bitcointalksearch.org/user/realphotoshoper-497745) => ? = 0.03
Bugs Found: Blank registration page after wrong input and a Good suggestion for email

At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard from him.

All of them have been paid...

https://blockchain.info/tx/8b8c6380391edd484571722696548710a7c6ebc1f82618dd25507037a0c4fb2b

@PotatoPie Previously we sent you a PM to which you did not reply. We have sent you another PM. If you still do not reply, we cannot reward you any bug bounty. Whoever is finding the bug needs to respond to our PM so that we can fix those issues.
member
Activity: 97
Merit: 10
Your captcha is too weak and is almost useless for preventing brute-force attacks and attacks like creating lots of tickets, as mentioned above. I would advise using a strong captcha.

It can be easily decoded with any OCR, for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of times.

It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000s of new users, create lots of support tickets, etc.

thanks

How will the attacker create 1000s of new users? It seems email authentication is required to create each user.

Yea, he can't forget about email authentication. But still, this captcha defeats the purpose of using a captcha.

I already mentioned using Tesseract OCR in my list and @OP didn't seem to care. You're 100% correct in saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found, even though they were totally unique from the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.
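As an added example (not code from 100bit.co.in or from any poster), here are the server-side checks whose absence items 3 and 4 above and the blank-subject ticket point earlier in the thread describe: required ticket fields, a per-session CSRF token, and an ownership check before a ticket's status can change (the same pattern applies to deleting an interest). The function names, the in-memory store and the session shape are assumptions.

```python
import hmac
import secrets
# Constructed in-memory store standing in for the site's database (assumption).
_tickets = {}   # ticket_id -> {"owner", "subject", "body", "status"}
_next_id = [1]

def new_session(user):
    # One CSRF token per session; every state-changing form must echo it back.
    return {"user": user, "csrf": secrets.token_hex(16)}

def _check_csrf(session, form):
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        raise PermissionError("missing or invalid CSRF token")

def create_ticket(session, form):
    # A CAPTCHA says nothing about content: require a non-blank subject and
    # description on the server, not only in the HTML form.
    _check_csrf(session, form)
    subject = (form.get("subject") or "").strip()
    body = (form.get("description") or "").strip()
    if not subject or not body:
        raise ValueError("subject and description are required")
    tid = _next_id[0]
    _next_id[0] += 1
    _tickets[tid] = {"owner": session["user"], "subject": subject,
                     "body": body, "status": 1}
    return tid

def change_status(session, form):
    # Reported bug: any ticket could be opened or closed by anyone via a plain
    # GET link. Fix: CSRF token, validated status value, and an ownership check.
    _check_csrf(session, form)
    try:
        tid, status = int(form.get("ticket_id", "")), int(form.get("status", ""))
    except ValueError:
        raise ValueError("ticket_id and status must be integers") from None
    if status not in (0, 1):
        raise ValueError("status must be 0 (closed) or 1 (open)")
    ticket = _tickets.get(tid)
    # Same answer for "no such ticket" and "not yours", so ids cannot be enumerated.
    if ticket is None or ticket["owner"] != session["user"]:
        raise PermissionError("no such ticket")
    ticket["status"] = status
    return status

def ticket_owner(tid):
    return _tickets[tid]["owner"]

def ticket_status(tid):
    return _tickets[tid]["status"]
```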
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/

Yea, he can't forget about email authentication. But still, this captcha defeats the purpose of using a captcha.

Is there some SQL injection possible at the email authentication link? It seems another user was talking about it, or is that fixed now?

I am not aware whether it was there before or not, but it seems to be fixed now.
member
Activity: 144
Merit: 17

Yea, he can't forget about email authentication. But still, this captcha defeats the purpose of using a captcha.

Is there some SQL injection possible at the email authentication link? It seems another user was talking about it, or is that fixed now?
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
Your captcha is too weak and is almost useless for preventing brute-force attacks and attacks like creating lots of tickets, as mentioned above. I would advise using a strong captcha.

It can be easily decoded with any OCR, for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of times.

It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000s of new users, create lots of support tickets, etc.

thanks

How will the attacker create 1000s of new users? It seems email authentication is required to create each user.

Yea, he can't forget about email authentication. But still, this captcha defeats the purpose of using a captcha.
member
Activity: 144
Merit: 17
Your captcha is too weak and is almost useless for preventing brute-force attacks and attacks like creating lots of tickets, as mentioned above. I would advise using a strong captcha.

It can be easily decoded with any OCR, for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of times.

It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000s of new users, create lots of support tickets, etc.

thanks

How will the attacker create 1000s of new users? It seems email authentication is required to create each user.
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
Also there is a full path disclosure vulnerability in captcha.php

If you save the captcha image from this page and view it in a hex editor, you can see the complete server path to the file.
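An added example, not part of this post or of the site: a small PNG chunk walker that flags path-like strings in tEXt, zTXt and iTXt metadata, which is how an operator can check generated captcha images for this kind of disclosure before serving them. The sample image is constructed inline, and the path regex is a heuristic; the function names are assumptions.

```python
import re
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic for absolute Unix or Windows paths inside metadata text (assumption).
PATH_RE = re.compile(rb"/(?:var|home|usr|srv|opt)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+")

def png_chunks(data):
    # Yield (type, payload) for each chunk, checking the signature and every CRC.
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length

def leaked_paths(data):
    # Text metadata lives in tEXt (plain), zTXt (zlib) and iTXt (optionally zlib).
    found = []
    for ctype, payload in png_chunks(data):
        key, _, rest = payload.partition(b"\x00")
        if ctype == b"tEXt":
            text = rest
        elif ctype == b"zTXt":
            text = zlib.decompress(rest[1:])          # skip compression-method byte
        elif ctype == b"iTXt":
            flag, rest = rest[0], rest[2:]             # compression flag + method
            _lang, _, rest = rest.partition(b"\x00")
            _tkey, _, text = rest.partition(b"\x00")
            text = zlib.decompress(text) if flag else text
        else:
            continue
        found += [m.decode("latin-1") for m in PATH_RE.findall(key + b"\x00" + text)]
    return found

def make_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def sample_png(comment):
    # Constructed 1x1 greyscale PNG carrying a tEXt "Comment" chunk (test input).
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter byte + one 8-bit grey pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", b"Comment\x00" + comment)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
```

Run `leaked_paths` over a captcha image saved from the site and any non-empty result is a string to strip from the generator's output.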



full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
Your captcha is too weak and is almost useless for preventing brute-force attacks and attacks like creating lots of tickets, as mentioned above. I would advise using a strong captcha.

It can be easily decoded with any OCR, for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of times.

It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000s of new users, create lots of support tickets, etc.

thanks
legendary
Activity: 1050
Merit: 1001
Received my payment, thanks! Good luck with your business!
hero member
Activity: 896
Merit: 1000
It says
Please provide an eight character alphanumeric password.
But I can set password as "abcdefig"

Another thing
I just need to put captcha when submitting a ticket. It does not say that you must write subject and description. So people can spam the system by using a bot!
sr. member
Activity: 861
Merit: 423
As promised, here is the list of bug bounty winners...

MagicSnow (https://bitcointalksearch.org/user/magicsnow-239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1
Bugs Found: XSS, SQLi, Unauthenticated Ticket access, Unauthenticated Order deletion.

seoincorporation (https://bitcointalksearch.org/user/seoincorporation-334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05
Bugs Found: Automated ticket creation; independently found the XSS attack, though MagicSnow PMed it before.

franckuestein (https://bitcointalksearch.org/user/franckuestein-225121) => 0.01
Bugs Found: Spelling Mistake

Roberson (https://bitcointalksearch.org/user/roberson-490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03
Bugs Found: Found a 404 error caused by a broken link

RealPhotoshoper (https://bitcointalksearch.org/user/realphotoshoper-497745) => ? = 0.03
Bugs Found: Blank registration page after wrong input and a Good suggestion for email

At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard from him.
sr. member
Activity: 861
Merit: 423
Earlier you said you will give me a small bounty, now saying nothing, which isn't good for a site owner. Well, have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty?

Thanks

XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.

But when will we get it? What are we waiting for?

Payment will be sent to all together after fixing those issues. At this moment some of the issues are solved and we are PMing those who raised it. After resolution of the raised bugs everyone will be paid together.
legendary
Activity: 3346
Merit: 3130
Earlier you said you will give me a small bounty, now saying nothing, which isn't good for a site owner. Well, have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty?

Thanks

XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.

But when will we get it? What are we waiting for?
member
Activity: 97
Merit: 10
Earlier you said you will give me a small bounty, now saying nothing, which isn't good for a site owner. Well, have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty?

Thanks

XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.

If you read over my list, you'd see a few.
sr. member
Activity: 861
Merit: 423
Earlier you said you will give me a small bounty, now saying nothing, which isn't good for a site owner. Well, have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty?

Thanks

XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded bounty. That is why I am pointing to the order execution page on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
Earlier you said you will give me a small bounty, now saying nothing, which isn't good for a site owner. Well, have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty?

Thanks

legendary
Activity: 1050
Merit: 1001
Earlier you said you will give me a small bounty, now saying nothing, which isn't good for a site owner. Well, have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty?

Thanks