Pages:
Author

Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 4. (Read 7147 times)

sr. member
Activity: 311
Merit: 264
Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day !

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ?

And when you will pay the bounty  Undecided more than 1 day waiting now...

I think OP already stated it before...

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.
legendary
Activity: 3346
Merit: 3130
Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day !

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ?

And when you will pay the bounty  Undecided more than 1 day waiting now...
sr. member
Activity: 861
Merit: 423
Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day !

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ?
sr. member
Activity: 861
Merit: 423
newbie
Activity: 42
Merit: 0
Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day !
member
Activity: 97
Merit: 10
1. The captcha could easily be detected by using OCT Tesseract, so that's completely useless.
2. http://www.100bit.co.in/authenticate.php?user_id=" (SQLi)
3. No CSRF protection anywhere
4. Vulnerable to clickjacking.
5. Modifying currency / country in settings so that the value = A string that breaks SQLi http://gyazo.com/70267440848463cbe9cf22e38fdc08cd (Not sanitized) so another SQLi here. Shows this SQLi on trade page.
6. "Name" on settings page vulnerable to XSS.
7. Shouldn't allow negative currencies http://gyazo.com/509791dd4e4fc300272d26e936cbcb12 . Massive issues could arise later on.
8. Payment mode on the orders page is vuln to persistent XSS.
9. By the looks of it, you can delete others buy orders http://www.100bit.co.in/order.php?mode=del&type=Buy&order_id=[orderid]
10. Persistent XSS in orders page by editing currency or country POST fields.
11. SQLi in trade page in post vars order and field. Escaping a string is not sufficient here as you're allowing the the person to chose the MySQL column. NEVER ALLOW THE CLIENT ACCESS TO ANYTHING THAT NEEDS TO BE DONE SERVER SIDED.
12.  About Me in settings allows HTML, leads to XSS and other things such as good old iframing -> clickjacking on your site.
13. You can see everyone elses ticket IDs http://www.100bit.co.in/reply.php?ticket_id=[ticketid] and reply to them
14. XSS on the reply field of the ticket system.
15. The verify email token is an encrypted text that you obviously try to decrypt (I can see in the SQLi in authenticate.php). Don't have any tokens that contain informative values in them.

I think I'll finish up there, I could probably continue and find even more. The site is heavily vulnerable and I would highly suggest allowing legitimate trading on it until all issues are fixed. I'd also suggest you use a PHP Framework such as laravel as you're not quite proficient in security with basic PHP.

Regards,
PotatoPie.

sr. member
Activity: 861
Merit: 423
XSS attack & SQL injection problem on all pages are already known and those bounties will go for mainly to MagicSnow & partly to seoincorporation. Requesting everyone to find some other bug.
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
In http://www.100bit.co.in/settings.php

the name testbox is also vulnerable to xss

if you enter

Code:
sbank">

you will be able to see prompt

full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
I found an xss in your website and maybe an sqli too..... So are there already reported and you are in process of patching those or they are not reported???

Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM.

It seems, no one has found any problem in order execution so far. Would like to hear about testing report of that part...


By order execution I think you mean the order.php page??? If yes there is XSS in that page

http://www.100bit.co.in/order.php
Code:
POST params:  order_type=Buy&order_amt_in_btc=123""">&order_amt_in_currency=aaa""">¤cy=aaa""">&order_country=aaa""">&order=Post+Order&order_payment_mode=aaa""">


Here when you will POST this data you will see prompt "14", "15" and "16" which proves there is XSS in params => currency, order_country and order_payment_mode.





Please let me know do this qualify for bounty if its unreported vuln?
legendary
Activity: 1050
Merit: 1000
I still waiting the payment, how much i will get for my reported bugs?

No bounty yet received !

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.

Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get?

Have a great Easter.
so how we will know about the bug that will get 0.10BTC bounty?
i also register there but did not get confirmation email from 2 hours of waiting?
sr. member
Activity: 861
Merit: 423
seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool..

anyone can say me that how can i deposit funds in it

100bit.co.in does not require your fund to stay deposited in any site wallet. User just needs to deposit fund only when a trade is in progress. That is why, as a seller, you'll get a deposit address only when you start a trade with someone. As soon as the trade is over, i.e. you accept receiving FIAT/Alt coin from the buyer, your fund will be released and go to buyer's bitcoin address. So, in case of any security breach, you will remain unaffected unless you are doing trade exactly at that moment.
legendary
Activity: 3346
Merit: 3130
I still waiting the payment, how much i will get for my reported bugs?

No bounty yet received !

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.

Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get?

Have a great Easter.
full member
Activity: 154
Merit: 100
anyone can say me that how can i deposit funds in it
sr. member
Activity: 861
Merit: 423
I still waiting the payment, how much i will get for my reported bugs?

No bounty yet received !

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.
legendary
Activity: 1050
Merit: 1001
no one get paid? okay i would suggest you op to use escrow , so no one worry about scamming or something else.
hero member
Activity: 1624
Merit: 645
Im on the phone so i dont know if the site is optimized for mobiles im on iphone but everytime i login and i have to type the captcha it always says wrong captcha the first time then the second time it works, ive tried it 6 times and its always the same, the first time it says incorrect captcha then it works

100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile.

In the country selection option why are there so little countries to chose from? And why it says europe as a country

We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP.

Well for instance you should add Spain and Romania aswell, Poland is there thats why i was confused about Europe. So you should add all the countries in europe
newbie
Activity: 42
Merit: 0
No bounty yet received !
legendary
Activity: 1050
Merit: 1001
i have try your site, register and i have found this ,



maybe you can use NOREPLY email, so no one will reply to those mail.

also i found this,

 while i input wrong captcha the form that i have filled got blank form again.At the moment we register a site using the form , when there is an error ( eg, the desired user name is already used ) , then we returned to the original register page with an error message . If you notice , all the forms are pre-filled automatically repopulate so we do not need to input all the forms , but just fix the wrong section .

Form filled itself will greatly help the user to correct the wrong form field . Imagine if we fill out a form with 15 input box , only then forced to enter again all the input boxes for one fill date format on one input people will lazy to filled out the form again you can utilizing the $ _GET variable and headers function header.
full member
Activity: 154
Merit: 100
seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool..
legendary
Activity: 3346
Merit: 3130
I still waiting the payment, how much i will get for my reported bugs?
Pages:
Jump to: