Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 4. (Read 7137 times)

I think OP already stated it before...

And when you will pay the bounty  more than 1 day waiting now...

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list ?

Earlier u said u will give me small bounty, now saying nothing, isnt good for a site owner, well have a good day !

1. The captcha could easily be detected by using OCT Tesseract, so that's completely useless.
2. http://www.100bit.co.in/authenticate.php?user_id=" (SQLi)
3. No CSRF protection anywhere
4. Vulnerable to clickjacking.
5. Modifying currency / country in settings so that the value = A string that breaks SQLi http://gyazo.com/70267440848463cbe9cf22e38fdc08cd (Not sanitized) so another SQLi here. Shows this SQLi on trade page.
6. "Name" on settings page vulnerable to XSS.
7. Shouldn't allow negative currencies http://gyazo.com/509791dd4e4fc300272d26e936cbcb12 . Massive issues could arise later on.
8. Payment mode on the orders page is vuln to persistent XSS.
9. By the looks of it, you can delete others buy orders http://www.100bit.co.in/order.php?mode=del&type=Buy&order_id=[orderid]
10. Persistent XSS in orders page by editing currency or country POST fields.
11. SQLi in trade page in post vars order and field. Escaping a string is not sufficient here as you're allowing the the person to chose the MySQL column. NEVER ALLOW THE CLIENT ACCESS TO ANYTHING THAT NEEDS TO BE DONE SERVER SIDED.
12.  About Me in settings allows HTML, leads to XSS and other things such as good old iframing -> clickjacking on your site.
13. You can see everyone elses ticket IDs http://www.100bit.co.in/reply.php?ticket_id=[ticketid] and reply to them
14. XSS on the reply field of the ticket system.
15. The verify email token is an encrypted text that you obviously try to decrypt (I can see in the SQLi in authenticate.php). Don't have any tokens that contain informative values in them.

I think I'll finish up there, I could probably continue and find even more. The site is heavily vulnerable and I would highly suggest allowing legitimate trading on it until all issues are fixed. I'd also suggest you use a PHP Framework such as laravel as you're not quite proficient in security with basic PHP.

Regards,
PotatoPie.

XSS attack & SQL injection problem on all pages are already known and those bounties will go for mainly to MagicSnow & partly to seoincorporation. Requesting everyone to find some other bug.

In http://www.100bit.co.in/settings.php

the name testbox is also vulnerable to xss

if you enter


you will be able to see prompt

By order execution I think you mean the order.php page??? If yes there is XSS in that page

http://www.100bit.co.in/order.php


Here when you will POST this data you will see prompt "14", "15" and "16" which proves there is XSS in params => currency, order_country and order_payment_mode.





Please let me know do this qualify for bounty if its unreported vuln?

so how we will know about the bug that will get 0.10BTC bounty?
i also register there but did not get confirmation email from 2 hours of waiting?

100bit.co.in does not require your fund to stay deposited in any site wallet. User just needs to deposit fund only when a trade is in progress. That is why, as a seller, you'll get a deposit address only when you start a trade with someone. As soon as the trade is over, i.e. you accept receiving FIAT/Alt coin from the buyer, your fund will be released and go to buyer's bitcoin address. So, in case of any security breach, you will remain unaffected unless you are doing trade exactly at that moment.

Ok, but the title say "Earn up to 0.1 BTC for finding bugs", i really want to know how much i will get for my reported bugs? and if i found more bugs how much more i will get?

Have a great Easter.

anyone can say me that how can i deposit funds in it

No need to worry about payment. As already stated to some of you in the PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to all together after fixing those issues. It is good if you can find more bugs in the mean time.

no one get paid? okay i would suggest you op to use escrow , so no one worry about scamming or something else.

Well for instance you should add Spain and Romania aswell, Poland is there thats why i was confused about Europe. So you should add all the countries in europe

No bounty yet received !

i have try your site, register and i have found this ,



maybe you can use NOREPLY email, so no one will reply to those mail.

also i found this,

 while i input wrong captcha the form that i have filled got blank form again.At the moment we register a site using the form , when there is an error ( eg, the desired user name is already used ) , then we returned to the original register page with an error message . If you notice , all the forms are pre-filled automatically repopulate so we do not need to input all the forms , but just fix the wrong section .

Form filled itself will greatly help the user to correct the wrong form field . Imagine if we fill out a form with 15 input box , only then forced to enter again all the input boxes for one fill date format on one input people will lazy to filled out the form again you can utilizing the $ _GET variable and headers function header.

seems a good site...its easy and smooth with using but i cant find the deposit or withdrawl button on my whole account...is it a bug or it is not set till now?and i cannt find any market too?otherwise it is cool..

I still waiting the payment, how much i will get for my reported bugs?