Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 5. (Read 7147 times)

sr. member
Activity: 861
Merit: 423
I'm on the phone so I don't know if the site is optimized for mobiles. I'm on iPhone, but every time I log in and have to type the captcha, it always says wrong captcha the first time, then the second time it works. I've tried it 6 times and it's always the same: the first time it says incorrect captcha, then it works.

100bit.co.in is optimized for mobile view and CAPTCHA should behave the same way on laptop as well as on mobile.

In the country selection option, why are there so few countries to choose from? And why does it say Europe is a country?

We wanted to cover EURO as a currency and hence added Europe as a country. Once the technical glitches get fixed, more countries & currencies will be added gradually. If you find your country/currency is missing, you may inform us here. We will add it ASAP.
legendary
Activity: 1960
Merit: 1130
Truth will out!
Can you please tell us which buy orders text box you mean here? Is it the Preferred payment mode you are talking about?

I'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection.

Yes, what I was saying is that the problem wasn't just on the buy-order text box or in the About me box from your site; it was on the support zone of 100bit.co.in, too.



Can you please re-create this situation and PM me the login credentials for which you are facing this problem? In fact, the ID is generated only after registration. At the time of registration, the user can enter name & email ID.

OK, now I tried to log in with a random ID and the log-in form returns only this message:
You have entered wrong login credentials or your account is not activated.

IMO, now it's ok, because then I logged in with the correct credentials and it's working.

Cheers!
sr. member
Activity: 861
Merit: 423
Your site is looking great. Well, I checked the site but unfortunately I found no bug, and that means your site is out of bugs. The users above found the bugs; beyond that I can't find any. As it is a buying/selling platform you should add 2FA or something else. I see that it is not so protected, and the security level is too low. Also, I just registered my account but now I'm unable to log in, don't know why. I don't know whether that's a bug or what it is.

1. 2FA might be implemented after some time. I would like to mention here that 100bit.co.in does not require your funds to stay deposited in any site wallet. Users need to deposit funds only when a trade is in progress. So, even if your account is compromised when you are not doing a trade, it will not affect you financially.

2. If you have registered an account, you need to authenticate it by clicking a link sent to your email ID. If you have forgotten your password, you may recover it through your authenticated email ID.
sr. member
Activity: 861
Merit: 423

This is not a bug, but first of all, take a look at the "Lost you password" page. There's a mistake because it's Forgot Password and not Forgot Passowrd (in the header and in the button).


Thanks for pointing out. Should be fixed by now.


Then, once I registered my account, I received two direct messages on my mail account; you have to solve this automated messages problem. Maybe people receive more than one when they submit the registration form.

This is because you clicked the authentication link twice. We prefer to keep it this way, because if for some reason the mail function does not work on the first click, the recipient can click it again to get his/her "Account Creation" mail.


Another thing:
If you try to log in with the ID that you wrote on the registration form and not with the ID specified in the email, you're going to see this warning:


"The email address is already registered with us"
This message is the one that pops up when you try to register with an email address that's been registered before, not when you try to log in.

As well, IMO users have to be able to log in with their ID and not with the code (numbers) that they receive in their mail account.

Can you please re-create this situation and PM me the login credentials for which you are facing this problem? In fact, the ID is generated only after registration. At the time of registration, the user can enter name & email ID.
newbie
Activity: 42
Merit: 0
ERROR FOUND!

http://www.100bit.co.in/recover.php

When you enter an email which doesn't already exist (no account made using it), it says error; instead it should say "no account found with this email".

I get this page when I enter a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw

Did you check the error I reported? Will I get my bounty?

Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end?

Yes, it looks fixed now; the same page is there, so it's good now. Waiting for bounty.
sr. member
Activity: 861
Merit: 423
ERROR FOUND!

http://www.100bit.co.in/recover.php

When you enter an email which doesn't already exist (no account made using it), it says error; instead it should say "no account found with this email".

I get this page when I enter a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw

Did you check the error I reported? Will I get my bounty?

Yes. There was a small glitch here, which is now fixed. You will get some bounty for finding this out. Can you please confirm that this issue is not appearing anymore at your end?
newbie
Activity: 42
Merit: 0
Did you check the error I reported? Will I get my bounty?
sr. member
Activity: 861
Merit: 423
I found an XSS in your website and maybe an SQLi too... So are they already reported and you are in the process of patching them, or are they not reported?

Yes... we already have reports of the XSS and SQL injection problem. Still we would like to know which SQL injection problem you have found. You may post here or PM.

It seems no one has found any problem in order execution so far. We would like to hear a testing report on that part...
full member
Activity: 168
Merit: 100
I found an XSS in your website and maybe an SQLi too... So are they already reported and you are in the process of patching them, or are they not reported?
legendary
Activity: 3346
Merit: 3130

I've tried to put the simple code that @seoincorporation shared before, and you can inject code while submitting a ticket to 100bit support. So that's a problem that isn't just in the "About me" and buy orders text box. Revise it to secure your webpage.



Hope to help you!
Good luck 100bit team!

Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text boxes. All of them will be fixed ASAP.

Can you please tell us which buy orders text box you mean here? Is it the Preferred payment mode you are talking about?



http://i62.tinypic.com/vq5jlf.png

I'm talking about the "Preferred payment mode" input. franckuestein must be talking about that section too... but in the screenshot we see the ticket code injection.
newbie
Activity: 42
Merit: 0
ERROR FOUND!

http://www.100bit.co.in/recover.php

When you enter an email which doesn't already exist (no account made using it), it says error; instead it should say "no account found with this email".

I get this page when I enter a non-registered email - http://www.100bit.co.in/error404.php

btc address - 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw
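The recover.php report above (an unregistered address ending up on error404.php) is an unhandled lookup failure. The reporter asks for a "no account found with this email" message instead; the usual caution from a defender's side is that such a message tells anyone which addresses hold accounts. The following is an added example, not 100bit.co.in's code and not its actual fix (the thread does not show it), written in Python rather than the site's PHP so it runs stand-alone: the handler never raises on an unknown address, answers identically whether or not the address is registered, logs the difference server-side only, and issues a single-use, expiring reset token. The user store, token format, audit list and mail outbox are constructed stand-ins.

```python
"""Password-recovery handler that does not fail on unknown addresses and
answers the same way whether or not the address is registered.

Added example (not 100bit.co.in's code). The user store, token maker,
audit log and mail outbox below are constructed stand-ins."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample store: the only registered address in this demo.
USERS = {"alice@example.invalid": {"id": 100123}}

# One reply for both cases, so the form does not reveal which addresses exist.
UNIFORM_REPLY = ("If an account exists for that address, a reset link has "
                 "been sent to it.")
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class RecoveryService:
    users: dict
    outbox: list = field(default_factory=list)   # stand-in for mail(): (email, token)
    tokens: dict = field(default_factory=dict)   # token -> (user_id, expiry)
    audit: list = field(default_factory=list)    # stand-in for the server log

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        """Handle the recover form. Never raises; always returns UNIFORM_REPLY."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        user = self.users.get(email)
        if user is None:
            # Unknown address: record it server-side, say nothing different
            # to the client. No exception, so no redirect to an error page.
            self.audit.append(("reset_unknown_email", email))
            return UNIFORM_REPLY
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user["id"], now + TOKEN_TTL_SECONDS)
        self.outbox.append((email, token))
        self.audit.append(("reset_sent", user["id"]))
        return UNIFORM_REPLY

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user id for a valid, unexpired token and consume it;
        None for unknown, reused or expired tokens."""
        now = time.time() if now is None else now
        # Constant-time comparison so timing does not leak a partial match.
        match = next((t for t in self.tokens if hmac.compare_digest(t, token)), None)
        if match is None:
            return None
        user_id, expiry = self.tokens.pop(match)   # single use
        return user_id if now <= expiry else None


if __name__ == "__main__":
    svc = RecoveryService(users=dict(USERS))
    print(svc.request_reset("nobody@example.invalid"))
    print(svc.request_reset("alice@example.invalid"))
    print("mails sent:", len(svc.outbox), "| audit:", svc.audit)
```

The two replies are byte-identical; the only place the two cases differ is the server-side audit list and the outbox. If the product decision is nonetheless to tell the user the address is unknown (as the reporter requests), the same structure still applies: the lookup must return a normal response, not an exception, and the lookup should be rate-limited per client.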
sr. member
Activity: 861
Merit: 423

I've tried to put the simple code that @seoincorporation shared before, and you can inject code while submitting a ticket to 100bit support. So that's a problem that isn't just in the "About me" and buy orders text box. Revise it to secure your webpage.



Hope to help you!
Good luck 100bit team!

Thank you for your testing time. We are now aware of the existing XSS vulnerability on all the text boxes. All of them will be fixed ASAP.

Can you please tell us which buy orders text box you mean here? Is it the Preferred payment mode you are talking about?
hero member
Activity: 1624
Merit: 645
In the country selection option, why are there so few countries to choose from? And why does it say Europe is a country?
legendary
Activity: 1960
Merit: 1130
Truth will out!
Hi devs, and congrats on the site!
I was trying the most common things that a "normal" user would do with your site and I've found some interesting details.



This is not a bug, but first of all, take a look at the "Lost you password" page. There's a mistake because it's Forgot Password and not Forgot Passowrd (in the header and in the button).


Then, once I registered my account, I received two direct messages on my mail account; you have to solve this automated messages problem. Maybe people receive more than one when they submit the registration form.

Another thing:
If you try to log in with the ID that you wrote on the registration form and not with the ID specified in the email, you're going to see this warning:


"The email address is already registered with us"
This message is the one that pops up when you try to register with an email address that's been registered before, not when you try to log in.

As well, IMO users have to be able to log in with their ID and not with the code (numbers) that they receive in their mail account.

And the last thing:
I've tried to put the simple code that @seoincorporation shared before, and you can inject code while submitting a ticket to 100bit support. So that's a problem that isn't just in the "About me" and buy orders text box. Revise it to secure your webpage.



Hope to help you!
Good luck 100bit team!
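On the double "Account Creation" mail reported above, the developers' reply elsewhere in this thread is that a second click on the activation link deliberately re-sends the mail so a lost first copy can be recovered. The added example below is not 100bit.co.in's code; it is written in Python to show the alternative a defender would usually prefer: activation is idempotent (a repeat click succeeds but sends nothing), and re-sending is a separate, throttled action, so an activation link that leaks or gets clicked repeatedly cannot be used to generate mail. The account store, token and outbox are constructed stand-ins.

```python
"""Idempotent e-mail activation with a separate, throttled resend action.

Added example (not 100bit.co.in's code). The account store, token format
and mail outbox are constructed stand-ins."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

RESEND_COOLDOWN = 60.0   # seconds between "send me the mail again" requests


@dataclass
class Account:
    email: str
    activated: bool = False
    activation_token: Optional[str] = None
    last_mail_at: float = 0.0


@dataclass
class Activation:
    accounts: dict = field(default_factory=dict)   # email -> Account
    by_token: dict = field(default_factory=dict)   # token -> email
    outbox: list = field(default_factory=list)     # (email, kind), stand-in for mail()

    def register(self, email: str, now: float) -> str:
        """Create the account and mail the activation link; returns the token."""
        acct = Account(email=email, activation_token=secrets.token_urlsafe(32))
        self.accounts[email] = acct
        self.by_token[acct.activation_token] = email
        self._send(acct, "activation_link", now)
        return acct.activation_token

    def _send(self, acct: Account, kind: str, now: float) -> None:
        self.outbox.append((acct.email, kind))
        acct.last_mail_at = now

    def activate(self, token: str, now: float) -> str:
        """Handle a click on the activation link. Only the first click sends
        the 'Account Creation' mail; later clicks succeed silently."""
        email = self.by_token.get(token)
        if email is None:
            return "invalid_link"
        acct = self.accounts[email]
        if acct.activated:
            return "already_active"          # no second mail
        acct.activated = True
        self._send(acct, "account_creation", now)
        return "activated"

    def resend_creation_mail(self, email: str, now: float) -> str:
        """Explicit resend for the case of a lost first mail, rate-limited."""
        acct = self.accounts.get(email)
        if acct is None or not acct.activated:
            return "ignored"                 # same answer for unknown/inactive
        if now - acct.last_mail_at < RESEND_COOLDOWN:
            return "throttled"
        self._send(acct, "account_creation", now)
        return "resent"


if __name__ == "__main__":
    svc = Activation()
    tok = svc.register("bob@example.invalid", now=0.0)
    print(svc.activate(tok, now=1.0), svc.activate(tok, now=2.0))
    print(svc.resend_creation_mail("bob@example.invalid", now=3.0))
    print(svc.outbox)
```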
legendary
Activity: 3346
Merit: 3130
Found another one.

I can inject code in: http://www.100bit.co.in/order.php > Preferred payment mode (optional):



http://i62.tinypic.com/vq5jlf.png



http://i59.tinypic.com/wmf983.png

Made a test with http://cash.com">Cash, and in the second try I tested with .

***UPDATE***

I can inject code in the Ticket support too...
legendary
Activity: 3346
Merit: 3130
Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.

I sent you my addy in a PM. The problems I found:

1.-No captcha in the "Create a New Support Ticket"
2.-Can inject code on "http://www.100bit.co.in/settings.php > About me"

I made some tests and didn't find a vuln for XSS

Code:
[usr@localhost ~]$ nmap -p80 --script http-stored-xss www.100bit.co.in

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-04 11:18 CST
Nmap scan report for www.100bit.co.in (104.28.29.49)
Host is up (0.071s latency).
Other addresses for www.100bit.co.in (not scanned): 104.28.28.49
PORT   STATE SERVICE
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

And about SQL injection I'm not sure.
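The stored-XSS reports in this thread (the "About me" field, the support ticket form and the order form's "Preferred payment mode", where `http://cash.com">Cash` closes the value attribute) all come down to user input being written into HTML without encoding, and the nmap http-stored-xss run above finding nothing shows that a scanner's silence is no evidence the fields are safe. The following is an added example, not code from 100bit.co.in (the site is PHP, where the equivalent of the encoder below is htmlspecialchars with ENT_QUOTES), written in Python so it runs stand-alone: it renders the two contexts the thread mentions both raw and encoded, and a parser-based check asserts that a stored value survives as data without changing the page's markup. The template markup, field names and the benign text value are constructed stand-ins.

```python
"""Output encoding for stored user fields, plus a regression check that a
stored value cannot change the page's markup.

Added example (not 100bit.co.in's code). Templates, field names and the
benign text value are constructed stand-ins."""
import html
from html.parser import HTMLParser

# Payload reported in the thread for the order form's "Preferred payment
# mode": the quote closes value="..." and whatever follows becomes markup.
REPORTED_PAYLOAD = 'http://cash.com">Cash'
# Constructed benign value for the text-node case ("About me", ticket body).
MARKUP_IN_TEXT = 'I pay by <b>cash</b> only'


def encode(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value:
    & < > " ' become character references, so nothing typed by the user
    can end the attribute or open a tag."""
    return html.escape(value, quote=True)


# -- the "before": raw concatenation, which is what the reports imply ------

def render_order_form_unsafe(payment_mode: str) -> str:
    return f'<form><input name="payment_mode" value="{payment_mode}"></form>'


def render_profile_unsafe(about_me: str) -> str:
    return f'<p class="about">{about_me}</p>'


# -- hardened: encode at the output boundary, per field ---------------------

def render_order_form(payment_mode: str) -> str:
    return f'<form><input name="payment_mode" value="{encode(payment_mode)}"></form>'


def render_profile(about_me: str) -> str:
    return f'<p class="about">{encode(about_me)}</p>'


class _Inventory(HTMLParser):
    """Records the tags, attribute values and text runs a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attr_values: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_values.extend(v for _, v in attrs if v is not None)

    def handle_data(self, data):
        self.text.append(data)


def value_is_inert(markup: str, template_tags: list[str], value: str) -> bool:
    """True when the page has exactly the template's tags and the stored
    value survives, whole, as one attribute value or one text run."""
    inv = _Inventory()
    inv.feed(markup)
    inv.close()
    return inv.tags == template_tags and (value in inv.attr_values or value in inv.text)


def regression_report() -> dict:
    """Run each context's payload through the raw and the encoded renderer."""
    return {
        "order_form_unsafe": value_is_inert(render_order_form_unsafe(REPORTED_PAYLOAD),
                                            ["form", "input"], REPORTED_PAYLOAD),
        "order_form": value_is_inert(render_order_form(REPORTED_PAYLOAD),
                                     ["form", "input"], REPORTED_PAYLOAD),
        "profile_unsafe": value_is_inert(render_profile_unsafe(MARKUP_IN_TEXT),
                                         ["p"], MARKUP_IN_TEXT),
        "profile": value_is_inert(render_profile(MARKUP_IN_TEXT),
                                  ["p"], MARKUP_IN_TEXT),
    }


if __name__ == "__main__":
    for name, ok in regression_report().items():
        print(f"{name:18s} {'inert' if ok else 'MARKUP CHANGED'}")
```

`html.escape` covers text nodes and quoted attribute values only; a value placed inside JavaScript, a URL or an unquoted attribute needs the encoder for that context. The `value_is_inert` check is the kind of test worth keeping for every field the thread lists, so a later template change cannot quietly reintroduce the problem.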
hero member
Activity: 1624
Merit: 645
I'm on the phone so I don't know if the site is optimized for mobiles. I'm on iPhone, but every time I log in and have to type the captcha, it always says wrong captcha the first time, then the second time it works. I've tried it 6 times and it's always the same: the first time it says incorrect captcha, then it works.
full member
Activity: 168
Merit: 100
Your site is looking great. Well, I checked the site but unfortunately I found no bug, and that means your site is out of bugs. The users above found the bugs; beyond that I can't find any. As it is a buying/selling platform you should add 2FA or something else. I see that it is not so protected, and the security level is too low. Also, I just registered my account but now I'm unable to log in, don't know why. I don't know whether that's a bug or what it is.
newbie
Activity: 55
Merit: 0
Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.

Thank you. BTW, the message from "seoincorporation" was sent after my PMs (listing more vulnerabilities, in detail).
sr. member
Activity: 861
Merit: 423
Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.