1Broker.com - Vulnerabilty & bug bounty

exxe

full member

Activity: 187

Merit: 100

Quote from: spudy12 on April 12, 2013, 07:54:19 PM

Activation email ends up in the spam folder, for hotmail and gmail anyway..

Found the problem: DNS SPF record only allows the IP address of 1broker.com to send mails, but 1broker.com does not resolve into an IPv6 address and postfix used IPv6 to send mails.

This was a tricky one. Tongue

Tekkna

member

Activity: 70

Merit: 10

OP seems to know what he's doing, I doubt there are any bugs in it right now.

The only mistakes so far are small English grammar errors.

exxe

full member

Activity: 187

Merit: 100

Quote from: Remember remember the 5th of November on April 16, 2013, 12:28:25 AM

Well if there's a bug, a security hole then obviously it's not really secure. But don't misinterpret my post. You shouldn't hide if you have security holes, but accept it and fix them Wink

.

I don't want to hide something, but what the user is saying is not true.
The thing is that we don't even use XML or XPath.

I suspect that he ran the Acunetix security scan and the software found these structures as a potential vulnerability (which are obviously false positives):
https://1broker.com/?c=password_forgotten1
https://1broker.com/?c=password_forgotten2

and

https://1broker.com/?c=register
https://1broker.com/?c=register2
https://1broker.com/?c=register3

Nothing to fix here.

best regards.

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

Quote from: exxe on April 14, 2013, 06:01:32 PM

Thanks for your input spudy12.

I've updated the mail functions so hopefully it works now. I also changed the description for the gold CFD.

Quote from: BitCoins06 on April 13, 2013, 04:13:20 AM

Hi , i find 2 Xpath Injection

on https://1broker.com/?c=password_forgotten1
&
https://1broker.com/?c=register

I will provide the parameter (the exploit) via PM for more info

My Wallet

16J42BqVdfmgjwJb6LZkxy9uv4duTtwHzK

I've not received a PM from you. In general I would be really surprised if you find a vulnerability in this area.
Even if you found a bug, it is necessary to report it privately, if you want a reward. (and publish no details before warning me (this should be obvious))

Don't get me wrong, but such posts can destroy our image of a secure trading platform. You should remove it.

best regards.

Well if there's a bug, a security hole then obviously it's not really secure. But don't misinterpret my post. You shouldn't hide if you have security holes, but accept it and fix them Wink

.

exxe

full member

Activity: 187

Merit: 100

Thanks for your input spudy12.

I've updated the mail functions so hopefully it works now. I also changed the description for the gold CFD.

Quote from: BitCoins06 on April 13, 2013, 04:13:20 AM

Hi , i find 2 Xpath Injection

on https://1broker.com/?c=password_forgotten1
&
https://1broker.com/?c=register

I will provide the parameter (the exploit) via PM for more info

My Wallet

16J42BqVdfmgjwJb6LZkxy9uv4duTtwHzK

I've not received a PM from you. In general I would be really surprised if you find a vulnerability in this area.
Even if you found a bug, it is necessary to report it privately, if you want a reward. (and publish no details before warning me (this should be obvious))

Don't get me wrong, but such posts can destroy our image of a secure trading platform. You should remove it.

best regards.

BitCoins06

newbie

Activity: 49

Merit: 0

Hi , i find 2 Xpath Injection

on https://1broker.com/?c=password_forgotten1
&
https://1broker.com/?c=register

I will provide the parameter (the exploit) via PM for more info

My Wallet

16J42BqVdfmgjwJb6LZkxy9uv4duTtwHzK

spudy12

newbie

Activity: 46

Merit: 0

Activation email ends up in the spam folder, for hotmail and gmail anyway..

activation email link says invalid if opened from another tab, however if you go back to original tab you can sign in - just thought i'd point this out.

when you type in the amount to withdraw, it goes green whatever amount regardless of weather you have the funds or not.. not exactly a bug but could be confused by some people?

possibly a theme on twitter that better matches your websites? (website one is really cool by the way, looks very professional)

On the cfd's page (https://1broker.com/?c=cfds) next to gold you have this

Quote

Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts since long before the beginning of recorded history.

Doesn't quite read right for me, possibly something like this is better..

Quote

Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts since the beginning of recorded history.

OR

Quote

Gold has been a valuable and highly sought-after precious metal for coinage, jewelry, and other arts long before the beginning of recorded history.

apart from that, looks and feels like a very professional site.

exxe

full member

Activity: 187

Merit: 100

Quote from: Dron007 on April 12, 2013, 05:19:07 PM

There is one more minor thing. One can use SQL LIKE template characters in the search field (% and _). It is more like a feature but as it is not documented somebody could think search is working not as expected, entering '100%' but receiving same as for '100'.

Yeah, I'll leave it as it is.

Quote from: starsoccer9 on April 12, 2013, 05:41:46 PM

found a problem relating to having a negative balance,

This is working as intended. Leveraged positions which stay open overnight/over the weekend can be force-closed with negative values and can therefore lead to negative account balances. We can't/won't force people to give us the Bitcoins they owe us, but if they want to use 1Broker again they have to. (Double accounts violate the TOS)

starsoccer9

legendary

Activity: 1630

Merit: 1000

found a problem relating to having a negative balance,

Dron007

newbie

Activity: 25

Merit: 0

Quote from: exxe on April 11, 2013, 02:05:37 PM

Will be fixed in the next update. Since this statistically only causes a small bug in every 4500^th registration I hope you are okay if I don't pay a reward for this. Tongue

Ok. That's is really a minor problem. There is one more minor thing. One can use SQL LIKE template characters in the search field (% and _). It is more like a feature but as it is not documented somebody could think search is working not as expected, entering '100%' but receiving same as for '100'.

exxe

full member

Activity: 187

Merit: 100

Quote from: marticps on April 11, 2013, 06:18:26 PM

Also, you should avoid the use of presentation tags in HTML, since you should use the HTML only for semantics and CSS for presentation.

Yes, I'm aware that the website is far from perfect in this area. I will work on this a little bit, but there is simply not enough time to to make this how it should be (at least not in the near future).

marticps

member

Activity: 102

Merit: 10

About UI, you should edit a bit the CSS. You should add ALT attribute in the images in order to help textual browsers, search engines... and improve accessibility (that's very important).

Also, you should avoid the use of presentation tags in HTML, since you should use the HTML only for semantics and CSS for presentation.

Here's two lists of design errors you have on your website:
http://validator.w3.org/check?uri=https%3A%2F%2F1broker.com%2F&charset=%28detect+automatically%29&doctype=Inline&group=0
http://try.powermapper.com/Reports/7a211e9d-1ed9-4b5b-8194-7da9afccb2ae/report/map.htm

For me, the most important ones are the following (some of them are repeated):

Line 1045, Column 102: An img element must have an alt attribute, except under certain conditions. For details, consult guidance on providing text alternatives for images. In this case, the social networks buttons and the site seal, it is really important!
Don't use generic link labels like "click here" or "read more" because they're hard to tell apart when users scan a page.
The form has fields without a LABEL or TITLE attribute.
The page has no H1 tag.
Line 987, Column 8: The center element is obsolete. Use CSS instead. All presentation tags should be in CSS.
Line 1135, Column 71: The value of the border attribute on the table element must be either 1 or the empty string. To regulate the thickness of table borders, Use CSS instead.

All these errors you have in the website design will make you have a lower Google rank and will difficult users to navigate through the site. (Most of the errors are about accessibility and SEO).
Hope I helped you. BTW, if you need help in web design, I can help you. To see some references check the website on my profile.

Tekkna

member

Activity: 70

Merit: 10

Yeah, I didn't put too much stock in the scan, but worth a guess I suppose

It's not a killer bug, and everything functions properly still, just slightly annoying.

exxe

full member

Activity: 187

Merit: 100

Quote from: Tekkna on April 11, 2013, 03:17:27 PM

1024x768 is my monitor resolution (I think that's really skinny for monitors, but still, would prepare you for mobile users).

Received payment from exxe successfully

Thank you, I am willing to provide any help you need.

Also, were my scans correct in guessing that you are using >Postgre 8 on a nginx server?

Okay, maybe I will look into the resolution problem, but don't expect too much. A mobile app is on the TODO list anyway.

Nginx is easy to see (https://1broker.com/404), but the PostgreSQL guess is wrong. Cheesy

Tekkna

member

Activity: 70

Merit: 10

Quote

Whiteknight already agreed to help, but I will keep you in mind in case I need advice from multiple people.
Concerning the cut offs: Can you tell me what your screen resolution is?

1024x768 is my monitor resolution (I think that's really skinny for monitors, but still, would prepare you for mobile users).

Received payment from exxe successfully

Thank you, I am willing to provide any help you need.

Also, were my scans correct in guessing that you are using >Postgre 8 on a nginx server?

exxe

full member

Activity: 187

Merit: 100

Quote from: Tekkna on April 08, 2013, 09:03:24 PM

I would also be interested in re-writing text (Unless, of course, Whiteknight gets the position) I am a native English speaker, and used to do something similar for Japanese speakers in a language exchange (I help fix their English, they fix my Japanese).

I suppose for an example of my work you could see the amazon gift codes I'm selling in my signature.

NOTE: Some of these are probably not exactly worth a bounty, but still a good idea to change, I may post more after my account is verified.

Something I notice quite a bit recently, is the lack of liquid layouts, my screen isn't that small, but I get some cut off for some reason:
[...]

Whiteknight already agreed to help, but I will keep you in mind in case I need advice from multiple people.
Concerning the cut offs: Can you tell me what your screen resolution is?

Thanks for the problems reported. These things will be fixed with the next update.

Sent 0.025 BTC to 1AKtor49AFFHF8kVH4SAgd23eTPVy91iDB

Quote from: sega01 on April 09, 2013, 11:33:01 AM

Not sure how serious this is, but it looks like your bitcoind is listening on port 8333 (default) for incoming Bitcoin-esque connections. It's said that it's much easier to double spend when someone connects directly to your node and another at the same time.

On my DNS tunnel service, I have the daemon setup like this, to only connect out: bitcoind -noupnp -par=1 -daemon -nolisten. Granted, I'm not quite sure how relevant this for your environment. Not sure why you have portmapper open or port 41689, either.

Let me know what you think. Best of luck with the service!

Since, we do not accept 0-conf transactions there should be no big problems with double spending.
The open portmapper port is indeed strange and I've contacted the support who told me that this was part of their default configuration upon server setup.
Nevertheless, the port is now closed.

Quote from: Dron007 on April 10, 2013, 07:20:55 PM

There is Mater Key at the registration form. Looking at the JavaScript code I can see that validation will fail if key is exactly equal to 10000 or to 99999. But these values can be generated by the random generator. So the code should be changed to the following:

Will be fixed in the next update. Since this statistically only causes a small bug in every 4500^th registration I hope you are okay if I don't pay a reward for this. Tongue

Quote from: Remember remember the 5th of November on April 10, 2013, 07:36:26 PM

At OP,

Not really a big deal, but when I entered some invalid characters I got greeted by a blank page with a red box with an error message, but when done to this URL, the error message appears ontop of the normal page, with no footer.

https://i.imgur.com/OFnkrKN.png

This is known and a result of our code structure and error handling. Since a "normal" user won't see such things there is no need to fix this, imho.

Thank you all!

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

At OP,

Not really a big deal, but when I entered some invalid characters I got greeted by a blank page with a red box with an error message, but when done to this URL, the error message appears ontop of the normal page, with no footer.

https://i.imgur.com/OFnkrKN.png

Dron007

newbie

Activity: 25

Merit: 0

There is Mater Key at the registration form. Looking at the JavaScript code I can see that validation will fail if key is exactly equal to 10000 or to 99999. But these values can be generated by the random generator. So the code should be changed to the following:

if (!(document.getElementById("masterkey").value >= 10000 && document.getElementById("masterkey").value <= 99999)) {
document.getElementById("error").innerHTML+="- Please generate a Master Key!
";
ok = false;
}

instead of

if (!(document.getElementById("masterkey").value > 10000 && document.getElementById("masterkey").value < 99999))
...

sega01

sr. member

Activity: 391

Merit: 333

Not sure how serious this is, but it looks like your bitcoind is listening on port 8333 (default) for incoming Bitcoin-esque connections. It's said that it's much easier to double spend when someone connects directly to your node and another at the same time.

On my DNS tunnel service, I have the daemon setup like this, to only connect out: bitcoind -noupnp -par=1 -daemon -nolisten. Granted, I'm not quite sure how relevant this for your environment. Not sure why you have portmapper open or port 41689, either.

Let me know what you think. Best of luck with the service!

Cheers,
Teran

Tekkna

member

Activity: 70

Merit: 10

I would also be interested in re-writing text (Unless, of course, Whiteknight gets the position) I am a native English speaker, and used to do something similar for Japanese speakers in a language exchange (I help fix their English, they fix my Japanese).

I suppose for an example of my work you could see the amazon gift codes I'm selling in my signature.

NOTE: Some of these are probably not exactly worth a bounty, but still a good idea to change, I may post more after my account is verified.

Something I notice quite a bit recently, is the lack of liquid layouts, my screen isn't that small, but I get some cut off for some reason:

Quote

https://1broker.com/?c=about_fees
There are no hidden fees whatsoever. Everything we charge from you is listed on this page.

to

Quote

There are no hidden fees whatsoever, everything we charge is listed on this page

charge from you -> charge you
You use a lot of periods, when the sentence would be more fluid with commas.

Quote

We profit from the spread, the difference between the bid and ask price. This means you will usually start with a very small initial loss, when a new position is openend.

to

Quote

We profit from the spread, the difference between the bid and ask price. This means you will usually start with a very small loss, when a new position is opened.

openend -> opened
very small initial loss -> very small loss | Redundant

Quote

You can contact us via email:
[email protected]

Administrative stuff, technical questions, bug and feature requests send to:
[email protected]

You may not want to use "Administrative stuff", stuff is informal (although, some sites are going for a very informal approach in their documentation)

https://1broker.com/?c=faq

Quote

1Broker offers a service where you can trade for live market-prices

to

Quote

1Broker offers a service where you can trade for live market prices

No dash in market-prices

In the account sign up:

Quote

If you don't click on the confirmation link your account gets deleted in the next few days.

to

Quote

If you don't click on the confirmation link within 2 days, your account will be terminated.

More professional (includes time frame, more formal language)

When unverified:

Quote

Your account is currently blocked!

to

Quote

Your account has not been verified!

Topic: 1Broker.com - Vulnerabilty & bug bounty (Read 7496 times)