Topic: Can you hack my game? (Read 1869 times)

newbie
Activity: 50
Merit: 0
August 12, 2013, 10:12:41 AM
#27
Tried to register, "invalid captcha" :O
Where is the captcha?
newbie
Activity: 28
Merit: 0
August 11, 2013, 09:20:21 PM
#26
> Yeah, you should still set an X-Frame-Options value to prevent a ClickJacking attack, because of the nature of the site (passwords and such).
>
> To prevent the exploit: set X-Frame-Options to DENY in the HTTP header.

Fixed Smiley

> Twitter Bootstrap, again? :p

Yes, Twitter Bootstrap is quick and easy, and looks decent, with great usability.
Will certainly be looking at upgrading the UI, but right now there aren't enough hands for this.
legendary
Activity: 1134
Merit: 1105
August 11, 2013, 07:22:33 PM
#25
Yeah, you should still set an X-Frame-Options value to prevent a ClickJacking attack, because of the nature of the site (passwords and such).

To prevent the exploit: set X-Frame-Options to DENY in the HTTP header.
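
Added example (mine, not code from the thread or from the BitStrat site): the fix this post describes, written as Express-style middleware for the Express app the scan identified, plus a header checker that mirrors the scanner's test. Function names are assumptions.

```javascript
// Added example, not code from the thread or the BitStrat site. Express-style middleware
// (req, res, next) that sets the anti-clickjacking headers, plus a checker that mirrors
// the scanner's test. Function names are my own.

function frameProtection(req, res, next) {
  // Legacy header the post recommends; DENY refuses framing by any origin.
  res.setHeader('X-Frame-Options', 'DENY');
  // Modern equivalent; browsers that support CSP prefer this directive.
  res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
  // Express adds this banner by default; the scan read "Express" from it.
  // In Express proper, app.disable('x-powered-by') does the same.
  res.removeHeader('X-Powered-By');
  next();
}

// Audit a headers object with lower-cased keys (the shape of res.getHeaders()).
// Reports which defence is present; either one blocks framing in modern browsers.
function frameProtectionStatus(headers) {
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  const csp = String(headers['content-security-policy'] || '');
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const cspOk = m !== null && m[1].trim() !== '*';
  return { xFrameOptions: xfoOk, cspFrameAncestors: cspOk, protected: xfoOk || cspOk };
}

// Minimal server wiring; createServer().listen(3000) serves a page with the headers set.
function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    frameProtection(req, res, () => {
      res.writeHead(200, { 'Content-Type': 'text/html' });
      res.end('<h1>BitStrat login (demo)</h1>');
    });
  });
}
```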

full member
Activity: 168
Merit: 100
August 11, 2013, 01:05:33 PM
#24
Twitter Bootstrap, again? :p
newbie
Activity: 28
Merit: 0
August 11, 2013, 11:50:55 AM
#23
> > > I've just run w3af on your URL.
> > >
> > > -snip-
> > >
> > > Hopefully this helps somewhat.
> > >
> > > Matthew:out
> >
> > There are no credit card numbers to expose.. Not a single credit card number is used anywhere.. What are you doing?
>
> To be honest, I'm not massively sure about why w3af thought that was a credit card number. Maybe it just found something that matched a format for a credit card.
>
> I suppose w3af only really turned up the potential ClickJacking attack.
>
> I'd say the website is secure, but that's not for me to judge.
>
> Matthew:out

Lol okay, I thought you were trolling Tongue I guess any 16-digit number looks like a CC number.
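
An added example, not w3af's code, for triaging "credit card number" findings like the ones discussed above: it assumes the scanner's heuristic is a 13-19 digit-run regex (an assumption, not something the thread states) and applies the Luhn checksum that real card numbers satisfy, which separates a 16-digit game id from a genuine card-format number. The sample page text is constructed.

```javascript
// Added example, not w3af's own code. Assumption: the scanner flags any 13-19 digit run;
// a Luhn check drops most non-card numbers (ids, timestamps, hashes) before a human looks.

// Luhn: from the right, double every second digit (subtract 9 if > 9); the sum must be % 10 == 0.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
const CANDIDATE_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Mask all but the last four digits, as the scanner output above does.
function mask(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// One record per candidate: raw match, bare digits, and whether the Luhn check passes.
function triageCardFindings(text) {
  const findings = [];
  for (const m of text.matchAll(CANDIDATE_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    findings.push({ match: m[0], digits, luhnValid: luhnValid(digits) });
  }
  return findings;
}

// Constructed sample page body: a 16-digit game id (fails Luhn) and the well-known Visa test number.
const SAMPLE_HTML = `
<div data-game="1234567890123456">Room 7</div>
<p>Test card on file: 4111 1111 1111 1111</p>
`;

for (const f of triageCardFindings(SAMPLE_HTML)) {
  console.log(`${mask(f.digits)} -> ${f.luhnValid ? 'Luhn OK, review' : 'Luhn fails, likely false positive'}`);
}
```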
full member
Activity: 286
Merit: 100
August 11, 2013, 11:17:24 AM
#22
> > I've just run w3af on your URL.
> >
> > -snip-
> >
> > Hopefully this helps somewhat.
> >
> > Matthew:out
>
> There are no credit card numbers to expose.. Not a single credit card number is used anywhere.. What are you doing?

To be honest, I'm not massively sure about why w3af thought that was a credit card number. Maybe it just found something that matched a format for a credit card.

I suppose w3af only really turned up the potential ClickJacking attack.

I'd say the website is secure, but that's not for me to judge.

Matthew:out
newbie
Activity: 28
Merit: 0
August 11, 2013, 09:12:19 AM
#21
> Do you use socket.io? If yes, I'm probably able to crash your server.

by a flood attack?
newbie
Activity: 28
Merit: 0
August 11, 2013, 09:03:12 AM
#20
full member
Activity: 223
Merit: 100
August 11, 2013, 07:07:23 AM
#19
> Tried to register, "invalid captcha" :O
> Where is the captcha?

Same here.
newbie
Activity: 50
Merit: 0
August 11, 2013, 06:36:56 AM
#18
Tried to register, "invalid captcha" :O
Where is the captcha?
legendary
Activity: 1792
Merit: 1008
/dev/null
August 11, 2013, 06:30:46 AM
#17
> > haha, i knew its a skiddy Smiley
>
> Sorry, but I don't come under the classification of "Script kiddy". Roll Eyes I built my own computer when I was 13. I do actually have quite a bit of experience in C family coding, I'm just very lazy. People make these tools for a reason, and who am I to insult the coders?
>
> Quote from: 'Lucas Braesch'
> > I've always been convinced that laziness is the beginning of intelligence Grin
>
> Matthew:out

in this case I'll take it back, excuse me Wink
full member
Activity: 286
Merit: 100
August 11, 2013, 05:18:55 AM
#16
> haha, i knew its a skiddy Smiley

Sorry, but I don't come under the classification of "Script kiddy". Roll Eyes I built my own computer when I was 13. I do actually have quite a bit of experience in C family coding, I'm just very lazy. People make these tools for a reason, and who am I to insult the coders?

Quote from: 'Lucas Braesch'
> I've always been convinced that laziness is the beginning of intelligence Grin

Matthew:out
vip
Activity: 1302
Merit: 1042
👻
August 11, 2013, 05:10:21 AM
#15
Do you use socket.io? If yes, I'm probably able to crash your server.
legendary
Activity: 1792
Merit: 1008
/dev/null
August 11, 2013, 04:44:43 AM
#14
haha, i knew its a skiddy Smiley
full member
Activity: 286
Merit: 100
August 11, 2013, 04:43:33 AM
#13
I've just run w3af on your URL.

[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.serverHeader
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.allowedMethods
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.frontpage_version
[Sun 11 Aug 2013 09:40:00 BST] The page language is: en
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:02 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:03 BST] "X-Powered-By" header for this HTTP server is: "Express". This information was found in the request with id 35.
[Sun 11 Aug 2013 09:40:03 BST] Found 1 URLs and 1 different points of injection.
[Sun 11 Aug 2013 09:40:03 BST] The list of URLs is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:03 BST] The list of fuzzable requests is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com | Method: GET
[Sun 11 Aug 2013 09:40:03 BST] The web application sent a persistent cookie.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 31.

[Sun 11 Aug 2013 09:40:05 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:12 BST] Password profiling TOP 100:
[Sun 11 Aug 2013 09:40:12 BST] - [1] BitStrat with 147 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [2] Game with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [3] document with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [4] function with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [5] facebook with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [6] BITSTRAT with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [7] Service with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [8] Bitcoin with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [9] Strategy with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [10] toggle with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [11] connect with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [12] createElement with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [13] collapse with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [14] onload with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [15] Terms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [16] jssdk with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [17] script with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [18] currently with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [19] getElementById with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [20] xfbml with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [21] test with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [22] gamble with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [23] return with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [24] insertBefore with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [25] getElementsByTagName with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [26] Collective with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [27] Register with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [28] beta with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [29] Contact with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [30] appId with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [31] phase with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [32] using with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [33] navbar with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [34] bitcoins with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [35] parentNode with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [36] testnet with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [37] Rooms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [38] Compete with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] The whole target has no protection (X-Frame-Options header) against ClickJacking attack
[Sun 11 Aug 2013 09:40:12 BST] The cookie: "connect.sid=s%3Amb-3-WU9cVSUZVROGdw2TXbR.VGE8WR4XstVwdYu7Y04ws8GRQXIr4XnLtRiTGhaKghffuI3GGmUz4lkwLG3v6KvKUEPoH%2FeKQ2HgMp%2BeRYdS2A; Path=/; Expires=Mon, 12 Aug 2013 08:39:52 GMT" was sent by these URLs:
[Sun 11 Aug 2013 09:40:12 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 31.
[Sun 11 Aug 2013 09:40:12 BST] Scan finished in 20 seconds.

Hopefully this helps somewhat.

Matthew:out
full member
Activity: 286
Merit: 100
August 11, 2013, 04:36:14 AM
#12
Straight away I have found a bug in the register field. It seems to want a captcha solving, which is in fact not there.

I'm using Chromium 28 on Ubuntu Linux.

Matthew:out
newbie
Activity: 28
Merit: 0
August 10, 2013, 02:50:18 PM
#11
> I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.
>
> Can I claim white hat hacking?
>
> Matthew:out

Yes white hack away Smiley
newbie
Activity: 28
Merit: 0
August 10, 2013, 02:44:13 PM
#10
> > I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.
> >
> > Can I claim white hat hacking?
> >
> > Matthew:out
>
> DoS (not DOS) != hacking, skiddys...

DoS flood attacks are pretty much unavoidable.. The DoS protection that exists on there now is that game states are auto-saved, and so if server goes down, nothing is lost. Games get paused at the precise state they were at.

By hacking I mean, well, try to find an exploit where you somehow get free coins, or transactions don't occur properly, xss, or somehow break the server, gain access to people's accounts, etc.
legendary
Activity: 1792
Merit: 1008
/dev/null
August 10, 2013, 02:26:43 PM
#9
> I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.
>
> Can I claim white hat hacking?
>
> Matthew:out
DoS (not DOS) != hacking, skiddys...
full member
Activity: 286
Merit: 100
August 10, 2013, 01:53:11 PM
#8
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out