Pages:
Author

Topic: Can you hack my game? (Read 1907 times)

newbie
Activity: 50
Merit: 0
August 12, 2013, 09:12:41 AM
#27
Tried to register, "invalid captcha" :O
Where is the captcha?
newbie
Activity: 28
Merit: 0
August 11, 2013, 08:20:21 PM
#26
Yeah, you should still set an X-Frame-Options value to prevent a ClickJacking attack, because of the nature of the site (passwords and such).

To prevent the exploit: set X-Frame-Options to DENY in the HTTP header.



Fixed Smiley

Twitter Bootstrap, again? :p

Yes, Twitter Bootstrap is quick and easy, and looks decent, with great usability.
Will certainly be looking at upgrading the UI, but right now the aren't enough hands for this.
legendary
Activity: 1134
Merit: 1118
August 11, 2013, 06:22:33 PM
#25
Yeah, you should still set an X-Frame-Options value to prevent a ClickJacking attack, because of the nature of the site (passwords and such).

To prevent the exploit: set X-Frame-Options to DENY in the HTTP header.

full member
Activity: 168
Merit: 100
DATABLOCKCHAIN.IO SALE IS LIVE | MVP @ DBC.IO
August 11, 2013, 12:05:33 PM
#24
Twitter Bootstrap, again? :p
newbie
Activity: 28
Merit: 0
August 11, 2013, 10:50:55 AM
#23
I've just ran w3af on your URL.

-snip-

Hopefully this helps somewhat.

Matthew:out


There are no credit card numbers to expose.. Not a single credit card number is used anywhere.. What are you doing?

To be honest, I'm not massively sure about why w3af thought that was a credit card number. Maybe it just found something that matched a format for a credit card.

I suppose w3af only really turned up the potential ClickJacking attack.

I'd say the website is secure, but that's not for me to judge.

Matthew:out

Lol okay, i thought you were trolling Tongue I guess any 16-digit number looks like a CC number.
full member
Activity: 286
Merit: 100
August 11, 2013, 10:17:24 AM
#22
I've just ran w3af on your URL.

-snip-

Hopefully this helps somewhat.

Matthew:out


There are no credit card numbers to expose.. Not a single credit card number is used anywhere.. What are you doing?

To be honest, I'm not massively sure about why w3af thought that was a credit card number. Maybe it just found something that matched a format for a credit card.

I suppose w3af only really turned up the potential ClickJacking attack.

I'd say the website is secure, but that's not for me to judge.

Matthew:out
newbie
Activity: 28
Merit: 0
August 11, 2013, 08:12:19 AM
#21
Do you use socket.io? If yes, I'm probably able to crash your server.

by a flood attack?
newbie
Activity: 28
Merit: 0
August 11, 2013, 08:03:12 AM
#20
full member
Activity: 223
Merit: 100
August 11, 2013, 06:07:23 AM
#19
Tried to register, "invalid captcha" :O
Where is the captcha?

Same here.
newbie
Activity: 50
Merit: 0
August 11, 2013, 05:36:56 AM
#18
Tried to register, "invalid captcha" :O
Where is the captcha?
legendary
Activity: 1792
Merit: 1008
/dev/null
August 11, 2013, 05:30:46 AM
#17
haha, i knew its a skiddy Smiley

Sorry, but I don't come under the classification of "Script kiddy". Roll Eyes I built my own computer when I was 13. I do actually have quite a bit of experience in C family coding, I'm just very lazy. People make these tools for a reason, and who am I to insult the coders?

Quote from: 'Lucas Braesch'
I've always been convinced that laziness is the beginning of intelligence Grin

Matthew:out
in this case il take it back, excuse me Wink
full member
Activity: 286
Merit: 100
August 11, 2013, 04:18:55 AM
#16
haha, i knew its a skiddy Smiley

Sorry, but I don't come under the classification of "Script kiddy". Roll Eyes I built my own computer when I was 13. I do actually have quite a bit of experience in C family coding, I'm just very lazy. People make these tools for a reason, and who am I to insult the coders?

Quote from: 'Lucas Braesch'
I've always been convinced that laziness is the beginning of intelligence Grin

Matthew:out
vip
Activity: 1316
Merit: 1043
👻
August 11, 2013, 04:10:21 AM
#15
Do you use socket.io? If yes, I'm probably able to crash your server.
legendary
Activity: 1792
Merit: 1008
/dev/null
August 11, 2013, 03:44:43 AM
#14
haha, i knew its a skiddy Smiley
full member
Activity: 286
Merit: 100
August 11, 2013, 03:43:33 AM
#13
I've just ran w3af on your URL.

[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.serverHeader
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.allowedMethods
[Sun 11 Aug 2013 09:39:51 BST] Auto-enabling plugin: discovery.frontpage_version
[Sun 11 Aug 2013 09:40:00 BST] The page language is: en
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:00 BST] The uri parameter of xUrllib.POST() must be of urlParser.url_object type.
[Sun 11 Aug 2013 09:40:02 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:03 BST] "X-Powered-By" header for this HTTP server is: "Express". This information was found in the request with id 35.
[Sun 11 Aug 2013 09:40:03 BST] Found 1 URLs and 1 different points of injection.
[Sun 11 Aug 2013 09:40:03 BST] The list of URLs is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:03 BST] The list of fuzzable requests is:
[Sun 11 Aug 2013 09:40:03 BST] - http://www.bitstrat.com | Method: GET
[Sun 11 Aug 2013 09:40:03 BST] The web application sent a persistent cookie.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:05 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656"". This vulnerability was found in the request with id 31.

[Sun 11 Aug 2013 09:40:05 BST] The remote HTTP Server omitted the "server" header in its response. This information was found in the request with id 34.
[Sun 11 Aug 2013 09:40:12 BST] Password profiling TOP 100:
[Sun 11 Aug 2013 09:40:12 BST] - [1] BitStrat with 147 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [2] Game with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [3] document with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [4] function with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [5] facebook with 42 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [6] BITSTRAT with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [7] Service with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [8] Bitcoin with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [9] Strategy with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [10] toggle with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [11] connect with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [12] createElement with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [13] collapse with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [14] onload with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [15] Terms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [16] jssdk with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [17] script with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [18] currently with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [19] getElementById with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [20] xfbml with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [21] test with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [22] gamble with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [23] return with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [24] insertBefore with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [25] getElementsByTagName with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [26] Collective with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [27] Register with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [28] beta with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [29] Contact with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [30] appId with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [31] phase with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [32] using with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [33] navbar with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [34] bitcoins with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [35] parentNode with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [36] testnet with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [37] Rooms with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] - [38] Compete with 21 repetitions.
[Sun 11 Aug 2013 09:40:12 BST] The whole target has no protection (X-Frame-Options header) against ClickJacking attack
[Sun 11 Aug 2013 09:40:12 BST] The cookie: "connect.sid=s%3Amb-3-WU9cVSUZVROGdw2TXbR.VGE8WR4XstVwdYu7Y04ws8GRQXIr4XnLtRiTGhaKghffuI3GGmUz4lkwLG3v6KvKUEPoH%2FeKQ2HgMp%2BeRYdS2A; Path=/; Expires=Mon, 12 Aug 2013 08:39:52 GMT" was sent by these URLs:
[Sun 11 Aug 2013 09:40:12 BST] - http://www.bitstrat.com
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 1.
[Sun 11 Aug 2013 09:40:12 BST] The URL: "http://www.bitstrat.com/" discloses the credit card number: "***********7656". This vulnerability was found in the request with id 31
.
[Sun 11 Aug 2013 09:40:12 BST] Scan finished in 20 seconds.

Hopefully this helps somewhat.

Matthew:out
full member
Activity: 286
Merit: 100
August 11, 2013, 03:36:14 AM
#12
Straight away I have found a bug in the register field. It seems to want a captcha solving, which is in fact not there.

I'm using Chromium 28 on Ubuntu Linux.

Matthew:out
newbie
Activity: 28
Merit: 0
August 10, 2013, 01:50:18 PM
#11
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out

Yes white hack away Smiley
newbie
Activity: 28
Merit: 0
August 10, 2013, 01:44:13 PM
#10
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out
DoS (not DOS) != hacking, skiddys...

DoS flood attacks are pretty much unavoidable.. The DoS protection that exists on there now is that game states are auto-saved, and so if server goes down, nothing is lost. Games get paused at the precise state they were at.

By hacking I mean, well, try to find an exploit where you somehow get free coins, or transactions don't occur properly, xss, or somehow break the server, gain access to people's accounts, etc.
legendary
Activity: 1792
Merit: 1008
/dev/null
August 10, 2013, 01:26:43 PM
#9
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out
DoS (not DOS) != hacking, skiddys...
full member
Activity: 286
Merit: 100
August 10, 2013, 12:53:11 PM
#8
I'd attempt a ping flood DOS, but I doubt my ISP is going to be impressed.

Can I claim white hat hacking?

Matthew:out
Pages:
Jump to: