Topic: [CLOSED] ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings! (Read 2459 times)

member
Activity: 85
Merit: 10
1h79nc
And purchase another server to run ejabberd on for frontend.ziggap.com. Unless that's part of the service somehow.

SSH should be using /etc/hosts.allow. No reason to let every IP connect to it.
You could also set up a service like OpenVPN (UDP + drops any packets that don't have the HMAC = very good stealth) and then run SSH & XMPP inside the VPN so there are no TCP ports open to the outside world except 80 and 443.

Surface area, etc.
legendary
Activity: 2072
Merit: 1001
SSH should be using /etc/hosts.allow. No reason to let every IP connect to it.
member
Activity: 117
Merit: 100
Life is short, play long
Not a security flaw, but a bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the text boxes; I had to look in the source to see which field is for what (IE)...

The text boxes have labels in them, until you click in the text box and start typing.

I understand what you mean; I see them in the source, however they do not show up in my Internet Explorer...

EDIT: see screenshot below
BCB
vip
Activity: 1078
Merit: 1002
BCJ
Not a security flaw, but a bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the text boxes; I had to look in the source to see which field is for what (IE)...

The text boxes have labels in them, until you click in the text box and start typing.

They have "placeholders", not "labels".
member
Activity: 87
Merit: 10
Not a security flaw, but a bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the text boxes; I had to look in the source to see which field is for what (IE)...

The text boxes have labels in them, until you click in the text box and start typing.
member
Activity: 117
Merit: 100
Life is short, play long
Not a security flaw, but a bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the text boxes; I had to look in the source to see which field is for what (IE)...
legendary
Activity: 1554
Merit: 1021
Quote
Orders must be performed by a person under 100 years old

LOL
member
Activity: 87
Merit: 10
No security issues found so far, however several people have tried to reset our Google Apps password.

This type of hacking is tough...

We also have two-factor auth on any sensitive Google Apps accounts, all of our systems use full HDD encryption, and we take every possible step to ensure that anything accessing the administrative sections of our system (or any sensitive information at all, for that matter) is absolutely secure.

Even if someone broke into our car or house there is nothing they would be able to steal that would give them access to anything sensitive.
legendary
Activity: 2072
Merit: 1001
No security issues found so far, however several people have tried to reset our Google Apps password.

This type of hacking is tough.

First, a brand new Linux install. No one is going to share an OpenSSH bug for remote access for this type of money, let alone any webserver bug for remote access (Apache/nginx). So getting in remotely the "old fashioned" way is nigh impossible. Based on a quick scan I recall only seeing 3 ports being open and reachable. The rest are firewalled.

Now let's talk about your website's code. It is a very simple design. The number of pages is very small, and that makes for fewer opportunities compared to a large website with many things going on. I wanted to "buy" some bitcoins, but due to a typo in my first try it seems like it locked me out for some unknown amount of time. That alone makes me think anyone who wants to try SQL injection had better have some serious time on their hands, because the code will probably reject the attempts based on some value (IP address, cookie, whatever). So your attempts will just go in the trash and miss the main parts of the code (guessing here).

I see that you used Google for your incoming email. I guess your domain is set up with them, or it is forwarded to a server which blocks port 25 for everyone except Google. Well, hacking Google is probably not a good idea to try ;-) and that's one less port to talk to (Postfix I imagine, for sending only). I see you mentioned resetting of the password for Google Apps. Last I checked, social engineering of a Google support person is needed to make that happen. See here for the trouble it takes to do such a hack: http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app

So honestly... the only real vector of attack that you are expecting is SQL injection, in my mind. And if the programmer spent just a few hours validating user-inputted data via code it will be impossible.

Unless of course you desire for the attacker to, well, attack you personally. Perhaps break into your apt/home and steal your fricking PC. Maybe the company you work at is not as secure and you access your website from work. Perhaps you have other projects going on that do not deal with bitcoins and are sitting on a server 5 years old. Maybe you keep something juicy in your car. Etc... But I do not think anyone here wants to commit a felony crime for a few bucks, let alone hunt you down in this manner.

So I guess I am out of the hunt, because the last major bug I found was years ago and that was for a local root. I also think SQL injection may be very time consuming to attempt based on my brief poking around last night.
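Added example (not code from the thread or from ZIGGAP): what "validate user-inputted data, then let the database handle the query" looks like for the buy-order form discussed earlier in this thread. An address is only accepted if it passes Base58Check (alphabet, length and double-SHA256 checksum), the payment method must come from a whitelist, and the insert is parameterised so the address string never becomes SQL text. The payment-method names, the orders table and the in-memory SQLite database are constructed assumptions.

```python
import hashlib
import sqlite3
from typing import Optional

# Bitcoin's Base58 alphabet: no 0, O, I or l, so most junk fails fast.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Hypothetical whitelist for the "Select payment method" drop-down.
ALLOWED_METHODS = {"bank_transfer", "cash_deposit"}


def decode_base58check(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160) of a legacy
    Base58Check address, or None if the format or checksum is wrong."""
    if not 25 <= len(addr) <= 35 or any(c not in ALPHABET for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + ALPHABET.index(c)
    # Every leading '1' stands for one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def open_orders_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's orders table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, payment_method TEXT, address TEXT)")
    return conn


def create_order(conn: sqlite3.Connection, payment_method: str, addr: str) -> Optional[int]:
    """Reject bad input with a clear result instead of a 502, then insert
    with a parameterised query so the address never becomes SQL text."""
    if payment_method not in ALLOWED_METHODS:
        return None          # covers the "Select nothing" case from the thread
    if decode_base58check(addr) is None:
        return None          # typo, wrong checksum, or an injection attempt
    cur = conn.execute(
        "INSERT INTO orders (payment_method, address) VALUES (?, ?)",
        (payment_method, addr),
    )
    conn.commit()
    return cur.lastrowid
```

The known-valid address used in the checks below is the Bitcoin genesis block's coinbase address; a one-character change to it fails the checksum and is rejected before any SQL runs.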
member
Activity: 87
Merit: 10
No security issues found so far, however several people have tried to reset our Google Apps password.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
For any whitehats who don't want to use bitcoin, I will pay you for each of the remaining "flags" that you find.
legendary
Activity: 2072
Merit: 1001
Man, made a typo when creating an order... now it's making me wait forever to try again.
You should say how long a person has to wait.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?

Ok, you say the secrets are hidden on your servers:

Quote
are several strings or "flags". All of these strings start with secret_

But the bitcoins are stored in bitcoin addresses derived from those, so sharing the addresses helps us see the bitcoins really exist and verify they were really created from those "secrets" in the first place. Hope it helps.

Apologies, it looks like there is a miscommunication. You are not hacking into the bitcoin addresses themselves. At the moment only testnet BTC are stored in our hot wallet. For example, if you manage to compromise that hot wallet and locate the secret there (there's one hint for you), and explain to us how you did it, we will send you real BTC.

Now I understand how it goes, thanks
member
Activity: 87
Merit: 10
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?

Ok, you say the secrets are hidden on your servers:

Quote
are several strings or "flags". All of these strings start with secret_

But the bitcoins are stored in bitcoin addresses derived from those, so sharing the addresses helps us see the bitcoins really exist and verify they were really created from those "secrets" in the first place. Hope it helps.

Apologies, it looks like there is a miscommunication. You are not hacking into the bitcoin addresses themselves. At the moment only testnet BTC are stored in our hot wallet. For example, if you manage to compromise that hot wallet and locate the secret there (there's one hint for you), and explain to us how you did it, we will send you real BTC.
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?

Ok, you say the secrets are hidden on your servers:

Quote
are several strings or "flags". All of these strings start with secret_

But the bitcoins are stored in bitcoin addresses derived from those, so sharing the addresses helps us see the bitcoins really exist and verify they were really created from those "secrets" in the first place.

Edit: Hope I understood correctly the terms.
legendary
Activity: 2072
Merit: 1001
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?

18MjdXpTyek3ESTPc2HCQnATv1jY4acUeR

Let's see where the next might hide. I knew there would be low-hanging fruit to start, but the rest will be tougher.

Sent. TXNID c7381205d6120103fda2807f2ffdb4f107f2b413c46c7cb58fc3c36063c75a68

thank you.
member
Activity: 87
Merit: 10
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?
member
Activity: 87
Merit: 10
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?

18MjdXpTyek3ESTPc2HCQnATv1jY4acUeR

Let's see where the next might hide. I knew there would be low-hanging fruit to start, but the rest will be tougher.

Sent. TXNID c7381205d6120103fda2807f2ffdb4f107f2b413c46c7cb58fc3c36063c75a68
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
ZIGGAP LLC has entered into its crowd-sourced security auditing phase. Up for grabs are BTC80.5 in possible winnings.

Hidden in multiple sensitive locations of ZIGGAP.com's website and servers are several strings or "flags". All of these strings start with secret_. Each string is worth BTC10. Except for one of them. It's significantly smaller. If you find it you'll know why.

If you locate any one of these strings, just send us an email to [email protected] with the exact steps you took to compromise the server or site and the exact string which you located. The first person to send us a string gets the winnings for it.

D/DOS attacks will NOT qualify you for winnings. These are not security breaches.

Good luck.

-ZIGGAP

Can you post all the corresponding bitcoin addresses? Thanks
legendary
Activity: 2072
Merit: 1001
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?

18MjdXpTyek3ESTPc2HCQnATv1jY4acUeR

Let's see where the next might hide. I knew there would be low-hanging fruit to start, but the rest will be tougher.