Topic: 🎄 FaucetSystem.com / CryptoBara.com 🎄 - page 15. (Read 37994 times)

sr. member
Activity: 322
Merit: 250
November 18, 2016, 01:54:52 PM
#51
I wanna try, help me
member
Activity: 127
Merit: 10
November 18, 2016, 01:51:14 PM
#50
Code:
Owner of this faucet set a send limit, which was exceeded. Try again in 30 minutes.
Try now.
+100k to balance
legendary
Activity: 1582
Merit: 1031
November 18, 2016, 11:31:34 AM
#49
Now I changed all FaucetBox text to FaucetSystem!
But when I try to withdraw I get:

Code:
Owner of this faucet set a send limit, which was exceeded. Try again in 30 minutes.



But I set all limits to 0!!!

Kind regards
member
Activity: 127
Merit: 10
November 18, 2016, 07:42:31 AM
#48
@Cassielvandisse, check PM.

Some people think that the current settings of Antibot are very aggressive. Soon for every faucet:
sr. member
Activity: 361
Merit: 250
November 18, 2016, 03:07:32 AM
#47
Please add my faucet
http://mmsatoshicoin.ml/
into your faucet list.
Thanks. :)
member
Activity: 127
Merit: 10
November 18, 2016, 01:38:13 AM
#46
How many transaction confirmations does your system need to show my deposit in the balance?
Now - 6.
And minimum deposit - 75 000 sat.

I have claimed four times now. The first didn't work, the second didn't add anything, and the other two appear to have worked.
Do you never turn off your computer?
sr. member
Activity: 272
Merit: 250
November 17, 2016, 08:57:22 PM
#45


I have claimed four times now. The first didn't work, the second didn't add anything, and the other two appear to have worked.

It takes about 4 hours for me after depositing. :D
Just started using with faucetsystem yesterday .
Here is my faucet

http://mmsatoshicoin.ml/

Your faucet appears to be working.
sr. member
Activity: 361
Merit: 250
November 17, 2016, 07:03:48 PM
#44
It takes about 4 hours for me after depositing. :D
Just started using with faucetsystem yesterday .
Here is my faucet

http://mmsatoshicoin.ml/
legendary
Activity: 1582
Merit: 1031
November 17, 2016, 05:24:42 PM
#43
Wow ok how?
How many transaction confirmations does your system need to show my deposit in the balance?

Just made a deposit to test the service... takes a long time to test you XD

legendary
Activity: 971
Merit: 1000
November 17, 2016, 02:33:54 PM
#42
Hi FaucetSystem,

Do we have your API links, where I can make HTTP post requests to make payments?
FaucetBox did have those.. In the dashboard I only see my API key no links or docs on API endpoints.

They use the same as FaucetBOX.com.
full member
Activity: 210
Merit: 100
★Spacey The Bird★ Android Game , Bitco
November 17, 2016, 02:29:42 PM
#41
Hi FaucetSystem,

Do we have your API links, where I can make HTTP post requests to make payments?
FaucetBox did have those.. In the dashboard I only see my API key no links or docs on API endpoints.
hero member
Activity: 718
Merit: 500
November 17, 2016, 01:23:12 PM
#40
Well.. i think that it's a good idea to report vulnerabilities but not publish the technical details to everyone..
People with working faucet bots don't come here and share their code, right? (Or if they do they'll get deleted as soon as a mod finds it)

My opinion.

hero member
Activity: 882
Merit: 976
November 17, 2016, 01:10:39 PM
#39
There's a vulnerability in your handling of IP addresses.

The Ip::get() looks like this:

Code:
// Client-controlled headers are consulted first; REMOTE_ADDR (the socket peer) comes last.
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
    if (array_key_exists($key, $_SERVER) === true) {
        foreach (explode(',', $_SERVER[$key]) as $ip) {
            $ip = trim($ip); // just to be safe
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                if ($_SERVER['SERVER_ADDR'] <> $ip) {
                    return $ip;
                }
            }
        }
    }
}
return '127.0.0.1';

You're blindly trusting headers sent by user. So I can for example do:

Code:
curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that with changing the IP address and I can bypass your antibot system and your timer.

Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.



Please please please report security stuff in PRIVATE msg to dev please.. I don't think posting this here  is a good idea..


It's not a bad idea, as long as the security flaw gets fixed. I, for one, love the transparency that Kaz is providing. It's rare to get support from such an expert, especially for free.

For now, it just means that the transparency shows that there are security flaws with FaucetSystem. Good to know so early on.
legendary
Activity: 971
Merit: 1000
November 17, 2016, 01:10:29 PM
#38
Row 160
Code:
\Session::set('lc', md5(Secure::getRandomString(10)));
This string erases the answer. You can load postClaimThird with the correct answer only one time. If you need to receive a new correct answer, you need to load postClaimSecond.

I'm not convinced. That covers your "Logical captcha". What if owner disabled it and is only using reCaptcha/SolveMedia?



Please please please report security stuff in PRIVATE msg to dev please.. I don't think posting this here  is a good idea..

It's too early for it to have a big impact (it was released just a few hours ago) and these are so obvious that people have to be aware that there are serious security issues with FaucetSystem.com right now. And I also think it's good to show that the admin is open for reports and fixes them quickly. It's good PR if he handles it correctly :)
hero member
Activity: 718
Merit: 500
November 17, 2016, 01:07:27 PM
#37
There's a vulnerability in your handling of IP addresses.

The Ip::get() looks like this:

Code:
// Client-controlled headers are consulted first; REMOTE_ADDR (the socket peer) comes last.
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
    if (array_key_exists($key, $_SERVER) === true) {
        foreach (explode(',', $_SERVER[$key]) as $ip) {
            $ip = trim($ip); // just to be safe
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                if ($_SERVER['SERVER_ADDR'] <> $ip) {
                    return $ip;
                }
            }
        }
    }
}
return '127.0.0.1';

You're blindly trusting headers sent by user. So I can for example do:

Code:
curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that with changing the IP address and I can bypass your antibot system and your timer.

Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.



Please please please report security stuff in PRIVATE msg to dev please.. I don't think posting this here  is a good idea..
member
Activity: 127
Merit: 10
November 17, 2016, 11:59:12 AM
#36
Row 160
Code:
\Session::set('lc', md5(Secure::getRandomString(10)));
This string erases the answer. You can load postClaimThird with the correct answer only one time. If you need to receive a new correct answer, you need to load postClaimSecond.
Receiving the IP address is a painful issue.
legendary
Activity: 971
Merit: 1000
November 17, 2016, 11:29:30 AM
#35
One more thing (sorry for spam).

I've checked the postClaimThird method in Guest controller, and it seems that you don't check if captcha was actually correctly solved in postClaimSecond. You don't store it in session anywhere and you don't check it in postClaimThird. That means that I can just record what request is made on postClaimThird and then send requests directly to it, skipping the postClaimSecond part. Combine that with blindly trusting user headers and I can:

1. bypass captcha
2. bypass timer (by changing to fake IP addresses)
3. bypass your antibot (by changing to fake IP addresses)

I didn't test it though, so I may have missed some protection, but you should take a look at this.

EDIT: maybe focus on security, not features for now :)
legendary
Activity: 971
Merit: 1000
November 17, 2016, 11:14:31 AM
#34
There's a vulnerability in your handling of IP addresses.

The Ip::get() looks like this:

Code:
// Client-controlled headers are consulted first; REMOTE_ADDR (the socket peer) comes last.
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
    if (array_key_exists($key, $_SERVER) === true) {
        foreach (explode(',', $_SERVER[$key]) as $ip) {
            $ip = trim($ip); // just to be safe
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                if ($_SERVER['SERVER_ADDR'] <> $ip) {
                    return $ip;
                }
            }
        }
    }
}
return '127.0.0.1';

You're blindly trusting headers sent by user. So I can for example do:

Code:
curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that with changing the IP address and I can bypass your antibot system and your timer.

Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.



Is adding the "ip" parameter on send the only thing required to integrate with your AntibotInside?
Yes. It's the first phase.
Second: adding statistical analysis.

Thanks, we'll add it when integrating in Faucet in a BOX.
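The two findings in this thread, the spoofable Ip::get() quoted above and the captcha result that postClaimThird never checks (post #35), fixed side by side. This is an added example, not FaucetSystem's or Faucet in a BOX's code: the trusted proxy address, passing a $server array instead of reading $_SERVER, the plain $session array standing in for \Session, and the function bodies for postClaimSecond/postClaimThird are all assumptions made for the demo.

```php
<?php
// Added example, not FaucetSystem's code. Hardened counterpart of the quoted
// Ip::get(): forwarded headers count only when the TCP peer (REMOTE_ADDR) is
// one of our own reverse proxies, and then only the hop appended by that
// proxy, never the client-chosen leftmost value. The proxy address and the
// $server array passed in (instead of reading $_SERVER) are assumptions.

class ClientIp
{
    /** Reverse proxies we operate; assumed address for the demo. */
    private static $trustedProxies = array('10.0.0.5');

    public static function get(array $server)
    {
        $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
        if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
            return null; // no usable socket address: refuse rather than guess
        }
        // Direct connection: the socket peer is the client; headers are ignored.
        if (!in_array($peer, self::$trustedProxies, true)) {
            return $peer;
        }
        if (empty($server['HTTP_X_FORWARDED_FOR'])) {
            return $peer;
        }
        // Behind our proxy: walk X-Forwarded-For from the right, skipping our
        // own proxies; the first other hop is the client. Anything further
        // left was supplied by the client itself and is untrusted.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (in_array($hops[$i], self::$trustedProxies, true)) {
                continue;
            }
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
        }
        return $peer;
    }
}

// Captcha state for the two-step claim (hypothetical stand-ins for the
// controller methods named in the thread; $session stands in for \Session).
// Step two records a verified captcha; step three refuses to pay without that
// record and consumes it, so a replayed postClaimThird request gets nothing.
function postClaimSecond(array &$session, $captchaOk)
{
    if (!$captchaOk) {
        return false;
    }
    $session['captcha_passed_at'] = time();
    return true;
}

function postClaimThird(array &$session, $maxAgeSeconds = 300)
{
    if (!isset($session['captcha_passed_at'])) {
        return 'captcha not solved';
    }
    $age = time() - $session['captcha_passed_at'];
    unset($session['captcha_passed_at']); // single use, whatever happens next
    if ($age > $maxAgeSeconds) {
        return 'captcha expired';
    }
    return 'ok';
}

// Constructed requests for the demo.
$spoofedDirect = array(
    'REMOTE_ADDR'          => '203.0.113.7',  // real client, connected directly
    'HTTP_CLIENT_IP'       => '8.8.8.8',      // the curl trick from the report
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
);
$viaProxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',     // our proxy
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 203.0.113.7', // client lied, proxy appended the truth
);
var_dump(ClientIp::get($spoofedDirect));
var_dump(ClientIp::get($viaProxy));

$session = array();
var_dump(postClaimThird($session));   // nothing recorded in the session yet
postClaimSecond($session, true);
var_dump(postClaimThird($session));   // first claim after a solved captcha
var_dump(postClaimThird($session));   // replay of the same request: flag already consumed
```

Both ClientIp::get() calls resolve to the real client rather than the header value, so rotating Client-IP or X-Forwarded-For per request no longer yields a fresh identity for the timer or the antibot, and the replayed postClaimThird is rejected because the flag was consumed by the previous call. This does not stop a bot that has many real addresses; that is what the statistical analysis mentioned in this thread has to cover.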
member
Activity: 127
Merit: 10
November 17, 2016, 11:13:47 AM
#33
Is adding the "ip" parameter on send the only thing required to integrate with your AntibotInside?
Yes. It's the first phase.
Second: adding statistical analysis.
legendary
Activity: 971
Merit: 1000
November 17, 2016, 11:08:21 AM
#32
Is adding the "ip" parameter on send the only thing required to integrate with your AntibotInside?