Author

Topic: FREE Security audit for your company/website >>LIMITED TIME<< (Read 527 times)

member
Activity: 97
Merit: 10
Hey members of bitcointalk,

For a limited time (while I actually have the spare time), I'm willing to offer FREE security audits for your company or website. Security is vital in the technological age that we are in and it's better to fix them now before it severely impacts your company in the future. Companies such as Poloniex and Mt Gox were hit hard when hackers stole millions worth of bitcoins.

What do I provide?
  • Any vulnerabilities I find within your website.
  • Suggestions to fix vulnerabilities I find within your website.
  • Possible vulnerabilities within your website in the future.
  • Any points of weakness with the setup of your website.

Guarantees
  • Any vulnerabilities found will be sent back to you promptly and I can help you fix them if need be.
  • No information about security holes in your website will be published.
  • I DO NOT GUARANTEE I WILL FIND ALL SECURITY HOLES.

What I require from you
  • Proof of ownership of the website through one of the following:
    • Upload a page to the root directory of your website with the text "Free Security Audit 1084".
    • An email from the email listed on the whois of the website.

Of course some of you will be a bit sceptic on why I would bother doing this for free but I personally enjoy learning more about possible security holes in different kinds of sites and helping people resolve them before they become an issue. I also am currently studying this area in my college degree, however I've been interested and have participated in this area for many years. I personally also have an extensive background in PHP and .NET development so I'd be happy to look through code as well if need be.

Send me a PM with proof of ownership or post here and I'll get started ASAP!




Vouches on BitcoinTalk
Sent you a few errors that you may want to look at Wink.

Congrats and Thanks to PotatoPie on finding a Major Bug!

Vulnerabilities ^_^:
XSS (Cross site scripting) in the change seed thingie.
Code:
">
There is also no CSRF protection on this either.
Video: http://gyazo.com/9eaa38097d913eb8b78cd957a94e607e

Possible places for vulnerabilities:
->On the withdraw page, you've got 2 post variables userAmount and realAmount. It seems that you validate userAmount but not realAmount. I cant test it as I cbf depositing $3 into your site but just make sure that the user cant put userAmount = 0.01 and realAmount = 5 and it will send them 5BTC sort of thing. I doubt you can, but just a heads up.
-> You're able to do negative numbers on roll amounts. Although this probably wouldn't change anything, there isn't any validation for this.

Silly errors:
0.00000100 BTC divide by 2 doesn't equal 5.70000000 Wink.
Video: http://gyazo.com/323eeb6bcc6deef1035005d2ea9b2300

Suggestions:
-> Require a minimum password length. I could have one character and it would accept it. This is just in case of a DB leak, although it's not going to really help that much.
-> Cloudflare would probably be good.

ill add a token and a sanitiser to the clientseed form today.

regarding the useramount. all calculations and processes are based on useramount. so if useramount is messed with. it doesnt really matter. it gets displayed. and is an inpit yes. but does not get processed

(havent watched videos yet, im on mobile atm) so ill adress those as soon as i can

pass length: your 100% right

ill add you to the list of rewards and ill reply regarding the videos when i gwt to the office.

thx

I can also provide off site proof if you would like to view that as well.
Jump to: