Pages:
Author

Topic: [Hack-A-Thon: Round 2 ended] Hack my site - page 3. (Read 24419 times)

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 17, 2011, 07:07:01 PM
#31
Hacking has started everyone that has RSVP'd I've sent the details to start the hacks. I will be creating some fake customer accounts.

Good Luck Have fun!
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 17, 2011, 11:10:25 AM
#30
Okay everything should be operational doing some last minute touches on product reviews and rating system. Hack-A-Thon will begin at 12PST and I'll PM everyone when its ready to start

*Edit: I meant to put everything should be operation except for the forgot password because it involved mail and getting mail to send and receive is like the devil trying to get to heaven(It can happen but its going to take a lot of work! PUN INTENDED)

*Update:
I will be setting the cost of all the products to about .01 BTC this way testers can try out the shopping cart system and see if there are any vulnerabilities in that.
There is a Store Credit section in the account details if you want your BTC back just type in your return address and press the "Request Refund" button and I'll send you your "Store Credit" back. It will tell you "Please allow 2-3 days for your refund." This won't be true during testing times I'll send it back to you as soon as I see the request but shouldn't be a big deal how soon you receive it since were dealing with .01BTC's here.

Tip:Looking for security flaws and bugs.


(It willl be another 2 more hours from 12:31PM PST I just realized i didn't patch up somthing)
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 16, 2011, 02:54:04 PM
#29
Forgotten password won't be available for testing tomorrow. I'm still trying to figure out how to get mail to send correctly. As well as set up the receiving end
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 14, 2011, 12:18:10 PM
#28
Edited OP for payment details I've decided.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 14, 2011, 12:09:55 PM
#27
Start Date: August 17th
12 in the afternoon PST.

Use this thread to report bugs. Smiley
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 14, 2011, 07:52:11 AM
#26
Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this....but once you understand it, it's simple to fix...albeit tedious since you have to examine and fix every form post and action URL your users have access to.

Thankfully I only have a few forms most of which everything required a #id number so they were semi safe if the attacker could guess the #id number of the shopping cart they wanted to control but I did have to do some token work on account details so packages won't get shipped in the wrong place Wink
full member
Activity: 140
Merit: 100
August 13, 2011, 07:46:52 PM
#25
Thanks for the bounty!  Glad I could help!

Send me another PM if you need some more help with this....but once you understand it, it's simple to fix...albeit tedious since you have to examine and fix every form post and action URL your users have access to.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 13, 2011, 11:11:51 AM
#24
The link not necessarily has to be on your site...because we all use these forums, I could put a link on the forum..and if someone is logged into your site when they click the link I post here...they can get goxed if your site isn't xsrf safe..

Or, I could post an image here...but the image isnt an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the xsrf...no need to click on a link at all.

That's why its dangerous....cuz the attack doesn't have to come from your site...the user just needs to be logged in to your site.





wow!? This is a crazy type of attack, I must get back to work Wink
full member
Activity: 140
Merit: 100
August 13, 2011, 10:45:38 AM
#23
The link not necessarily has to be on your site...because we all use these forums, I could put a link on the forum..and if someone is logged into your site when they click the link I post here...they can get goxed if your site isn't xsrf safe..

Or, I could post an image here...but the image isnt an image, but a URL instead.  The image will look broken, but as soon as the person's browser tries to fetch it, they trigger the URL with the xsrf...no need to click on a link at all.

That's why its dangerous....cuz the attack doesn't have to come from your site...the user just needs to be logged in to your site.



legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 13, 2011, 10:24:11 AM
#22
And that's why XSRF is so dangerous because it's it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as a HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic..most of it just seems too nerdy and unnecessary because this attack isn't used much....but if there is a hole..especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article...but even if you read the comments, some people still don't get it....XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html





Thanks for this very informative article, I will be researching it to the line, It's crazy the things people come up with to hack something. Cheesy

Edit so As long as I don't allow any links to other websites I'm thinking I should be good.
full member
Activity: 140
Merit: 100
August 13, 2011, 09:09:26 AM
#21
And that's why XSRF is so dangerous because it's it's not intuitive how they work.

You will have to take special care to avoid them.

If a user is logged into my site and your site at the same time, I can get your user to perform any action I want if you're not protected.

A common way to prevent this type of attack is to include a hidden form field in your forms that includes a random token.  Also save this token as a HttpOnly cookie.  When you process the POST response, check that the hidden form field token equals the token set in the user's cookie.  You can also save the token in a database instead of a cookie if you prefer that route.

Some say that simply checking the referrer can stop this attack, but referrer can be spoofed and some secure browsing modes don't send a referrer at all.

It's hard to find good information on this topic..most of it just seems too nerdy and unnecessary because this attack isn't used much....but if there is a hole..especially in a bitcoin related site, you can guarantee someone will find it.

This is somewhat of a good article...but even if you read the comments, some people still don't get it....XSRF isn't XSS at all.  http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html



legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 13, 2011, 08:08:46 AM
#20
Smiley  How's your site coming along anyway?

I just finished patching my XSRF holes Kokjo was kind enough to rub in my face.  Smiley  Don't forget those!  They can be nasty buggers!  Even nastier than a XSS bug because the danger is subtle and may not even be obvious at first.

Wow haven't heard of those attacks yet, I'm not entirely sure I'm covered but the measure I have taken before reading about that kind of attack is this.
I sha512 hash the cookie authentication similar to mining farm except I have removed the annoying 30 minute session limit that was in mining farm you can browse as long as your active for up to an hour of inactivity. I'm hoping that should be enough. I'll give you guys a hint on the frame work for the hashing value.....
Quote
user_ip_address.randomly_generated_secret.user_unhashed_password.auto_updating_ expiration_timestamp

Pseudo code looks something like this
Quote
$CookieIp.$CookieSecret.$Password.$ExpireTimestamp

At the time of writing this, I'm finishing up the last touch and that is user reviews. I hope to start the hack-a-thon on Monday, 15th of August. Cheesy

Edit: all this got me thinking, I'm rewriting the login code to constantly randomly generate a "secret" every-time a page is refreshed just to make it super extra session-hijacking safe

Edit2: I think I'll give some more hints to the people: I have changed my root MySql user name that mysql runs on(wont disclose what the username is) and I have the actual website running through a jailed user, there is no phpMyAdmin(to prevent bruteforce attacks on that), and I've changed my root user name login through SSH. I think I got everything covered as far as securing the actual box, I hope some hackers can prove me wrong Wink
full member
Activity: 140
Merit: 100
August 13, 2011, 07:45:51 AM
#19
Smiley  How's your site coming along anyway?

I just finished patching my XSRF holes Kokjo was kind enough to rub in my face.  Smiley  Don't forget those!  They can be nasty buggers!  Even nastier than a XSS bug because the danger is subtle and may not even be obvious at first.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 13, 2011, 07:12:47 AM
#18
I'm just waiting for the day I find someone to hack who has one of those 3D printers.  I'd hack it and program it to make a zombie robot and have it attack the guy while he's sleeping and steal his mining rigs and all his bitcoinz!


A glimspse t future hacking endevours....
Hide yo bitcoins,hide yo wife.... Run and tell that, run and tell that, home boy ,'home boy
full member
Activity: 140
Merit: 100
August 13, 2011, 04:57:15 AM
#17
I'm just waiting for the day I find someone to hack who has one of those 3D printers.  I'd hack it and program it to make a zombie robot and have it attack the guy while he's sleeping and steal his mining rigs and all his bitcoinz!

member
Activity: 62
Merit: 10
August 12, 2011, 09:52:00 AM
#16
Ok.  I'm ready when you say go!

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 12, 2011, 07:07:18 AM
#15
Yes brandon@sourcewerks, Everything is open for hacking. The exception is anything that could be done to damage my servers hardware, or anything that is irreversible is not allowed. If you think you know of a flaw that would cause such disaster please let me know the steps to come to this conclusion.

Other then that I want everyone to basically just de-face the $*&^T out of my website. You know the kind of attacks you see about when a hacker gets access they usually throw up some swastikas and then scribble latin satan chants overlying the logo. Scince my website is not public(officially) I don't think any consumers are aware of the website either way yet so like i said de-face it!!!! Make people purchase stuff(will implant fake customer accounts just for the sake of proper testing, some will have shipped items, purchased items, items waiting to be purchased,etc, etc). Heres another good idear Hack into my database and  set all paid transaction required to be payed again... go Crazy!!!!^%%#@!! with teh hax!!

Hackthissite.org has a really good hacking philosophy (http://www.hackthissite.org/pages/info/billofrights/)

it says
Quote
2. Users are allowed to explore Hack This Site in search of security holes, bugs, etc. provided that they do not exploit them for destructive purposes. We encourage people to 'hack this site' but we ask that they leave the website up for others to benefit and learn from. More information about hacking this site available here. We ask that you submit a bug report if you do find one.

I hope that clears this up for everyone as I've been thinking about the rules and fine lines my self over the past couple of days, its hard to say "hack my site but don't destroy it" its kind of contradictory but I hope this explains everything.

I don't think there will be any media coverage for Bitcoin convention so I figured I'd let all the bitcoiners that can't make it to the convention be able to pass the time with some hacking? I was thinking the start date 17th and then length of the hackings will go on as long as they must.
member
Activity: 62
Merit: 10
August 11, 2011, 03:58:13 PM
#14
Xenland,

I'll take a crack at it as well.  Just shoot me a PM with the details when you are ready.

And just to be clear, all avenues are open to the hack (minus DDOS obviously)?
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 11, 2011, 01:51:26 PM
#13
Thinking about starting early I'm just doing some touch up's and just messing around on the site to see if i can just randomly break it.
newbie
Activity: 46
Merit: 0
August 06, 2011, 03:45:58 AM
#12
I'd be glad to test you're site for vulnerabilities, just hit me up when it's ready.
Pages:
Jump to: