
Topic: Hack me (reward) (Read 881 times)

hero member
Activity: 588
Merit: 500
Get ready for PrimeDice Sig Campaign!
January 07, 2015, 11:13:09 PM
#8
Quote:
very nice sum up ;)
I'd like to add: bitcoind which has access to funds should not run on the same machine as the webserver.
And if you use a salt, don't reuse it.

Yep, I am not reusing salts; they are randomly generated when the user creates an account, but stored in the same table as their username and password. I use SHA256 for password hashing, and it is hashed 65 thousand times.
bitcoind will not be run on the same server.
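The per-user random salt and 65,000-round SHA-256 scheme described in this post, as an added example in Python (not the site's own code). It assumes PBKDF2-HMAC-SHA256 as the iteration construction and a constructed dict standing in for the MySQL users table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Parameters modelled on the post: a random salt per user, stored in that
# user's row, and SHA-256 iterated 65,000 times. PBKDF2-HMAC-SHA256 is used as
# the standard construction for iterating SHA-256 (assumption, not site code).
ITERATIONS = 65_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's own salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


# Constructed stand-in for the users table: username -> (salt, digest).
UserTable = Dict[str, Tuple[bytes, bytes]]

# Row used for unknown usernames so the lookup still costs a full PBKDF2 run.
DUMMY_ROW = hash_password("dummy-password-for-unknown-users")


def register(table: UserTable, username: str, password: str) -> None:
    table[username] = hash_password(password)


def login(table: UserTable, username: str, password: str) -> bool:
    """Generic failure path: an unknown user and a wrong password both do the
    same amount of work, so the response does not reveal which one it was."""
    salt, digest = table.get(username, DUMMY_ROW)
    ok = verify_password(password, salt, digest)
    return ok and username in table
```

Two users who pick the same password end up with different digests because each row carries its own salt, which is the reason the thread warns against reusing one.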
sr. member
Activity: 266
Merit: 250
January 07, 2015, 11:07:59 PM
#7
Quote:
very nice sum up ;)
I'd like to add: bitcoind which has access to funds should not run on the same machine as the webserver.
And if you use a salt, don't reuse it.
hero member
Activity: 588
Merit: 500
Get ready for PrimeDice Sig Campaign!
January 07, 2015, 11:07:18 PM
#6
Quote:
Yup, in the interim you could always change the port numbers as well until you can upgrade your infrastructure. A quick fix would be to filter out the input characters: " ; ' - / * xp_ \ and %. In addition to that, you can redirect all your 40x error pages back to your login page. You usually have to create the pages and then tell the webserver that you have those pages.

You might also want to capture the login IP address and then, for x amount of failed logins, lock out that IP address by adding it to the firewall as a block. This will help prevent someone running a dictionary attack on your login code. You might want to add a timer or captcha after a failed login as well. In the error messages, don't distinguish between a failed username or password; I think you just display a generic error message, which is good. If you decide on a password reset function, whether the email address exists or not, don't display an error message if someone submits a bad email address.

Netnames has a bad history of having some lax security for social engineering; if someone figures out your real name, they may attempt to contact them and social engineer a password reset on your VPS account. What I usually tell people is to contact them in advance and tell them to deny all password and email change resets over the phone and call you back on your mobile phone. They have a notes field in their customer management system (I think they use Salesforce) so that your request gets honored. You might have to ask for a supervisor, but they will do it.

Lastly, you might want to throw in what I call a fake breadcrumb trail or Chum in your php/html. In the comments section of your login page, deposit, or withdrawal page, something that goes like this:
Code:
/* Hot wallet is located at fake.ip.address and rpc login is fakepassword on port fakeport.  */

It won't fool everyone, but you can at least redirect some of the snooping elsewhere. I would also create a fake directory in the php directory called wallet and put a wallet.dat file in there with 0 btc in it or dust. That way if someone breaks in, they'll go for the easy target. You can then monitor the file for access or the wallet balance to see if it gets nabbed.

In your database, don't call the password field "password"; call it something else like "indexing", etc., and then dump fake unencrypted passwords into the password field. I often create fake user, password, and email tables for my applications. That way, if someone steals the password database, they'll go for the low-hanging fruit, buying yourself some time. Also, avoid MD5 and SHA1 for encryption; I'm sure you already know this, but just putting it out there. When you salt your passwords, don't store the salt in the config files. You can also write a function to scan for a specific account in there, like Admin and P@ssw0rd, so if someone uses them, you'll get some type of alert and then a shutdown function, so you know your username and password table has been compromised and it powers down (or disables) the services, preventing additional loss.


These tips are extremely helpful. Putting fake info somewhere that isn't in plain sight, but is easily accessible by a decent programmer, would be very helpful, because they would spend hours on that IP. The fake MySQL columns are also a great idea and I think I may use this in the final copy. The salts are generated differently and are unique to each user, so there isn't one main salt. Currently I don't have incorrect password protection (since it's still the test phase), but I will also add this. I also don't have any IP protection, and I think I will make the user re-login if the IP changes.
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
January 07, 2015, 11:00:14 PM
#5
Yup, in the interim you could always change the port numbers as well until you can upgrade your infrastructure. A quick fix would be to filter out the input characters: " ; ' - / * xp_ \ and %. In addition to that, you can redirect all your 40x error pages back to your login page. You usually have to create the pages and then tell the webserver that you have those pages. Like so: http://httpd.apache.org/docs/2.4/custom-error.html

You might also want to capture the login IP address and then, for x amount of failed logins, lock out that IP address by adding it to the firewall as a block. This will help prevent someone running a dictionary attack on your login code. You might want to add a timer or captcha after a failed login as well. In the error messages, don't distinguish between a failed username or password; I think you just display a generic error message, which is good. If you decide on a password reset function, whether the email address exists or not, don't display an error message if someone submits a bad email address.

Netnames has a bad history of having some lax security for social engineering; if someone figures out your real name, they may attempt to contact them and social engineer a password reset on your VPS account. What I usually tell people is to contact them in advance and tell them to deny all password and email change resets over the phone and call you back on your mobile phone. They have a notes field in their customer management system (I think they use Salesforce) so that your request gets honored. You might have to ask for a supervisor, but they will do it. You can also help mitigate someone finding your hosts by using Cloudflare to help mask some of your DNS lookup traffic; plus, Cloudflare has some DDoS features too for cheap. It's not foolproof, but it will keep the kiddies at bay.

Lastly, you might want to throw in what I call a fake breadcrumb trail or Chum in your php/html. In the comments section of your login page, deposit, or withdrawal page, something that goes like this:
Code:
/* Hot wallet is located at fake.ip.address and rpc login is fakepassword on port fakeport.  */

It won't fool everyone, but you can at least redirect some of the snooping elsewhere. I would also create a fake directory in the php directory called wallet and put a wallet.dat file in there with 0 btc in it or dust. That way if someone breaks in, they'll go for the easy target. You can then monitor the file for access or the wallet balance to see if it gets nabbed.

In your database, don't call the password field "password"; call it something else like "indexing", etc., and then dump fake unencrypted passwords into the password field. I often create fake user, password, and email tables for my applications. That way, if someone steals the password database, they'll go for the low-hanging fruit, buying yourself some time. Also, avoid MD5 and SHA1 for encryption; I'm sure you already know this, but just putting it out there. When you salt your passwords, don't store the salt in the config files. You can also write a function to scan for a specific account in there, like Admin and P@ssw0rd, so if someone uses them, you'll get some type of alert and then a shutdown function, so you know your username and password table has been compromised and it powers down (or disables) the services, preventing additional loss.
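The failed-login lockout, the single generic error message, and the Admin/P@ssw0rd canary-account shutdown from this post, combined into one piece of server-side logic. This is an added Python example, not code from the post or the site; the thresholds, the injectable clock and the canary pair are constructed or taken from the post's suggestion.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5               # failures from one IP inside WINDOW_SECONDS ...
WINDOW_SECONDS = 600           # ... before that IP is locked out
LOCKOUT_SECONDS = 3600
GENERIC_MSG = "login failed"   # same text for bad user, bad password, lockout

# Constructed honeytoken credentials (assumption): they exist in the table only
# as bait, so any login attempt with them means the table has leaked.
CANARY_ACCOUNTS = {("Admin", "P@ssw0rd")}


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.blocked_until = {}              # ip -> time the lockout expires
        self.alerts = []                     # (ip, username) canary hits
        self.disabled = False                # the post's "shutdown" switch

    def is_blocked(self, ip):
        return self.now() < self.blocked_until.get(ip, 0)

    def record_failure(self, ip):
        """Sliding-window count; returns True when the IP just got locked out."""
        t = self.now()
        q = self.failures[ip]
        q.append(t)
        while q and q[0] < t - WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.blocked_until[ip] = t + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def attempt(self, ip, username, password, check):
        """check(username, password) is the real credential lookup."""
        if (username, password) in CANARY_ACCOUNTS:
            self.alerts.append((ip, username))
            self.disabled = True             # stop all logins until reviewed
            return False, GENERIC_MSG
        if self.disabled or self.is_blocked(ip):
            return False, GENERIC_MSG
        if check(username, password):
            self.failures.pop(ip, None)      # success clears the IP's counter
            return True, "ok"
        self.record_failure(ip)
        return False, GENERIC_MSG
```

The firewall block the post describes would hang off `record_failure` returning True; here the lockout is enforced in the application so the behaviour can be exercised offline.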

sr. member
Activity: 294
Merit: 250
Mercurial
January 07, 2015, 10:31:27 PM
#4
I like this idea; being able to have both 'parties' benefit from bug fixing seems really generous.
hero member
Activity: 588
Merit: 500
Get ready for PrimeDice Sig Campaign!
January 07, 2015, 09:24:40 PM
#3
Quote:
The following should return "login failed", but loads a 403 page when the code is loaded into the login name field. Check the OWASP.org page for catching SQL injection. Also, run all the tests on this page:
http://www.joellipman.com/articles/web-development/503-basic-tests-for-sql-injection-vulnerabilities.html

Code:
' or 1=1--

Edit: I would also recommend turning off ICMP on your firewall as well, and restricting FTP to your IP address or a private interface only accessible via a VPN.
Code:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 20:32. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

Overall, sign up with qualys for a system scan.
Hello, thanks for the help. The FTP is just a testing thing; this won't be the final server. Restricting the IP is a good idea, but my IP changes too much for now; maybe if the site gets larger I will do this.
How would I prevent the 403 page? I'm using PDO, so injection is much harder, but it still looks like it gives 403 errors on my PHP pages. Even when I am submitting HTML into the search field (this is cleaned using htmlentities) it still gives 403.
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
January 07, 2015, 08:03:49 PM
#2
The following should return "login failed", but loads a 403 page when the code is loaded into the login name field. Check the OWASP.org page for catching SQL injection. Also, run all the tests on this page:
http://www.joellipman.com/articles/web-development/503-basic-tests-for-sql-injection-vulnerabilities.html

Code:
' or 1=1--

Edit: I would also recommend turning off ICMP on your firewall as well, and restricting FTP to your IP address or a private interface only accessible via a VPN.
Code:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 20:32. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

Overall, sign up with qualys for a system scan.
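The `' or 1=1--` test from this post, run against a login query that concatenates input beside one that uses placeholders (what PDO prepared statements, which the OP mentions, give you). This is an added Python example, not code from the post or the site; it assumes an in-memory sqlite3 table as a stand-in for the MySQL one, with constructed rows.

```python
import sqlite3

INJECTION = "' or 1=1--"   # the test string from the post


def make_db():
    """Constructed stand-in for the site's users table: sqlite3 in memory
    rather than MySQL (assumption); 'pwhash' stands for the stored hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return db


def login_concat(db, username, pwhash):
    """Vulnerable: input is spliced into the SQL text, so a stray quote plus a
    '--' comment rewrites the WHERE clause and the password check vanishes."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pwhash = '%s'"
           % (username, pwhash))
    row = db.execute(sql).fetchone()
    return "login ok" if row else "login failed"


def login_param(db, username, pwhash):
    """Hardened (what PDO prepared statements give you): placeholders keep the
    input as data, so the same string is merely a username that does not exist."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return "login ok" if row else "login failed"
```

With placeholders the application answers "login failed" for the test string, which is the response the post says it should return; a 403 before the query runs comes from something in front of the PHP code, not from the query itself.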
hero member
Activity: 588
Merit: 500
Get ready for PrimeDice Sig Campaign!
January 07, 2015, 07:09:39 PM
#1
Got a dice site which I would like to make public.
I've gotten lots of bug fixes, but there have been no more problems reported for the past while, and I've fixed everything people have suggested.
I will offer 0.001 per bug, and if you can get into my MySQL database / hack your balance / hack your bet, whatever, I will pay you 0.05 BTC.
There's no VPS or anything hooked up to it right now, so you won't be able to steal funds ;)
Url:
http://cryptobets.co/dicefull/index.php