Topic: Ice-Dice.com Bug Bounty Program On Testnet Subdomain (Read 2246 times)

full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
Sahil Saif recommended turning Nginx's server_tokens off to remove the Nginx version number from the header string.

"The server string is the header which is sent back to the client to tell
them what type of http server you are running and possibly what version.
This string is used by places like Alexia and Netcraft to collect statistics
about how many and of what type of web server are live on the Internet. To
support the author and statistics for Nginx we recommend keeping this string
as is"

Since Nginx recommended keeping it as is, we don't think this is a security vulnerability, but to thank Sahil Saif for his participation a small reward will be given to him and he will be added to the non-severe award list.
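The header being discussed is the HTTP Server response header; the point of `server_tokens off;` is that the product name survives but the version disappears. The script below is an added example (not code from the thread or from Ice-Dice) that parses a Server header value and reports whether any product token still carries a version, which is the check a reviewer would run against the site before and after the directive is changed. The header values are constructed samples, not captured from any real host.

```javascript
// Added example, not from the original thread: does an HTTP "Server"
// response header still disclose a product version? Turning nginx's
// server_tokens directive off changes "nginx/1.4.7" into plain "nginx".

// Matches "product/version" tokens such as "nginx/1.4.7" or "Apache/2.4.1".
const VERSION_TOKEN = /^[A-Za-z][\w.-]*\/\d+(?:\.\d+)*/;

// Parse a Server header into its product tokens. RFC 7231 allows several
// tokens separated by whitespace, each optionally followed by a
// parenthesised comment such as "(Ubuntu)", which carries no version.
function parseServerHeader(value) {
  if (typeof value !== 'string') return [];
  return value
    .replace(/\([^)]*\)/g, ' ')   // drop comments
    .split(/\s+/)
    .filter(Boolean)
    .map((tok) => {
      const m = VERSION_TOKEN.exec(tok);
      const [product, version] = tok.split('/');
      return { product, version: m ? version : null };
    });
}

// True when any token in the header carries a version number.
function disclosesVersion(value) {
  return parseServerHeader(value).some((t) => t.version !== null);
}

// Constructed samples (assumed values, not observed on any host): what the
// header looks like with server_tokens on, with it off, a fuller Apache
// banner for comparison, and a response with no Server header at all.
const SAMPLE_HEADERS = {
  tokensOn: 'nginx/1.4.7',
  tokensOff: 'nginx',
  apacheFull: 'Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f',
  missing: undefined,
};

// Run the check over every sample and return a name -> boolean report.
function auditSamples(samples = SAMPLE_HEADERS) {
  const report = {};
  for (const [name, value] of Object.entries(samples)) {
    report[name] = disclosesVersion(value);
  }
  return report;
}

console.log(auditSamples());
```

In practice the value passed to `disclosesVersion` would come from the `server` header of a response to the site under test; the parser deliberately ignores parenthesised comments so that "(Ubuntu)" does not produce a false alarm, and it treats a missing header as non-disclosing.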
member
Activity: 70
Merit: 10
Expert Computer Geek
Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

Bug Disclosures:

Christy Philip Mathew found a local XSS bug in the next field entering the name text field. JavaScript input was escaped on the server side, but was displayed on the client side in the HTML without escaping, so no code injection could be made other than on the attacker's own computer.

The following 3 members all reported the same bug at about the same time, which is a non-severe XSS in the URL that could only execute an alert message. document.location and document.cookie could not be executed, so we deem this bug to be not severe.
- Issam Rabhi - @Issam_Rabhi
- Anand M
- Siddhesh Gawde

A small bitcoin reward has been sent for all these disclosures as a token of thanks.


whatever mate, this is rubbish >> I guess your site will be taken down at any rate! (stay tuned)  Grin LOL

*BTW*>>I'M SELLING MY ICE-DICE INVESTMENT ACCOUNTS 10BTC EACH!!! soon 20BTC IMHO!!!

http://www.youtube.com/watch?v=ol-gCriUYWI
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

Bug Disclosures:

Christy Philip Mathew found a local XSS bug in the next field entering the name text field. JavaScript input was escaped on the server side, but was displayed on the client side in the HTML without escaping, so no code injection could be made other than on the attacker's own computer.

The following 3 members all reported the same bug at about the same time, which is a non-severe XSS in the URL that could only execute an alert message. document.location and document.cookie could not be executed, so we deem this bug to be not severe.
- Issam Rabhi - @Issam_Rabhi
- Anand M
- Siddhesh Gawde

A small bitcoin reward has been sent for all these disclosures as a token of thanks.
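The name-field bug above follows a common pattern: the server escapes what it stores, but a client-side template writes the raw field value into the page, so the escaping never reaches the sink that matters. The snippet below is an added example (not code from the thread or from Ice-Dice) showing the vulnerable renderer beside the hardened one. Both build the HTML string a page would hand to innerHTML, so no DOM is needed to compare them; the class name `player-name` and the sample input are assumptions for illustration.

```javascript
// Added example, not from the original thread: output escaping for a
// user-controlled name that is rendered by client-side code.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can change HTML structure or break out of a
// quoted attribute. Safe for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: trusts the field value the user just typed, which is
// exactly the "escaped on the server, raw on the client" mistake described
// in the disclosure.
function renderNameUnsafe(name) {
  return `<span class="player-name">${name}</span>`;
}

// Hardened renderer: escape at the point of output, regardless of whatever
// the server did with its own copy of the value.
function renderNameSafe(name) {
  return `<span class="player-name">${escapeHtml(name)}</span>`;
}

// Review helper: does the rendered fragment contain any tag other than the
// single <span> wrapper the renderer itself produced?
function containsUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span(\s|>)/.test(t));
}

// Constructed sample input of the kind the report describes (assumed, not
// taken from the actual report).
const SAMPLE_NAME = '<script>alert(1)</script>';

// Compare both renderers on the same input; true means injected markup.
function demo(name = SAMPLE_NAME) {
  return {
    unsafe: containsUnexpectedTags(renderNameUnsafe(name)),
    safe: containsUnexpectedTags(renderNameSafe(name)),
  };
}

console.log(demo());
```

Setting `textContent` instead of `innerHTML` achieves the same result without a manual escaper; the string-based version is shown so the two outputs can be inspected side by side.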
member
Activity: 70
Merit: 10
Expert Computer Geek
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?



All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you want me to?  Grin

I wrote you a letter by the way, you might want to take a look:

https://bitcointalksearch.org/topic/cease-and-desist-letter-to-asicsrus-318830
I wrote you a post by the way, you might want to take a look:

http://investorshub.advfn.com/boards/read_msg.aspx?message_id=93410746
member
Activity: 70
Merit: 10
Expert Computer Geek
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?



All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you want me to?  Grin

I wrote you a letter by the way, you might want to take a look:

https://bitcointalksearch.org/topic/cease-and-desist-letter-to-asicsrus-318830

(entertainment only type posts you kno/\\/)


Trying to wrap my head around the crimes committed by David Lee.

Here's what I have and would like to know what others think.

Tax fraud - USA Canada United Kingdom Russia
Sales of unregistered securities - USA (SEC civil) United Kingdom
Stock manipulation - USA civil and criminal
Money laundering - USA Canada United Kingdom Russia..whoops EVERYWHERE
being an idiot :   Grin LOL
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?



All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you want me to?  Grin

I wrote you a letter by the way, you might want to take a look:

https://bitcointalksearch.org/topic/cease-and-desist-letter-to-asicsrus-318830
member
Activity: 70
Merit: 10
Expert Computer Geek
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?



All IP is open, and VPN should be allowed.

I reported your first bugs and you try to throw me under the bus, watch me "test" your real site...lol you need me to?  Grin


http://www.youtube.com/watch?v=5_JmXCNPs6Y
sr. member
Activity: 294
Merit: 250
By the way, I noticed the original post is very similar to https://coinbase.com/whitehat (including the mistake of an unknown maximum payout, but this one at least has a 10x higher minimum payout). I don't think this is a coincidence, and I know about other sites like facebook.com/whitehat and https://www.google.com/about/appsecurity/reward-program/.

Since there was no effort in writing it, can you please give proper attribution to where you borrowed this text from? Something like, "Like theothersite/whitehat, we at someservice are launching ..."
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?



All IP is open, and VPN should be allowed.
member
Activity: 70
Merit: 10
Expert Computer Geek
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?

I can turn OUR site off whenever, lol =)
newbie
Activity: 54
Merit: 0
Ok, I will check later, crawl for info and run some automated tests, but it is intensive for my CPU so I will wait until it is not in use.

Can you allow all IPs? The VPN I use is blocked; if I use my home IP my ISP can ban me. It is counterproductive to have any IP filter for a server running tests. The server may automatically block an IP for too many requests; we know this works, so can you turn it off?

member
Activity: 70
Merit: 10
Expert Computer Geek
To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability, you post his IP? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other information you might collect) private? He/she might be trying to help you after all... If I had any interest in this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay; "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

You are right, I had a misunderstanding. At the time I thought he was being malicious, and what he was doing looked like a DDoS, so I posted his IP. It was a mistake I shouldn't have made.

Why not put the test site on a different server? A vulnerability scan is intensive; what do you want the India guy to do, go page by page manually?
At minimum one needs to run a crawler and catch all files and pages to look at manually.

It is on a different server. You are right, I had a misunderstanding. I thought he was being malicious.

PS. This ASICSRUS guy is a troll. Just look at his post history. He blackmails and spreads rumours about all the casino owners in order to extort bitcoins.
((((STOP))))

so getting paid out is extortion? bwaahahahaa you must be joking?  Cheesy are you familiar with the bitcoin foundation? roff!!!

http://www.youtube.com/watch?v=QPENXsJz32I
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability, you post his IP? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other information you might collect) private? He/she might be trying to help you after all... If I had any interest in this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay; "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

You are right, I had a misunderstanding. At the time I thought he was being malicious, and what he was doing looked like a DDoS, so I posted his IP. It was a mistake I shouldn't have made.

Why not put the test site on a different server? A vulnerability scan is intensive; what do you want the India guy to do, go page by page manually?
At minimum one needs to run a crawler and catch all files and pages to look at manually.

It is on a different server. You are right, I had a misunderstanding. I thought he was being malicious.

PS. This ASICSRUS guy is a troll. Just look at his post history. He blackmails and spreads rumours about all the casino owners in order to extort bitcoins.
newbie
Activity: 54
Merit: 0
Why not put the test site on a different server? A vulnerability scan is intensive; what do you want the India guy to do, go page by page manually?
At minimum one needs to run a crawler and catch all files and pages to look at manually.
member
Activity: 70
Merit: 10
Expert Computer Geek
To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability, you post his IP? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other information you might collect) private? He/she might be trying to help you after all... If I had any interest in this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay; "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.

x10, thank you for keeping it real! This guy refuses to even pay me out; I reported ice-dice "bugs" from day one!  Cry
Fvkk you for logging bitcoiners ip addresses ice-dice David!
sr. member
Activity: 294
Merit: 250
To the guy with IP: 115.242.186.210 from Chennai, India:

So if someone tries to find a vulnerability, you post his IP? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other information you might collect) private? He/she might be trying to help you after all... If I had any interest in this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay; "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
Do not test on the main site, use http://testnet.ice-dice.com only! If you exploit the main site, you will not be eligible for rewards!
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
To the guy with IP: (edit: sorry, shouldn't have posted this) from Chennai, India:

You are flooding the server with the same POST request over and over again. The CSRF protection is automatically blocking your submission and what you are doing won't actually find any bugs. It will just waste bandwidth.
full member
Activity: 154
Merit: 100
Ice-Dice.com | Massive Referral Bonus!
Christy Philip Mathew - @christypriory found a non-severe bug that will not cause financial loss or data breach. A smaller reward was given to thank him for his effort.
member
Activity: 70
Merit: 10
Expert Computer Geek
what is your offering? I already explained you are skating on very thin ice! I'd appreciate it if you paid me out the 1BTC you owe me, then we can talk about your status operating like you do.  Cool security? lol google : Apex