Bitcoin Forum>Bitcoin>Project Development
Author

Topic: Is my bitcoin site susceptible to attacks? (Read 710 times)

meadefreling
full member
Activity: 210
Merit: 100
★YoBit.Net★ 350+ Coins Exchange & Dice
Is my bitcoin site susceptible to attacks?
July 14, 2015, 05:11:20 AM
#6
Quote from: coinableS on July 12, 2015, 07:15:54 PM
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalksearch.org/topic/m.8959853


When you battle with the above post of coinableS, you should take this 2 thread into considerations also https://bitcointalksearch.org/topic/easybalance-get-balance-of-list-of-bitcoin-addresses-1121072 and https://bitcointalksearch.org/topic/ann-address-wallet-watcher-blockonomics-880995
They are really good when used positively but their negative usage could make someone to bleed.
S4VV4S
hero member
Activity: 1582
Merit: 502
Re: Is my bitcoin site susceptible to attacks?
July 14, 2015, 04:10:51 AM
#5
Quote from: coinableS on July 12, 2015, 07:15:54 PM
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalksearch.org/topic/m.8959853



Thanks for posting that.
I didn't know about Charles web debugging proxy.
Now I know Smiley
cloverme
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
Re: Is my bitcoin site susceptible to attacks?
July 13, 2015, 09:55:02 PM
#4
Quote from: mcplums on July 12, 2015, 09:54:13 AM
This has been answered elsewhere. The answer was https!

Not all woes are solved by https for making a site secure.

Development guide for secure web apps:  https://github.com/OWASP/DevGuide
Infrastructure scanning: https://www.qualys.com

-Consider where you're hosted, look for a hosting provider that has met NIST, PCI, FINRA, HIPPA or other certifications. No one should be able to call them and social engineer access.

-Review security on your domain. Make sure no one can transfer your domain or call them up and social engineer a transfer or DNS controls.

-Your database should be encrypted in transmit (when you're accessing it) and at rest (when it's offline)

-Enforce strong passwords and multifactor authentication for access, especially for administrative functions.

-Use logging for access for your systems and for your application (add/moves/changes)

-If you use encryption algorithms in your application, avoid SHA1, DES, and MD5. Use key lengths greater than 1024 bits.
-Don't store private keys on the same system or in code. You should make them non-exportable.

Look for other resources to help you develop a secure system and application.


coinableS
legendary
Activity: 1442
Merit: 1186
Re: Is my bitcoin site susceptible to attacks?
July 12, 2015, 07:15:54 PM
#3
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalksearch.org/topic/m.8959853

mcplums
full member
Activity: 146
Merit: 100
Re: Is my bitcoin site susceptible to attacks?
July 12, 2015, 09:54:13 AM
#2
This has been answered elsewhere. The answer was https!
mcplums
full member
Activity: 146
Merit: 100
Re: Is my bitcoin site susceptible to attacks?
July 12, 2015, 09:21:40 AM
#1
I'm creating a bitcoin site which automatically pays out bitcoin under certain circumstances. My plan is to have a php page which accepts data via POST and if the received data is correct it will pay out bitcoins.

I am wondering whether this is safe? The data sent over POST contains all the information required to send bitcoins. Is it possible for some '1337 haxor' to sniff out POST data?

If so, what about if the page that sends data via POST- and the page that receives data via POST- are both hidden behind a logon. I.e. the entire contents of both pages are hidden within a if($login->isUserLoggedIn() == true) statement- is this enough? Or is it trivial to get around this too?

Thanks chaps
Bitcoin Forum>Bitcoin>Project Development
Jump to: