Author

Topic: Is my bitcoin site susceptible to attacks? (Read 710 times)

full member
Activity: 210
Merit: 100
★YoBit.Net★ 350+ Coins Exchange & Dice
July 14, 2015, 05:11:20 AM
#6
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalksearch.org/topic/m.8959853


When you battle with the above post of coinableS, you should take this 2 thread into considerations also https://bitcointalksearch.org/topic/easybalance-get-balance-of-list-of-bitcoin-addresses-1121072 and https://bitcointalksearch.org/topic/ann-address-wallet-watcher-blockonomics-880995
They are really good when used positively but their negative usage could make someone to bleed.
hero member
Activity: 1582
Merit: 502
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalksearch.org/topic/m.8959853



Thanks for posting that.
I didn't know about Charles web debugging proxy.
Now I know Smiley
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
This has been answered elsewhere. The answer was https!

Not all woes are solved by https for making a site secure.

Development guide for secure web apps:  https://github.com/OWASP/DevGuide
Infrastructure scanning: https://www.qualys.com

-Consider where you're hosted, look for a hosting provider that has met NIST, PCI, FINRA, HIPPA or other certifications. No one should be able to call them and social engineer access.

-Review security on your domain. Make sure no one can transfer your domain or call them up and social engineer a transfer or DNS controls.

-Your database should be encrypted in transmit (when you're accessing it) and at rest (when it's offline)

-Enforce strong passwords and multifactor authentication for access, especially for administrative functions.

-Use logging for access for your systems and for your application (add/moves/changes)

-If you use encryption algorithms in your application, avoid SHA1, DES, and MD5. Use key lengths greater than 1024 bits.
-Don't store private keys on the same system or in code. You should make them non-exportable.

Look for other resources to help you develop a secure system and application.


legendary
Activity: 1442
Merit: 1186
Quote
Is it possible for some '1337 haxor' to sniff out POST data?

Be careful with sending sensitive information as POST data with PHP. A user can use a breakpoint like with Charles Proxy to examine and even edit POST data.

http://www.tinywall.info/2014/04/how-to-edit-request-response-hack-tamper-website-any-browser-from-PC-with-Charles.html
http://www.charlesproxy.com/documentation/proxying/breakpoints/

Here's a lesson I learned when launching a BTC game and using POST data instead of a DB to communicate important information.
https://bitcointalksearch.org/topic/m.8959853

full member
Activity: 146
Merit: 100
This has been answered elsewhere. The answer was https!
full member
Activity: 146
Merit: 100
I'm creating a bitcoin site which automatically pays out bitcoin under certain circumstances. My plan is to have a php page which accepts data via POST and if the received data is correct it will pay out bitcoins.

I am wondering whether this is safe? The data sent over POST contains all the information required to send bitcoins. Is it possible for some '1337 haxor' to sniff out POST data?

If so, what about if the page that sends data via POST- and the page that receives data via POST- are both hidden behind a logon. I.e. the entire contents of both pages are hidden within a if($login->isUserLoggedIn() == true) statement- is this enough? Or is it trivial to get around this too?

Thanks chaps
Jump to: