Look for bugs in website | Bitcointalksearch.org

mxnsch

sr. member

Activity: 471

Merit: 252

Quote from: Robertt on January 22, 2016, 07:44:07 AM

Quote from: Bitcoin_Delivery on January 22, 2016, 07:42:49 AM

Hi Rob....basically i still didn't understand what you sell with packages...
Daily Package / $3....for what?
No doubt that t site isn't a scam, but would be nice if you can explain to me (and others) what function your site have?
You sell "mining power" or what?
Thanks!

It's an account generator. I would look for bugs my self but I'm not on a pc right now so that limits my abilities.
@mxnsch Thanks for that, the first two aren't really bugs but the last three I'll count. what's your btc address?

I have to insist, those first are bugs security-wise and shall be addressed following best practices to secure customer data.

Please keep your BTC, i am doing professional penetration tests and was just having fun during a 5 minute lunch break. If you pay me, this would feel like work Grin

Cheers and best of luck

Sigals

member

Activity: 76

Merit: 10

Quote from: Robertt on January 22, 2016, 07:49:44 AM

Quote from: Sigals on January 22, 2016, 07:48:02 AM

Quote from: Robertt on January 22, 2016, 07:04:56 AM

Quote from: Sigals on January 22, 2016, 07:03:39 AM

Password is sent in plaintext when logging in - this isn't very good.

Password should be hashed client side and only the hash sent.

Actually, the password is hashed on my side. I'll look around the code and see if it's sent in plaintext although I'm pretty sure it isn't. How'd you find that?

You can see the POST request to login.php here https://i.imgur.com/PAJUukQ.png

Look at the form data sent - password is in plaintext.

Strange, I'm getting is as MD5.
I'll tighten it up on the new domain to a better encryption method.
What's your btc address

-- all payments will be sent within 24 hours from now

1LYkfhN97MdEt74uWhmYmZ53KbJ4iFJBcs

I'm not seeing any javascript being loaded to hash the password client-side, might want to check that.

TastyChillySauce00

legendary

Activity: 2982

Merit: 1028

Leading Crypto Sports Betting & Casino Platform

better for you to give a demo account mentioned on first post because not all of people want to sign up even it only take 5 minutes, just "demo" as user and password , simple but helpful

Robertt

member

Activity: 112

Merit: 10

Quote from: Sigals on January 22, 2016, 07:48:02 AM

Quote from: Robertt on January 22, 2016, 07:04:56 AM

Quote from: Sigals on January 22, 2016, 07:03:39 AM

Password is sent in plaintext when logging in - this isn't very good.

Password should be hashed client side and only the hash sent.

Actually, the password is hashed on my side. I'll look around the code and see if it's sent in plaintext although I'm pretty sure it isn't. How'd you find that?

You can see the POST request to login.php here https://i.imgur.com/PAJUukQ.png

Look at the form data sent - password is in plaintext.

Strange, I'm getting is as MD5.
I'll tighten it up on the new domain to a better encryption method.
What's your btc address

-- all payments will be sent within 24 hours from now

Sigals

member

Activity: 76

Merit: 10

Quote from: Robertt on January 22, 2016, 07:04:56 AM

Quote from: Sigals on January 22, 2016, 07:03:39 AM

Password is sent in plaintext when logging in - this isn't very good.

Password should be hashed client side and only the hash sent.

Actually, the password is hashed on my side. I'll look around the code and see if it's sent in plaintext although I'm pretty sure it isn't. How'd you find that?

You can see the POST request to login.php here https://i.imgur.com/HZL5V22.png

Look at the form data sent - password is in plaintext.

Robertt

member

Activity: 112

Merit: 10

Quote from: Bitcoin_Delivery on January 22, 2016, 07:42:49 AM

Hi Rob....basically i still didn't understand what you sell with packages...
Daily Package / $3....for what?
No doubt that t site isn't a scam, but would be nice if you can explain to me (and others) what function your site have?
You sell "mining power" or what?
Thanks!

It's an account generator. I would look for bugs my self but I'm not on a pc right now so that limits my abilities.
@mxnsch Thanks for that, the first two aren't really bugs but the last three I'll count. what's your btc address?

Bitcoin_Delivery

hero member

Activity: 952

Merit: 500

Hi Rob....basically i still didn't understand what you sell with packages...
Daily Package / $3....for what?
No doubt that t site isn't a scam, but would be nice if you can explain to me (and others) what function your site have?
You sell "mining power" or what?
Thanks!

mxnsch

sr. member

Activity: 471

Merit: 252

Quote from: Robertt on January 22, 2016, 12:12:54 AM

Bitcointap.xyz
I'll pay 0.0005 per small bug.
All payments will be sent within 12 hours.
Thanks, let me know if you find anything :-)

I was a little bored and there are indeed a couple of issues with your site.

Here are my findings after 5 minutes of fiddling:

Code:

* You should enable a forced password complexity
* Accounts should be forced to validate via mail (or just don't ask for email if you dont need it)
* If a support ticket is submitted, there is an error "Forbidden, You don't have permission to access /support.php on this server."
* If i enter a XSS locator [1] in username and password, your login form fails
[1]

Robertt

member

Activity: 112

Merit: 10

Quote from: xinzark on January 22, 2016, 07:12:03 AM

I don't think I found much things to report but when I try to click Profile/settings/messages with my phone in chrome browser site doesn't respond or nothing happens. Don't know if it is any bug or those pages aren't ready

And the password accepting function is also not that great. I signed up with a 1 digit password and your site allowed me to do that. Make users to enter at least 6 digit password for their own safety otherwise you will have face problems in future about hacked account issues

And I can't even understand what your site is about Tongue

Users are responsible for their own account.
The site is an account generator on an old domain, getting another one today.
If an account is hacked there isn't a problem, I'll just reset their password. It takes a few minutes to report it. Either way, use a stronger password and you'll be fine.

xinzark

legendary

Activity: 1120

Merit: 1001

I don't think I found much things to report but when I try to click Profile/settings/messages with my phone in chrome browser site doesn't respond or nothing happens. Don't know if it is any bug or those pages aren't ready

And the password accepting function is also not that great. I signed up with a 1 digit password and your site allowed me to do that. Make users to enter at least 6 digit password for their own safety otherwise you will have face problems in future about hacked account issues

And I can't even understand what your site is about Tongue

Robertt

member

Activity: 112

Merit: 10

Quote from: Sigals on January 22, 2016, 07:03:39 AM

Password is sent in plaintext when logging in - this isn't very good.

Password should be hashed client side and only the hash sent.

Actually, the password is hashed on my side. I'll look around the code and see if it's sent in plaintext although I'm pretty sure it isn't. How'd you find that?

Sigals

member

Activity: 76

Merit: 10

Password is sent in plaintext when logging in - this isn't very good.

Password should be hashed client side and only the hash sent.

rajat08

full member

Activity: 182

Merit: 100

Quote from: Robertt on January 22, 2016, 06:03:51 AM

Quote from: BitBustah on January 22, 2016, 05:33:14 AM

I signed up. Got no email -- is that normal?

Once signed in I can only view the "Purchase" page. Not else opens. Normal?

Yeah, I've got no content in the dashboard yet
Nothing else opens yet because for new users it's only purchase page
I think I'll add a bug testing group

I think its better to finish the whole website then ask people to test. Its better that way. Anyways best of luck to you for sales with the generator.

Robertt

member

Activity: 112

Merit: 10

Quote from: BitBustah on January 22, 2016, 05:33:14 AM

I signed up. Got no email -- is that normal?

Once signed in I can only view the "Purchase" page. Not else opens. Normal?

Yeah, I've got no content in the dashboard yet
Nothing else opens yet because for new users it's only purchase page
I think I'll add a bug testing group

BitBustah

hero member

Activity: 1218

Merit: 534

I signed up. Got no email -- is that normal?

Once signed in I can only view the "Purchase" page. Not else opens. Normal?

Robertt

member

Activity: 112

Merit: 10

Yeah, I don't have a PayPal account atm
Anyway I'll send you both 0.001 in 5 hours :-)
thanks

Alaki

sr. member

Activity: 266

Merit: 250

Quote from: Robertt on January 22, 2016, 02:36:43 AM

Alright, I've fixed up most of the site.

Good. Site looks decent.

Quote from: Robertt on January 22, 2016, 02:36:43 AM

Ignore the profile/settings page, still a work in progress.

Yep, jacee pointed it out. They sh'ld be rewarded.

Quote from: Robertt on January 22, 2016, 02:36:43 AM

The rest should work, please let me know if you find anything wrong.

Basically, I/anyone Can't buy a package.
Error by paypal ->

Quote from: Robertt on January 22, 2016, 02:36:43 AM

Also want to know if there are any problems while signing up or logging in.

It's fine/working.

P.S. Mah BTC address -> 18kW8q61si6KnhBGMtj8PfJs8Zhrsrux3A

Robertt

member

Activity: 112

Merit: 10

Alright, I've fixed up most of the site. Ignore the profile/settings page, still a work in progress.
The rest should work, please let me know if you find anything wrong.
Thanks. Also want to know if there are any problems while signing up or logging in

jacee

legendary

Activity: 1302

Merit: 1024