Vulnerabilities ^_^:
XSS (Cross site scripting) in the change seed thingie.
">
There is also no CSRF protection on this either.
Video:
http://gyazo.com/9eaa38097d913eb8b78cd957a94e607e
Possible places for vulnerabilities:
-> On the withdraw page, you've got 2 POST variables, userAmount and realAmount. It seems that you validate userAmount but not realAmount. I can't test it as I cbf depositing $3 into your site, but just make sure that the user can't put userAmount = 0.01 and realAmount = 5 and it will send them 5BTC sort of thing. I doubt you can, but just a heads up.
-> You're able to do negative numbers on roll amounts. Although this probably wouldn't change anything, there isn't any validation for this.
Silly errors:
0.00000100 BTC divided by 2 doesn't equal 5.70000000.
Video:
http://gyazo.com/323eeb6bcc6deef1035005d2ea9b2300
Suggestions:
-> Require a minimum password length. I could have one character and it would accept it. This is just in case of a DB leak, although it's not going to really help that much.
-> Cloudflare would probably be good.
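
Added example, not part of the original post and not the site's code: a server-side sketch of the amount checks raised above, where the payout is recomputed from userAmount, a mismatching realAmount is rejected, and negative or malformed roll amounts are refused. The flat fee, the `amount` field name for rolls, and the function names are assumptions made for illustration.

```python
import re
from decimal import Decimal

WITHDRAW_FEE = Decimal("0.0001")  # assumed flat fee, not taken from the post
# ASCII digits only, no sign, no exponent, at most 8 decimal places.
BTC_RE = re.compile(r"[0-9]{1,8}(\.[0-9]{1,8})?")


class AmountError(ValueError):
    """Raised for any client-supplied amount the server refuses."""


def parse_btc(raw):
    """Turn a form string into a strictly positive Decimal, or raise."""
    if not isinstance(raw, str) or not BTC_RE.fullmatch(raw):
        raise AmountError("malformed amount")  # catches "-1", "1e9", "NaN"
    amount = Decimal(raw)  # exact decimal arithmetic, no float rounding
    if amount <= 0:
        raise AmountError("amount must be positive")
    return amount


def withdraw(form, balance):
    """Return (debit, payout). The payout is derived server-side only."""
    requested = parse_btc(form.get("userAmount"))
    if requested > balance:
        raise AmountError("exceeds balance")
    payout = requested - WITHDRAW_FEE
    if payout <= 0:
        raise AmountError("amount does not cover the fee")
    # realAmount from the client is never used as the payout; if present,
    # it is only compared against the server's own figure to flag tampering.
    if "realAmount" in form and parse_btc(form["realAmount"]) != payout:
        raise AmountError("realAmount does not match server calculation")
    return requested, payout


def place_roll(form, balance):
    """Validate a bet; 'amount' is a hypothetical field name."""
    bet = parse_btc(form.get("amount"))
    if bet > balance:
        raise AmountError("exceeds balance")
    return bet


if __name__ == "__main__":
    # Constructed sample requests.
    print(withdraw({"userAmount": "0.01"}, Decimal("1")))
    for bad in ({"userAmount": "0.01", "realAmount": "5"},):
        try:
            withdraw(bad, Decimal("1"))
        except AmountError as exc:
            print("rejected:", exc)
```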