Vulnerabilities ^_^:
XSS (Cross site scripting) in the change seed thingie.
">
There is also no CSRF protection on this either.
Video:
http://gyazo.com/9eaa38097d913eb8b78cd957a94e607e
Possible places for vulnerabilities:
-> On the withdraw page, you've got 2 POST variables, userAmount and realAmount. It seems that you validate userAmount but not realAmount. I can't test it as I cbf depositing $3 into your site, but just make sure that the user can't put userAmount = 0.01 and realAmount = 5 and have it send them 5 BTC, sort of thing. I doubt you can, but just a heads up.
-> You're able to do negative numbers on roll amounts. Although this probably wouldn't change anything, there isn't any validation for this.
Silly errors:
0.00000100 BTC divided by 2 doesn't equal 5.70000000
Video:
http://gyazo.com/323eeb6bcc6deef1035005d2ea9b2300
Suggestions:
-> Require a minimum password length. I could have one character and it would accept it. This is just in case of a DB leak, although it's not going to really help that much.
-> Cloudflare would probably be good.
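As an added illustration of the withdraw and client-seed points above (example code, not the site's own; the fee model, field names beyond userAmount/realAmount, and the session layout are assumptions), this is how a handler can ignore the client-supplied realAmount entirely, reject negative or over-precise amounts, check a CSRF token, and escape the seed before reflecting it:

```python
from decimal import Decimal, InvalidOperation
from html import escape
import hmac
import secrets

SATOSHI = Decimal("0.00000001")

def parse_btc_amount(raw):
    """Strict parse of a user-supplied BTC amount: decimal, positive, satoshi precision."""
    try:
        value = Decimal(str(raw))
    except (InvalidOperation, ValueError):
        return None
    if not value.is_finite() or value <= 0:
        return None  # rejects negative roll/withdraw amounts, NaN and Infinity
    if value.quantize(SATOSHI) != value:
        return None  # finer than a satoshi cannot be paid out
    return value

def issue_csrf_token(session):
    """Bind a fresh random token to the session; the form must echo it back."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def handle_withdraw(form, session):
    """Validate a withdraw POST. userAmount is the only client input that is
    read; the amount actually sent is recomputed here, never taken from realAmount."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.get("csrf_token", "")):
        return {"ok": False, "error": "bad csrf token"}
    amount = parse_btc_amount(form.get("userAmount"))
    if amount is None:
        return {"ok": False, "error": "invalid amount"}
    if amount > session["balance"]:
        return {"ok": False, "error": "insufficient balance"}
    # Hypothetical 0.1% fee: realAmount is derived server-side from the validated input.
    fee = (amount * Decimal("0.001")).quantize(SATOSHI)
    return {"ok": True, "debit": amount, "send": amount - fee}

def render_client_seed(seed):
    """HTML-escape the seed before it is reflected into the page, so a value
    such as "> cannot break out of the input attribute."""
    return escape(str(seed), quote=True)
```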
I'll add a token and a sanitiser to the clientseed form today.
Regarding the useramount: all calculations and processes are based on useramount, so if useramount is messed with it doesn't really matter. It gets displayed, and is an input, yes, but does not get processed.
(Haven't watched the videos yet, I'm on mobile atm) so I'll address those as soon as I can.
Pass length: you're 100% right.
I'll add you to the list of rewards and I'll reply regarding the videos when I get to the office.
thx