Tibia Auction Market [BETA] - Looking for testers
Furpan
10-15-2014, 07:05 PM
I've been developing a project during my free time, called Tibia Auction Market (TAM), where you can buy, bid or sell Tibia items for real money with people that will be marked by their trading reputation.
There's no real money nor actual items involved yet as I wanna make sure the site is working and secure, that's why I'm looking for a few testers to explore and exploit the site as much as possible, and to give me some feedback on the look and feel of it.
If you want to apply for a beta account, just register at the site and post your public username in this thread.
Testers will be rewarded when the site is out of beta (Some gold or a deposit coupon of $5-$10).
Testers will have access to a special page allowing them to give money and items to themselves, as well as sending bug reports directly to my inbox.
Having money and items allows beta testers to create auctions and bid or purchase items on the market.
Website can be found here:
http://4pan-dev.com/projects/tibia-market/
raiQi
10-15-2014, 07:09 PM
Done.
Username: Rose
Furpan
10-15-2014, 07:10 PM
Done.
Username: Rose
You now have a beta account, thanks <3
Edit: Forgot to remove my own mail for verification when debugging, you should all get the emails in YOUR mail from now on.
Also made an account, username: SMEG
Pinnicle
10-15-2014, 08:53 PM
Username: Pinnicle
Kociii
10-15-2014, 09:46 PM
Username: Kociii
<3
Spectrus
10-16-2014, 12:42 AM
Spectrus
Can you just verify that e-mail for me? :c
DarkstaR
10-16-2014, 12:56 AM
WHEN THERES A FUCKING FORM ERROR AND YOU SHOW THE ERRORS, KEEP THE VALID FIELDS FUCKING FILLED YOU GOD DAMN NAZI
DarkstaR
10-16-2014, 01:05 AM
give "pentest" some damn beta status so i can hack your database
Furpan
10-16-2014, 01:08 AM
fakjo fixed & fixed & fixed
now gimme mod or sad :(
DarkstaR
10-16-2014, 01:52 AM
1. Strip commas from numbers
2. 4294967295 (0xFFFFFFFF hex or -1 signed int) gets interpreted as -1 ("Sorry, your lowest bid must be a positive value."). You should use unsigned integers instead of signed integers.
DarkstaR
10-16-2014, 02:02 AM
3. If I give an invalid item ID I can get some pretty significant information disclosure
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'item_name' cannot be null' in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php:220 Stack trace: #0 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php(220): PDOStatement->execute(Array) #1 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/account.php(390): user->create_item('26', '2013', '1', 'Amera') #2 {main} thrown in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php on line 220
4. Based on this, I can do some path traversal. It's not initially useful, but if I start at "http://4pan-dev.com/projects/tibia-market/engine/function/", I have a base API directory to start brute-forcing file names for interesting data. There's nothing preventing me from querying these files (I can 'render' "http://4pan-dev.com/projects/tibia-market/engine/function/users.php"). If I try to change directories, I will get a 403 forbidden when the directory exists but a 404 not found when it doesn't. Writing a script to find every file in your API, and trying to DDoS/crash/exploit the site by 'rendering' the internal files becomes easy from this point.
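An added example (not code from the Tibia Auction Market site) covering items 1 to 3 above: strip thousands separators and range-check the bid as a real integer, reject unknown item IDs before the INSERT, and catch PDOException so the browser never sees the stack trace with the server paths. The function, table and column names (parse_bid, items, inventory, min_bid) are assumptions; the bid column is assumed to be an unsigned 32-bit INT and PHP is assumed to be 64-bit, so 4294967295 fits in a native int.

```php
<?php
// Added example, not the project's own code. Table/column names are assumptions.
declare(strict_types=1);

// Keep the column bound explicit instead of trusting the driver's signed/unsigned view.
const MAX_BID = 4294967295;

/**
 * Parse a user-supplied amount such as "1,500" or "4294967295".
 * Returns the integer, or null when the value is not a positive integer in range.
 */
function parse_bid(string $raw): ?int
{
    // Item 1: allow thousands separators by stripping commas before validation.
    $clean = str_replace(',', '', trim($raw));
    // FILTER_VALIDATE_INT rejects floats, hex and anything outside PHP_INT_MAX,
    // so 4294967295 is compared as a real integer instead of wrapping to -1 (item 2).
    $value = filter_var($clean, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_BID],
    ]);
    return $value === false ? null : $value;
}

/** Item IDs are small positive integers; anything else is rejected up front. */
function parse_item_id(string $raw): ?int
{
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/** Look the item up; an unknown ID yields null instead of a NULL item_name (item 3). */
function find_item_name(PDO $db, int $itemId): ?string
{
    $stmt = $db->prepare('SELECT name FROM items WHERE id = :id');
    $stmt->execute([':id' => $itemId]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

/** Handler for the "create item" form; returns the message to show the user. */
function handle_create_item(PDO $db, array $post): string
{
    $itemId = parse_item_id((string) ($post['item_id'] ?? ''));
    $bid    = parse_bid((string) ($post['min_bid'] ?? ''));
    if ($itemId === null || $bid === null) {
        return 'Sorry, the item ID and lowest bid must be positive whole numbers.';
    }
    try {
        $name = find_item_name($db, $itemId);
        if ($name === null) {
            return 'Sorry, that item does not exist.';
        }
        $stmt = $db->prepare(
            'INSERT INTO inventory (item_id, item_name, min_bid) VALUES (:id, :name, :bid)'
        );
        $stmt->execute([':id' => $itemId, ':name' => $name, ':bid' => $bid]);
        return 'Item created.';
    } catch (PDOException $e) {
        // Detail goes to the server log only; the user sees no paths, tables or SQLSTATE.
        error_log('create_item failed: ' . $e->getMessage());
        return 'Sorry, something went wrong. Please try again later.';
    }
}

// Constructed sample run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec('CREATE TABLE inventory (item_id INTEGER, item_name TEXT NOT NULL, min_bid INTEGER)');
$db->exec("INSERT INTO items VALUES (3318, 'Knight Axe')");

var_dump(parse_bid('1,500'));        // commas stripped, in range
var_dump(parse_bid('4294967295'));   // in range, no wrap to -1
var_dump(parse_bid('4294967296'));   // above the column bound, rejected
var_dump(parse_bid('-1'));           // negative, rejected
echo handle_create_item($db, ['item_id' => '3318', 'min_bid' => '2000']), "\n";
echo handle_create_item($db, ['item_id' => '99999', 'min_bid' => '2000']), "\n";
```

The try/catch only hides the detail from the response; production php.ini should also have display_errors off so any uncaught error elsewhere is logged rather than rendered. For item 4, the engine/function directory belongs outside the web root (or behind a deny rule), so its files cannot be requested directly at all.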
Elvang
10-16-2014, 02:13 AM
3. If I give an invalid item ID I can get some pretty significant information disclosure
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'item_name' cannot be null' in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php:220 Stack trace: #0 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php(220): PDOStatement->execute(Array) #1 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/account.php(390): user->create_item('26', '2013', '1', 'Amera') #2 {main} thrown in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php on line 220
4. Based on this, I can do some path traversal. It's not initially useful, but if I start at "http://4pan-dev.com/projects/tibia-market/engine/function/", I have a base API directory to start brute-forcing file names for interesting data. There's nothing preventing me from querying these files (I can 'render' "http://4pan-dev.com/projects/tibia-market/engine/function/users.php"). If I try to change directories, I will get a 403 forbidden when the directory exists but a 404 not found when it doesn't. Writing a script to find every file in your API, and trying to DDoS/crash/exploit the site by 'rendering' the internal files becomes easy from this point.
Wrecked
DarkstaR
10-16-2014, 02:16 AM
5. I shouldn't be able to set buyout to the same price as minimum bid, it makes 0 sense.
DarkstaR
10-16-2014, 02:23 AM
6. THE GOLDMINE : XSS INJECTION : You do not verify the world name. By setting the world name to:
Amera\0\n�<script>SOME JAVASCRIPT HERE</script>
I am able to execute arbitrary javascript in the victim's browser.
In this case, I rickrolled your dumbass.
Amera\0\n�<iframe width='640' height='360' src='//www.youtube.com/embed/dQw4w9WgXcQ?feature=player_detailpage' frameborder='0' allowfullscreen></iframe>
http://4pan-dev.com/projects/tibia-market/auction.php
http://i.imgur.com/EXRaz2N.png
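An added example (not the site's own code) of the defence for item 6: reject control characters on input, and HTML-escape every user-controlled field at output time so a world name cannot inject markup whatever its length. The row template and field names are assumptions; the sample payload is constructed to carry the same ingredients as the one reported above (a NUL byte, a newline and a lone invalid UTF-8 byte).

```php
<?php
// Added example, not the project's own code.
declare(strict_types=1);

/** Input-side check: names never legitimately contain control characters. */
function has_control_chars(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

/** Escape a value for insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES: escape both ' and " so attribute contexts are safe too.
    // ENT_SUBSTITUTE: replace invalid UTF-8 (the lone \xA0 byte below) with U+FFFD
    // instead of returning an empty string, which would silently hide the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one auction row; every field passes through h(), no exceptions. */
function render_auction_row(array $auction): string
{
    return '<tr><td>' . h($auction['item_name']) . '</td>'
         . '<td data-world="' . h($auction['world']) . '">' . h($auction['world']) . '</td>'
         . '<td>' . h((string) $auction['min_bid']) . '</td></tr>';
}

// Constructed sample: a world name carrying NUL, newline, an invalid byte and a script tag.
$poisoned = "Amera\0\n\xA0<script>alert(1)</script>";

// First line of defence: the value should never have been accepted.
var_dump(has_control_chars($poisoned));

// Second line of defence: even if it was stored, it renders as inert text.
$row = render_auction_row([
    'item_name' => 'Knight Axe',
    'world'     => $poisoned,
    'min_bid'   => 2000,
]);
echo $row, "\n";

// Checks usable in a unit test: no raw tag from user input survives escaping.
assert(strpos($row, '<script') === false);
assert(strpos($row, '&lt;script&gt;') !== false);
```

Length limits (the "string limitation fix" mentioned later) do not help here: a 20-character budget still fits a script tag. Escaping at output is what makes the stored value harmless, and the input check keeps junk like NUL bytes out of the table in the first place.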
DarkstaR
10-16-2014, 02:32 AM
Am I too good?
DarkstaR
10-16-2014, 02:36 AM
7. More information disclosure. If you give an invalid ID to view an auction, you get a pop-up that says
DataTables warning: table id=DataTables_Table_0 - Requested unknown parameter '1' for row 0. For more information about this error, please see http://datatables.net/tn/4
This is useful because now I know the name of a database table if I want to start trying to SQL inject, and I also know the database library you are using, so I can start looking for specific vulnerabilities in that software.
http://4pan-dev.com/projects/tibia-market/auction.php?id=1234567
Furpan
10-16-2014, 02:39 AM
Elvang
Thanks for input
DarkstaR
The beta panel will not be there if/once it'll be public, why did you have to make me semi-fix that? aef
But thanks for helping out <3
p.s that popup is only for tables, it doesn't interact with the database whatsoever
DarkstaR
10-16-2014, 02:43 AM
@Elvang (http://forums.xenobot.net/member.php?u=21)
Thanks for input
@DarkstaR (http://forums.xenobot.net/member.php?u=2)
The beta panel will not be there if/once it'll be public, why did you have to make me semi-fix that? aef
But thanks for helping out <3
Regardless, it is bad. You are storing world names as a string field in inventory item, which is inefficient. There should be a table of world names with an integer primary key that is used to reference them from the inventory table.
Also, the BETA panel may just be BETA, but if there is a way for users to select what world their item is on, the flaw will always exist (given your current database structure).
DarkstaR
10-16-2014, 02:45 AM
8. Case in point: even with your string limitation fix, I can still insult you
http://i.imgur.com/WM3fy5q.png
Furpan
10-16-2014, 03:01 AM
Regardless, it is bad. You are storing world names as a string field in inventory item, which is inefficient. There should be a table of world names with an integer primary key that is used to reference them from the inventory table.
Also, the BETA panel may just be BETA, but if there is a way for users to select what world their item is on, the flaw will always exist (given your current database structure).
True, fixed that
DarkstaR
10-16-2014, 05:17 PM
True, fixed that
Why can I still use the world name "Balls", then?
My original proposal meant the worlds table should be read-only. The values in your drop-down should be like 1-n, where 1 is AMERA and n is the last world in the list. Your worlds table should look something like this:
id PRIMARY KEY | name
1 | Amera
2 | Antica
... | ...
n | Zanera
The query should look something like this
SELECT * FROM auctions LEFT JOIN worlds ON auctions.worldId = worlds.id WHERE worlds.name IS NOT NULL AND (whatever other criteria here)
There are 2 major reasons to do this:
1. It reduces your possible attack surface by reducing the amount of data users are allowed to place raw inside your database.
2. It makes the database more space-efficient, as there will not be duplicate strings for world names all over the place.
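An added example (not the site's own code) of the read-only worlds table described above: the form submits only the integer id, the server accepts an id only if it exists in the worlds table, and the listing joins back to worlds for the name. The table layout follows the sketch above; SQLite is used so the example runs stand-alone, and only three world names are seeded (a constructed subset).

```php
<?php
// Added example, not the project's own code. SQLite stands in for the real database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('PRAGMA foreign_keys = ON');   // SQLite enforces FKs only when asked
$db->exec('CREATE TABLE worlds (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE auctions (
    id        INTEGER PRIMARY KEY,
    item_name TEXT    NOT NULL,
    worldId   INTEGER NOT NULL REFERENCES worlds(id),
    min_bid   INTEGER NOT NULL
)');
// Seeded once by the site owner; the web application only ever reads this table.
$seed = $db->prepare('INSERT INTO worlds (name) VALUES (:name)');
foreach (['Amera', 'Antica', 'Zanera'] as $name) {   // constructed subset of worlds
    $seed->execute([':name' => $name]);
}

/** Build the drop-down: the option value is the id, the label is the name. */
function world_select_html(PDO $db): string
{
    $html = '<select name="world_id">';
    foreach ($db->query('SELECT id, name FROM worlds ORDER BY name') as $row) {
        $html .= sprintf('<option value="%d">%s</option>',
            $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
    }
    return $html . '</select>';
}

/** Resolve a submitted world id; null when it is not a known world. */
function lookup_world_id(PDO $db, string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM worlds WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchColumn() === false ? null : $id;
}

/** Create an auction; free-text world names never reach the table. */
function create_auction(PDO $db, string $itemName, string $rawWorldId, int $minBid): bool
{
    $worldId = lookup_world_id($db, $rawWorldId);
    if ($worldId === null) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO auctions (item_name, worldId, min_bid) VALUES (:item, :world, :bid)'
    );
    return $stmt->execute([':item' => $itemName, ':world' => $worldId, ':bid' => $minBid]);
}

/** Listing query: the JOIN guarantees every row shown carries a name from worlds. */
function list_auctions(PDO $db): array
{
    return $db->query(
        'SELECT auctions.id, auctions.item_name, worlds.name AS world, auctions.min_bid
           FROM auctions JOIN worlds ON auctions.worldId = worlds.id
          ORDER BY auctions.id'
    )->fetchAll(PDO::FETCH_ASSOC);
}

echo world_select_html($db), "\n";
var_dump(create_auction($db, 'Knight Axe', '1', 2000));      // Amera: accepted
var_dump(create_auction($db, 'Knight Axe', 'Balls', 2000));  // not an integer: rejected
var_dump(create_auction($db, 'Knight Axe', '9999', 2000));   // unknown id: rejected
print_r(list_auctions($db));
```

The foreign key is the backstop: even if some other code path skipped lookup_world_id, the database itself refuses a worldId that is not in worlds.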
DarkstaR
10-16-2014, 05:26 PM
9. I'm worried about the in-browser pagination. What happens when finished auctions becomes 10k+ auctions? Storing 1000 pages in the browser will be essentially DoSing the end-user's browser.
DarkstaR
10-16-2014, 05:34 PM
10. I'm not sure what your database structure is, but you should, first and foremost, be hashing and salting passwords that are stored. I've done some timing attacks that show you're _probably_ not doing this. The reason you want to do this is that, in case your database ever does get compromised, the hackers won't have direct access to the plain-text passwords of your users. Instead, they'll have to brute-force the hashes.
https://crackstation.net/hashing-security.htm
http://php.net/manual/en/faq.passwords.php
http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/
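An added example (not the site's own code) of the PHP 5.5+ password hashing API the links above describe: only password_hash() output is stored, logins are checked with password_verify(), hashes are upgraded transparently with password_needs_rehash(), and unknown usernames are verified against a dummy hash so the login response takes the same time either way. The users table and column names are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT    NOT NULL UNIQUE,
    password_hash TEXT    NOT NULL
)');

// Computed once per process: a hash to verify against when the username is unknown,
// so "no such user" and "wrong password" cost the same amount of time.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

/** Store a new user; the plain-text password is never written anywhere. */
function register(PDO $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today and may change in a later PHP release.
    // The hash string embeds its own random salt and cost, so nothing else is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** Check a login attempt; true only when the user exists and the password matches. */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = $row !== false ? $row['password_hash'] : DUMMY_HASH;
    // Always run the verification, even for unknown users (timing).
    $ok = password_verify($password, $stored);
    if ($row === false || !$ok) {
        return false;
    }

    // Upgrade the stored hash when the default algorithm or cost has moved on.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Constructed sample run.
register($db, 'Rose', 'correct horse battery staple');
var_dump(login($db, 'Rose', 'correct horse battery staple'));  // right password
var_dump(login($db, 'Rose', 'wrong'));                         // wrong password
var_dump(login($db, 'nobody', 'wrong'));                       // unknown user
```

Because the salt is random and embedded in each hash, two users with the same password get different stored values, and an attacker who dumps the table has to attack every hash separately at bcrypt's cost.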
Kociii
10-16-2014, 05:43 PM
DarkstaR, you got a lot of fun, don't you? ;)
DarkstaR
10-16-2014, 05:45 PM
@DarkstaR (http://forums.xenobot.net/member.php?u=2), you got a lot of fun, don't you? ;)
i like to break things geeezz
Kociii
10-16-2014, 05:50 PM
i like to break things geeezz
Haha xD
DarkstaR
10-16-2014, 06:17 PM
9. I'm worried about the in-browser pagination. What happens when finished auctions becomes 10k+ auctions? Storing 1000 pages in the browser will be essentially DoSing the end-user's browser.
Case in point: http://www.tibiatracker.com/deletions
This site uses the same table library as you and the same pagination. It takes ~21 seconds to load just because it needs to pull that shitload of data down and fill the DOM before displaying anything.
Pinnicle
10-17-2014, 05:00 PM
I was going to try to break something but I think Nick has it covered.
:cool:
Furpan
10-17-2014, 06:17 PM
I was going to try to break something but I think Nick has it covered.
:cool:
I really appreciate that he broke the site, it helps me fix the flaws :] Keep on trying if you have the time
I'll try some versions of pagination so it might throw off some errors from time to time
DarkstaR
10-17-2014, 06:30 PM
I really appreciate that he broke the site, it helps me fix the flaws :] Keep on trying if you have the time
I'll try some versions of pagination so it might throw off some errors from time to time
So I think what you have now is great for a seamless experience, but you might try limiting it to 100 at a time. Not sure how much control you have over the library, though.
Furpan
10-17-2014, 06:47 PM
So I think what you have now is great for a seamless experience, but you might try limiting it to 100 at a time. Not sure how much control you have over the library, though.
My first idea was to use the same functions as Tibia's in-game market, my current item array currently looks like this:
"3318" => array("type" => 4, "name" => "Knight Axe", "cost" => 2000)
where type 4 equals 'Axe Weapons', using this would definitely limit the auction table. A simple $_GET would suffice, but let's say there'll be an option for 'Show All', I would still use $_GET with a limit query & 20-ish tables per page and still be able to use the same plugin without pagination as I like the search function
I don't know enough javascript to make my own atm :{
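An added example (not the site's own code) of the server-side paging discussed in items 9 and the replies above: the page number, page size and item type come from $_GET, each is clamped to a safe integer range before it touches SQL, the page size is capped at 100 even when "Show All" is requested, and only one page of rows is sent to the browser. The auctions table, the type codes other than 4 and the 250 constructed rows are assumptions; SQLite is used so the example runs stand-alone.

```php
<?php
// Added example, not the project's own code. Table layout is an assumption.
declare(strict_types=1);

const PAGE_SIZE_DEFAULT = 20;
const PAGE_SIZE_MAX     = 100;   // hard cap, as suggested in the thread

// Type 4 = 'Axe Weapons' comes from the item array above; type 5 is constructed.
const ITEM_TYPES = [4 => 'Axe Weapons', 5 => 'Club Weapons'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auctions (
    id        INTEGER PRIMARY KEY,
    item_name TEXT    NOT NULL,
    type      INTEGER NOT NULL,
    min_bid   INTEGER NOT NULL,
    finished  INTEGER NOT NULL
)');
$ins = $db->prepare('INSERT INTO auctions (item_name, type, min_bid, finished) VALUES (:n, :t, :b, 1)');
for ($i = 1; $i <= 250; $i++) {   // constructed: 250 finished auctions, alternating types
    $ins->execute([':n' => 'Knight Axe #' . $i, ':t' => $i % 2 ? 4 : 5, ':b' => 2000 + $i]);
}

/**
 * Read page, size and type from the query string, clamping each to a safe range.
 * Everything user-controlled becomes a bounded integer before it reaches SQL.
 */
function paging_params(array $get): array
{
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $size = filter_var($get['size'] ?? PAGE_SIZE_DEFAULT, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => PAGE_SIZE_MAX]]);
    $type = filter_var($get['type'] ?? '', FILTER_VALIDATE_INT);
    return [
        'page' => $page === false ? 1 : $page,
        'size' => $size === false ? PAGE_SIZE_DEFAULT : $size,   // 5000 or "all" falls back to 20
        'type' => ($type !== false && isset(ITEM_TYPES[$type])) ? $type : null,
    ];
}

/** One page of finished auctions plus the total, so the client can draw page links. */
function finished_auctions_page(PDO $db, array $get): array
{
    $p = paging_params($get);
    // $where is assembled from fixed strings only; the user's type value is bound below.
    $where  = 'finished = 1' . ($p['type'] === null ? '' : ' AND type = :type');
    $params = $p['type'] === null ? [] : [':type' => $p['type']];

    $count = $db->prepare("SELECT COUNT(*) FROM auctions WHERE $where");
    $count->execute($params);
    $total = (int) $count->fetchColumn();

    $stmt = $db->prepare(
        "SELECT id, item_name, min_bid FROM auctions WHERE $where ORDER BY id LIMIT :limit OFFSET :offset"
    );
    foreach ($params as $k => $v) {
        $stmt->bindValue($k, $v, PDO::PARAM_INT);
    }
    // Bind LIMIT/OFFSET as integers; bound as strings MySQL would reject the quoted values.
    $stmt->bindValue(':limit',  $p['size'], PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($p['page'] - 1) * $p['size'], PDO::PARAM_INT);
    $stmt->execute();

    return [
        'rows'  => $stmt->fetchAll(PDO::FETCH_ASSOC),
        'total' => $total,
        'pages' => (int) ceil($total / $p['size']),
        'page'  => $p['page'],
    ];
}

// Constructed request: page 2 of axe weapons, with an oversized page size that gets clamped.
$result = finished_auctions_page($db, ['page' => '2', 'type' => '4', 'size' => '5000']);
printf("page %d of %d, %d rows on this page, %d total\n",
    $result['page'], $result['pages'], count($result['rows']), $result['total']);
```

The DataTables plugin can keep its search box on top of this: the browser only ever holds one page, and the search and page links just send new page/type parameters to the server instead of filtering 10k rows in the DOM.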
Gordo
10-17-2014, 07:04 PM
DarkstaR
https://www.youtube.com/watch?v=jaRBHQlEu-o
newuser444
10-18-2014, 03:30 AM
USERNAME : Robyn