For anyone who wants to understand why bobr is making a big mistake in his examples, simply type the following into your browser address bar.
Code:
http://api.stripe.com
You will see the session automatically turn from a port 80 HTTP session into a port 443 HTTPS session. In other words, it defaults to SSL, meaning communication to and from the API is encrypted.
Now do the same on his API:
Code:
http://www.coinsbill.com/api/invoice/
The session stays on port 80 as HTTP, in plain text over the Internet.
No single transaction made on his platform is secure.
Worse still - and I'm not going to post how this can be done for obvious reasons - his entire system is exposed because he has an XSS vulnerability that took me about 5 minutes to work out.
(Disclaimer for tech heads: SSL and HTTP can go over any port, but in this case 80 and 443 are the ones that apply here.)
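The browser test above can be done mechanically: send a plain HTTP GET to the endpoint and look at the first response. If it is a redirect whose Location points at an https:// URL, the service upgrades you to TLS; if it answers 200 over port 80, the API is happy to talk in the clear. The following is an added example by the editor, not code from the original post or from either platform; the three sample responses in it are constructed for the demonstration and are not captured from api.stripe.com or coinsbill.com, and the host name api.example.com is a placeholder.

```python
"""Classify what an API does with an unencrypted request.

Added example (not from the original post). The raw responses below are
constructed for illustration, not captured from any real server.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses (hypothetical host api.example.com).
SAMPLE_UPGRADE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://api.example.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PLAINTEXT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 2\r\n\r\n{}"
)
SAMPLE_RELATIVE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def classify(requested_url: str, status: int, headers: dict) -> str:
    """Decide whether a plain-HTTP request is upgraded to HTTPS.

    A relative Location header is resolved against the requested URL, so a
    redirect to "/login" from an http:// page still stays in plain text.
    """
    if status in REDIRECT_CODES:
        target = urljoin(requested_url, headers.get("location", ""))
        if urlsplit(target).scheme.lower() == "https":
            return "upgrades-to-https"
        return "redirects-but-stays-plaintext"
    if 200 <= status < 300:
        return "serves-over-plaintext"
    return f"other-{status}"


def classify_raw(requested_url: str, raw: bytes) -> str:
    """Convenience wrapper for a captured or constructed raw response."""
    status, headers = parse_response(raw)
    return classify(requested_url, status, headers)


def check_live(url: str, timeout: float = 5.0) -> str:
    """Probe a real http:// URL over the network (needs connectivity)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(url, resp.status, headers)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, raw in (("upgrade", SAMPLE_UPGRADE),
                       ("plaintext", SAMPLE_PLAINTEXT),
                       ("relative", SAMPLE_RELATIVE_REDIRECT)):
        print(label, "->", classify_raw("http://api.example.com/api/invoice/", raw))
```

Run `check_live("http://<host>/<path>")` to probe an endpoint you are authorised to test. Note the caveat a redirect alone does not cover: the very first request still leaves the client in plain text, so an attacker on the path can answer it before the redirect arrives. That is what an HSTS header on the HTTPS response is for, and it is worth checking separately.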