EDIT: Aw, they took down the market before anyone could see my colorful defacement page.
Hey guys, I took a break from things, but I'm back and fighting the good fight once again. There were a couple of markets that launched during my absence, so I've been having a look into them. I'm currently running initial automated scans and will look further into each within the next few days.
My first project was Odyssey, especially since I came across a post regarding them using a pre-made script, which is my favorite kind of project! Within 2 minutes of signing up, I realized they were completely lying about rewriting the script or just using the same stylesheet. The system is almost completely a mirror image of the original, with some additions and no security fixes for my regular entry points, which are present in every version of the script that has been used by many past markets.
http://odysseygk3f6ugfc.onion/
Findings:
- Completely open to all kinds of XSS injection, site-wide. Some example attack vectors: PMs, PGP key, profile text, support tickets, product details (title, description, etc.).
- Nothing is correctly sanitized at all.
- Rooted the server within 15 minutes
- Full database access and downloaded backups of it
- Found potential admin dox information
- Created multiple shells for navigating their server directories and sending filesystem commands
- Major security failures
This is one of the more worrying markets I've seen appear, clearly an amateur in both development and network management/security.
Odyssey is now closed as of this post. We don't need markets like this being available to be hacked by the wrong person/organization; it puts everyone at risk, including themselves.
Anyone working on a market, get in touch for free advice and a pre-launch pen test. I will only post publicly if the security is this shit. If I see potential and you know what you are doing, the slip-ups can be made up for with fixes and ongoing testing before and after launch.
Bye!
Can confirm that the market was defaced before going offline.