Not A Guide to hacking betting sites
DISCLAIMER!!! This is for educational purposes only and not a guide to hacking betting sites.
In this writeup I will try to describe some bugs I have found on betting sites during my almost 3-year bug bounty journey. I have reported more than 100 vulnerabilities on betting websites and Android applications, but I will only talk about some of them. Sorry, I don't have screenshots to demonstrate the vulnerabilities, so I will just list some bugs and their impacts. I will not name the companies, for obvious reasons.
The writeup lists some vulnerabilities bug hunters can look for while hunting on betting platforms.
So grab some coffee and popcorn and enjoy!
Some are interesting, like changing odds, withdrawing twice, or withdrawing more money than your balance :)
IDOR
I found most of the IDORs on betting sites in profile ID parameters. Some occurred on bet history, where I could change the user's bet history ID and get any user's betting history on the site.
SQLI
Most of them were blind SQLi.
RACE CONDITION
What's a race condition?
This is a vulnerability that occurs when a request is sent many times within a very short period of time, like clicking the withdraw button in quick succession, and the server processes the requests concurrently, before the first one has updated the account state.
This is an interesting bug in my opinion, as you can find interesting outcomes such as withdrawing cash more than once or cashing out multiple times.
Tools:
You can use Turbo Intruder or write your own script.
PARAMETER MANIPULATION
This vulnerability occurs when request parameters such as the bet amount or the odds can be changed on a betting site and the server accepts the changed values.
This can lead to manipulated odds. For example, a game with odds of 1.5 can be manipulated to odds of 3.0, doubling the odds.
Another interesting bug I found is betting on a game two times. Alaa!!!!!
This is done by capturing the request, then placing the bet IDs and matches two or more times in the same request.
HTTP PARAMETER POLLUTION
This happens when you add extra parameters to the URL and the server treats them as part of a normal request.
For the bug bounty I was able to withdraw more money than my balance by adding a balance parameter with a custom set balance, as seen below:
/userid?id=11&balance=500
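The server-side checks that close off both the parameter manipulation and the parameter pollution bugs described above, as an added example that is not from the original writeup or from any of the affected sites. The function name, the parameter names (stake, selection), the odds table and the balances are all assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from math import prod
from urllib.parse import parse_qsl

# Constructed server-side state: odds and balances never come from the client.
ODDS = {"m1": Decimal("1.50"), "m2": Decimal("2.10")}
BALANCES = {"11": Decimal("100.00")}
ALLOWED = {"stake", "selection"}  # hypothetical names; the only ones accepted


class RejectedRequest(ValueError):
    """Raised when a request carries anything the server did not ask for."""


def place_bet(session_user_id: str, query: str) -> Decimal:
    """Validate a bet, debit the stake and return the potential payout."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    unknown = sorted(set(names) - ALLOWED)
    if unknown:  # e.g. an injected balance= or odds= parameter
        raise RejectedRequest(f"unexpected parameters: {unknown}")
    if names.count("stake") != 1:  # a repeated name is ambiguous, so refuse it
        raise RejectedRequest("stake must appear exactly once")
    selections = [value for name, value in pairs if name == "selection"]
    if not selections or len(set(selections)) != len(selections):
        raise RejectedRequest("selections must be present and unique")
    if any(s not in ODDS for s in selections):
        raise RejectedRequest("unknown selection")
    try:
        stake = Decimal(dict(pairs)["stake"])
    except InvalidOperation:
        raise RejectedRequest("stake is not a number") from None
    if not stake.is_finite() or stake <= 0:
        raise RejectedRequest("stake must be a positive amount")
    # The account is the authenticated session's; the balance is the server's.
    balance = BALANCES[session_user_id]
    if stake > balance:
        raise RejectedRequest("insufficient balance")
    BALANCES[session_user_id] = balance - stake
    # Odds are priced from the server catalogue, never from the request.
    return stake * prod(ODDS[s] for s in selections)
```

In a real service the balance check and the debit also have to run as one atomic database operation, otherwise the race condition covered earlier still applies.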
OTHER ATTACKS
This is a collection of small or medium bugs that I found. Some were account takeover via no rate limit and host header injection on password reset.
Shellshock in 2021!
Some XSS (blind and reflected)
DoS via a long password. A user could register with a long password. You could log in the first time after sign-up, but after logging out the user couldn't log in to their account again.
Bypass of password protection in an Android app via an exported activity