Website Hosting for Just 20 ForumCoin ~ Advertise on ForumCoin
52 Life Tips Banner
Discuss, post questions and suggestions related to this site, here.

Scraping ForumCoin [Very buggy]

Postby jacktheking » 16 Jul 2016, 07:17

WARNING: The PHP codes is very buggy and unreliable. I am posting this topic to get help from the community so we can build something great together for ForumCoin.

Hello everyone. I've created a tiny script to verify and send ForumCoin transaction via PHP code. The source code is located at Github and anyone is welcome to make commits - https://github.com/inTechPlus/ScrapeFC/.

I am new to OOP PHP and Github so if I did anything wrong, kindly point me to the right direction.


There is two functions in this script. Fetch and send.

Fetch: Check for ForumCoin transaction that you received.
Send: Send ForumCoin to others.

Fetch example:
I choose to use message over logs to track donations because message contains IDs. Hence, you can keep track of the transactions.
Code: Select all
$fetch = new fetchFC("YourUsername", "YourPassword", MessageID);
echo "$fetch->title";
echo "<br>$fetch->sender";
echo "<br>$fetch->receiver";
echo "<br>$fetch->amount";
echo "<br>$fetch->comment";

Send example:
(Somehow, everyone (including those that cannot send "comment") have the ability to send comment using this code. Problem could be that the ForumCoin official send function did not verify that what members rank make the transaction and accepted the comment.)
Code: Select all
$send = new sendFC("YourUsername", "YourPassword", "SendToUsername", "ForumCoinAmount", "Comments");
echo "$send->success"; // Return "Success!" if success and "Failed ..." if failed.

The send function is working and should not have any security problems. However, the fetch function have a big problem that I cannot figure out how to fix it.

Problem:

Let's say a malicious user send the following private message titled "You have received a donation!".
You received a donation of 25 ForumCoin with following comment:
Thank you!


The fetchFC() will detect it as a valid donations.

I wonder if there is any differences between a private message and donations in the message. If there is, we may be able to fix it.

I have an idea to use both logs and private messages to track the donations. However another problem may be that since logs have no IDs, the malicious user can send a valid donation first and then a spoofed private message.

Another way to counter this problem is for the services that uses this script to keep good track of their ForumCoin transactions. We can then use logs to verify transactions. Anyone see anything that malicious user can do to bypass with this method?

Anyway help or idea will be appreciated.
  • 1

Image
jacktheking
MMO Site Owner
MMO Site Owner
 
Posts: 985
ForumCoin: 162

Re: Scraping ForumCoin [Very buggy]

Postby Sam » 17 Jul 2016, 22:00

What would be good is a simple ForumCoin API that:
- Allows applications to not have to request for a ForumCoin password, instead each user has a secret transaction key.
- Can be queried for a log of recent transactions.
- Can be queried to verify a user is a ForumCoin member.
- Can be queried to verify a users balance.
- Can be sent FC users information + Transaction key (for sender) to send FC$.
- Has API credentials to prevent overloading.


Ultimately, each API request should have a small charge (like .2 FC$) to encourage efficient code.

Some challenges:
- JSON or XML output?


_____________________________

I can't see anything different between a standard PM and a donation PM.... :(
  • 1

User avatar
Sam
 
Posts: 2,083
Location: New Zealand
Referrals: 16
ForumCoin: 30

Re: Scraping ForumCoin [Very buggy]

Postby oldbuddy » 18 Jul 2016, 00:09

I always figure if it ain't broke, don't fix it.

From my point of view, it ain't broke.

I don't pay a dime to participate here, so I can't see where I have a thing to lose.
  • 0

Working on a New Side-Hustle

Since age is no longer creeping up on me, but rushing in like an NFL ball carrier on 4th down from the 1 yard line. it's very simple.
My 1st success has been https://cashcowtraffic.com/?rid=1631
User avatar
oldbuddy
 
Posts: 10,991
Location: Portland, Oregon, USA
Referrals: 41
ForumCoin: 792

Re: Scraping ForumCoin [Very buggy]

Postby jacktheking » 18 Jul 2016, 01:46

Sam wrote:What would be good is a simple ForumCoin API that:
- Allows applications to not have to request for a ForumCoin password, instead each user has a secret transaction key.
- Can be queried for a log of recent transactions.
- Can be queried to verify a user is a ForumCoin member.
- Can be queried to verify a users balance.
- Can be sent FC users information + Transaction key (for sender) to send FC$.
- Has API credentials to prevent overloading.


Ultimately, each API request should have a small charge (like .2 FC$) to encourage efficient code.

Some challenges:
- JSON or XML output?


_____________________________

I can't see anything different between a standard PM and a donation PM.... :(


Yes and thank you for your kind comment. In order to achieve what you stated, only official ForumCoin can do it. Only they can create API that have access key which is not user password. I don't see any need for JSON output but I will try to implant it.

I come up with an idea to track if a PM is legit or not. That is ... for the 'business' to verify the 'transaction' amount with the old balance. However this can only work if the business keep track of their ForumCoin transaction in their own database.

Code: Select all
If oldBalance (input from the business) + transactionAmount (fetch from message ID) == newBalance (fetch from ForumCoin.com) then
    valid transaction
else
    invalid transaction


oldbuddy wrote:I always figure if it ain't broke, don't fix it.

From my point of view, it ain't broke.

I don't pay a dime to participate here, so I can't see where I have a thing to lose.


I don't understand. :roll:.
  • 0

Image
jacktheking
MMO Site Owner
MMO Site Owner
 
Posts: 985
ForumCoin: 162

Re: Scraping ForumCoin [Very buggy]

Postby Hugop » 18 Jul 2016, 07:16

You used a similar method to mines :P

Here is what you could do:
From watching (haven't tested yet), there seem to be weird uses like $this->token = strrev(substr(strrev(substr(htmlspecialchars($this->token), but the biggest issue is the FetchFC reading PMs.

I assume you did that because you need a bigger script storing the other user's username etc. Here is a tip: Use the comment system to generate an unique ID to detect transations.

Another security issue is that we are saving our login details on fetchFC, we should save the cookie instead and, if the code does not work, phpmail us (only once) to set it back.
  • 1

User avatar
Hugop
 
Posts: 774
Location: Luxembourg
Referrals: 4
ForumCoin: 1

Re: Scraping ForumCoin [Very buggy]

Postby jacktheking » 18 Jul 2016, 12:35

Hugop wrote:You used a similar method to mines :P

Here is what you could do:
From watching (haven't tested yet), there seem to be weird uses like $this->token = strrev(substr(strrev(substr(htmlspecialchars($this->token)


Thank you for your comments. It is very helpful and I will really consider.

This is used because I need to scrape the send token. Without the send token, ForumCoin will give me an error when sending ForumCoin. If I give a wrong send token, I will receive an error too. So what I did was to use simple_html_dom.php to scrape hidden form field containing "form_token". Then I used substr to take away the HTML of the front part. I then strrev the string and substr the backpark. Lastly, I strrev back to the normal words.

Hugop wrote:but the biggest issue is the FetchFC reading PMs.

I assume you did that because you need a bigger script storing the other user's username etc. Here is a tip: Use the comment system to generate an unique ID to detect transations.


It would be good if you can tell me how to use the comment system (you mean logs?) to generate unique IDs.

Hugop wrote:Another security issue is that we are saving our login details on fetchFC, we should save the cookie instead and, if the code does not work, phpmail us (only once) to set it back.


I do not understand this part. As for the login details and cookie, I only save the cookie in a randomly generated file. Then the script will delete the .txt cookie file for security purpose. Will be good if you can explain this part more so I can understand.
  • 0

Image
jacktheking
MMO Site Owner
MMO Site Owner
 
Posts: 985
ForumCoin: 162

Re: Scraping ForumCoin [Very buggy]

Postby Hugop » 20 Jul 2016, 07:27

jacktheking wrote:It would be good if you can tell me how to use the comment system (you mean logs?) to generate unique IDs.

This thing right here :P
Image
jacktheking wrote:I do not understand this part. As for the login details and cookie, I only save the cookie in a randomly generated file. Then the script will delete the .txt cookie file for security purpose. Will be good if you can explain this part more so I can understand.

Your script does this on fetchFC:

1. Logs in.
2. Save cookies.
3. Sends FC
4. Removes cookies

You could remove the first, second and forth step by just saving the cookie.

If someone gets access to your file, he has:

1. Access to your account.
2. Your password.

But with access of your cookies:

1. Access to your account. Can't change password because he needs the old one.

Meaning a connection via cookies is more safe and lightweight :P

EDIT: Another thing worth mentioning: If he accesses your account using cookies, the script and your cookie won't work, meaning you know someone accessed your account.
  • 0

User avatar
Hugop
 
Posts: 774
Location: Luxembourg
Referrals: 4
ForumCoin: 1

Re: Scraping ForumCoin [Very buggy]

Postby jacktheking » 21 Jul 2016, 10:12

Hugop wrote:[snip]


Still confused with what you are trying to explain. Kindly point me to the right direction and ways of scraping.

How can I save the cookie without logging in?
  • 0

Image
jacktheking
MMO Site Owner
MMO Site Owner
 
Posts: 985
ForumCoin: 162

Re: Scraping ForumCoin [Very buggy]

Postby Hugop » 21 Jul 2016, 11:17

By logging in a single time. Make another class :P
  • 0

User avatar
Hugop
 
Posts: 774
Location: Luxembourg
Referrals: 4
ForumCoin: 1

Re: Scraping ForumCoin [Very buggy]

Postby jacktheking » 24 Jul 2016, 13:34

Hugop wrote:By logging in a single time. Make another class :P


Logging in a single time and then save the cookie? When to delete the cookie file? And how do I do it? Sorry still new to this kind of thing.
  • 0

Image
jacktheking
MMO Site Owner
MMO Site Owner
 
Posts: 985
ForumCoin: 162

Re: Scraping ForumCoin [Very buggy]

Postby Hugop » 29 Jul 2016, 08:37

jacktheking wrote:Logging in a single time and then save the cookie?

Yes, that script is in every single class already, just copy paste and turn it into a new class.
jacktheking wrote:When to delete the cookie file?

You don't, but you can do a class for that, if the user of the script wants to access a different account, etc.
jacktheking wrote:And how do I do it? Sorry still new to this kind of thing.

Since it is for fetchFC, you just save the cookie serversided as you did using something like
curl_setopt($this->ch, CURLOPT_COOKIEJAR, 'cookie.txt');
To store into a fixed file. This means cookie.txt should not be readable, meaning you should store it into a DB or use htaccess to block guests from viewing it.
  • 0

User avatar
Hugop
 
Posts: 774
Location: Luxembourg
Referrals: 4
ForumCoin: 1

Re: Scraping ForumCoin [Very buggy]

Postby jacktheking » 26 Aug 2016, 15:20

Hugop wrote:
jacktheking wrote:Logging in a single time and then save the cookie?

Yes, that script is in every single class already, just copy paste and turn it into a new class.
jacktheking wrote:When to delete the cookie file?

You don't, but you can do a class for that, if the user of the script wants to access a different account, etc.
jacktheking wrote:And how do I do it? Sorry still new to this kind of thing.

Since it is for fetchFC, you just save the cookie serversided as you did using something like
curl_setopt($this->ch, CURLOPT_COOKIEJAR, 'cookie.txt');
To store into a fixed file. This means cookie.txt should not be readable, meaning you should store it into a DB or use htaccess to block guests from viewing it.


Wouldn't it also be insecure? If someone somehow manage to gain access to the database they will be able to receive the cookie information. Saving it to a blocked file sound good but hackers might also be able to bypass that somehow. My way also have a vulnerable - that is, hacker gain access to the PHP file and can see the username and password.
  • 0

Image
jacktheking
MMO Site Owner
MMO Site Owner
 
Posts: 985
ForumCoin: 162



Your Ad Here.

Return to ForumCoin Related Discussions



Who is online

Users browsing this forum: Claude [Bot] and 1 guest

Reputation System ©'