Det Norske Market: A buffet of security holes | The Diaries of Dr.Gonzo








Non-hackers don’t understand why I disclose like I do, if I do. Experience shows “name & shame” is the only effective means of doing anything about these things; the downside will have to survive risking becoming radioactive to anyone. I’ll manage. I want to note I was not after praise or reward, but to secure vendors I use and end this childish idiocy perpetrated by alto and the kindergarten mafia.

Det Norske Market

Initially I thought what a good initiative. Then I took a closer look and got horrified. On nearly every single page I’ve found security holes ranging from RCE, SQLi, XXE, XSS, CSRF, clickjacking, misconfigured security headers, info leaks, buffer overflows in the webserver, the script interpreter as well as the OS itself and more, like using the weakest possible Onion v1 protocol, but thankfully now updated to Onion v3. This is a disaster waiting to happen.

Upon disclosing the first few serious bugs that yielded full database access and more, some cheered, some rewarded me, others, ignorant fucks, insulted me for trying to help them have a secure marketplace and beat LEO to the punch. I even contacted them to offer help, only to get ignored.

The bugs enable attackers to gain control over the database, system access, access to vendor accounts, steal login information, hijack sessions, and while this post won’t reveal the worst of them I will show a few examples typical of inexperienced web “programmers”. I’ve been breaking web apps and such for a living for a long, long time, but it has been many years since I saw anything as bad as this. Full control can be obtained within hours.

The examples I have chosen to display are the least bad of them. The reason for this is that I do not want to make it easy for LEO or thieves to fuck things over, even though the admins seem to manage doing that themselves. :)

Example 1: info leak

Note: The real IP is not disclosed here, even though I have it.

Also note the outdated and vulnerable server software; this includes the mysql backend. WinNT32 is quite literally neanderthal technology by now, and an OS LEO has a plethora of tools to attack with thanks to NSO & Co.

Example 2: XSS in their ddos protection page, so cute.

Example 3: On the inside :)

- Dr-Gonzo

Hate It or Love It, the underdog’s on top
And I’m gon’ shine, homie, until my heart stop
Go ‘head envy me, I’m rap’s M.V.P
And I ain’t going nowhere, so you can get to know me.