Today the mobile Internet and blockchain are everywhere, and blockchain security is marked by many website vulnerabilities: deposit (recharge) and withdrawal vulnerabilities on blockchain platforms, stored XSS vulnerabilities that steal member accounts, account security weaknesses, and so on. We at Sine Security have collated and summarized these blockchain vulnerabilities. Demand in the blockchain website security market is currently quite large. Many blockchain websites (also called digital-currency platforms), as well as digital virtual currencies, virtual wallets and blockchain wallets, share an overall site architecture divided into five layers. The first layer is the application layer of the blockchain: the issuance mechanism and the distribution mechanism. The second layer is the incentive layer. The third layer is the consensus layer: PoW. The fourth layer is the network layer: the peer-to-peer network, the blockchain transmission mechanism and the security authentication mechanism. The fifth layer is the data layer: block data, the chained structure, digital signatures, hash functions, Merkle trees and asymmetric encryption.
During Sine Security's security testing and penetration testing of blockchain websites we found a great many website vulnerabilities, which we summarize for the blockchain as follows. Website vulnerabilities generally lie in the site's business logic: member registration, member login, blockchain address management (deposits, transfers, withdrawals), escrow, buying and selling (futures, fiat, Ethereum, Bitcoin and so on), account password security (password change, SMS verification) and third-party payment platforms (API payment interfaces). Among the vulnerabilities found in actual security testing, the most easily identified are the following:
Stored cross-site scripting (XSS) vulnerability in member accounts
Blockchain CSRF vulnerability
On a digital-currency trading platform we logged in to a member account, and for the currency transaction and transfer operations the transfer could be submitted directly without entering the password; the password check was skipped entirely. The transfer form has no protection at all, which is a serious vulnerability that an attacker can exploit easily.
Deposit and withdrawal vulnerabilities
On many blockchain platforms the deposit and withdrawal forms are not securely filtered, so a negative amount can be constructed and POSTed to the blockchain server. When the withdrawal is processed the negative number is applied to the account, and the balance of the currency increases instead of decreasing.
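As an added illustration (not code from the original article or from any platform it describes), the two handlers below show the defect and its fix side by side: the vulnerable withdrawal trusts the posted amount string, so a negative value subtracted from the balance credits the account, while the hardened version filters the value server-side before touching the ledger. The in-memory ledger, the 8-decimal precision and the per-request limit are assumptions standing in for the platform's database and business rules.

```python
from decimal import Decimal, InvalidOperation

# Assumptions: the platform accounts in units of 8 decimal places and caps a single request.
AMOUNT_PRECISION = Decimal("0.00000001")
MAX_AMOUNT = Decimal("1000000")


def make_ledger(**balances):
    """Constructed in-memory ledger; a real platform keeps balances in its database."""
    return {user: Decimal(balance) for user, balance in balances.items()}


def withdraw_vulnerable(ledger, user, amount_field):
    """Vulnerable handler: applies the posted 'amount' field as-is.

    A posted value of "-5" is subtracted from the balance, which *adds* 5 coins.
    """
    amount = Decimal(amount_field)
    ledger[user] -= amount
    return ledger[user]


def parse_amount(amount_field):
    """Server-side filter for a money field; raises ValueError on anything unusable."""
    try:
        amount = Decimal(str(amount_field))
    except (InvalidOperation, ValueError):
        raise ValueError("amount is not a number")
    if not amount.is_finite():                        # NaN / Infinity rejected before comparing
        raise ValueError("amount must be finite")
    if amount <= 0:                                   # negative numbers and zero rejected
        raise ValueError("amount must be positive")
    if amount > MAX_AMOUNT:                           # also catches huge exponents like 1e99
        raise ValueError("amount exceeds per-request limit")
    if amount != amount.quantize(AMOUNT_PRECISION):   # sub-unit dust such as 0.000000001
        raise ValueError("amount has too many decimal places")
    return amount


def is_valid_amount(amount_field):
    """True if parse_amount accepts the field, False otherwise."""
    try:
        parse_amount(amount_field)
        return True
    except ValueError:
        return False


def withdraw_hardened(ledger, user, amount_field):
    """Hardened handler: validates the amount and checks the balance before debiting."""
    amount = parse_amount(amount_field)
    if ledger.get(user, Decimal(0)) < amount:
        raise ValueError("insufficient balance")
    ledger[user] -= amount
    return ledger[user]


if __name__ == "__main__":
    print("vulnerable, posted amount=-5 ->", withdraw_vulnerable(make_ledger(alice="10"), "alice", "-5"))
    print("hardened, posted amount=2.5 ->", withdraw_hardened(make_ledger(alice="10"), "alice", "2.5"))
    for bad in ("-5", "0", "abc", "NaN", "1e99", "0.000000001"):
        print(f"hardened rejects {bad!r}: {is_valid_amount(bad)}")
```

The check order matters: finiteness is tested before the sign comparison because an ordering comparison against a Decimal NaN raises rather than returning False, and the range limit runs before the precision check so that an enormous exponent never reaches quantize.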
Malicious tampering with the transfer address
When the EVM determines the transfer address it does not filter the trailing zeros of the address, so a transfer to another person can end up with the amount of currency at that address altered. An attacker can use this to transfer coins, and the risk is considerable.
How to fix the above blockchain website vulnerabilities?
Apply security filtering to the forms behind member functional operations such as withdrawal, deposit, wallet, buying and selling. Strictly check the submission method (GET or POST) of the data, validate every user-input parameter and its value, and prevent maliciously constructed parameters from being submitted to the server side.
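The following is an added example of the server-side filtering just described, written for this page rather than taken from the article or from any platform it covers. One validator covers the three findings above: the transfer password is re-verified on every transfer (the password-skipping and CSRF issue), the destination address must be a complete 20-byte value so a shortened address is refused before anything is sent to the EVM, and the HTTP method, field set and amount are checked strictly. The account record, session layout, field names and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import re
from decimal import Decimal, InvalidOperation

# Assumed field names of the transfer form; any other field marks a constructed request.
ALLOWED_FIELDS = {"to_address", "amount", "password", "csrf_token"}
# A complete EVM address: 0x followed by exactly 40 hex characters (20 bytes).
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
PBKDF2_ROUNDS = 200_000  # assumed work factor


class ValidationError(Exception):
    """Raised for any request that must not reach the transfer logic."""


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", str(password).encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(password):
    """Constructed account record; a real platform stores this in its user table."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt)}


def validate_address(value):
    """Reject anything that is not a complete 20-byte address.

    A shortened address is refused here instead of being passed on, so the EVM
    never gets the chance to zero-pad it and alter the amount being transferred.
    """
    if not isinstance(value, str) or not ADDRESS_RE.fullmatch(value):
        raise ValidationError("to_address must be 0x followed by 40 hex characters")
    return value.lower()


def validate_amount(value):
    """Positive, finite number only; negative and non-numeric values are refused."""
    try:
        amount = Decimal(str(value))
    except (InvalidOperation, ValueError):
        raise ValidationError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise ValidationError("amount must be a positive number")
    return amount


def validate_transfer_request(method, form, session, account):
    """Server-side filtering for the transfer form; returns the cleaned parameters.

    method  : HTTP method of the request
    form    : dict of submitted fields (str -> str)
    session : dict holding the logged-in user's csrf_token
    account : dict produced by make_account()
    """
    # 1. State-changing operations only via POST; a GET link planted elsewhere must not work.
    if method != "POST":
        raise ValidationError("transfer must be submitted with POST")
    # 2. Exact field set: unexpected or missing parameters are rejected, not silently ignored.
    if set(form) != ALLOWED_FIELDS:
        raise ValidationError("unexpected or missing form fields")
    # 3. CSRF token bound to the session, compared in constant time.
    submitted = str(form["csrf_token"]).encode("utf-8")
    expected = str(session.get("csrf_token", "")).encode("utf-8")
    if not hmac.compare_digest(submitted, expected):
        raise ValidationError("bad csrf token")
    # 4. The transfer password is re-verified on every transfer, never skipped.
    if not hmac.compare_digest(_hash_password(form["password"], account["salt"]), account["pw_hash"]):
        raise ValidationError("wrong transfer password")
    # 5. Each remaining value is validated by type and range.
    return {"to_address": validate_address(form["to_address"]),
            "amount": validate_amount(form["amount"])}


def is_accepted(method, form, session, account):
    """True if validate_transfer_request accepts the request, False otherwise."""
    try:
        validate_transfer_request(method, form, session, account)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    account = make_account("correct horse battery")
    session = {"csrf_token": "tok-constructed"}
    good = {"to_address": "0x" + "ab" * 20, "amount": "1.5",
            "password": "correct horse battery", "csrf_token": "tok-constructed"}
    print("valid request ->", validate_transfer_request("POST", good, session, account))
    print("GET ->", is_accepted("GET", good, session, account))
    print("short address ->", is_accepted("POST", dict(good, to_address="0x" + "ab" * 19), session, account))
    print("negative amount ->", is_accepted("POST", dict(good, amount="-1"), session, account))
```

Whitelisting the exact field set is what defeats "maliciously constructed parameters": an extra or renamed field fails the check before any value is interpreted, and the address and amount checks run only after the request has already proved it came from the logged-in member with the right password.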
Website vulnerability detection for blockchain site security analysis