Winners United STWC Result
Team Walk Without Rhythm
September 29, 2016
Do Not Launch.
Security Bug: Emails exposed
Our security testing uncovered a list of all other users' email addresses!
Performance Bug: Site crashes
Other Security Considerations
● Review all JSON objects sent to the browser to ensure no sensitive data (such as other users' email addresses) is leaked; a response should carry only the fields the page actually needs.
● Even though the site implements HTTPS, it still lacks some industry-standard security practices, such as:
○ HSTS (the Strict-Transport-Security response header)
○ Secure cookies (the Secure flag on cookies, and HttpOnly on session cookies)
○ Clickjacking prevention (an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive)
● The site showed performance/availability issues quickly under moderate load, which makes it very vulnerable to DoS attacks.
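An offline checker for the two findings above (sensitive fields in JSON sent to the browser, and the missing HSTS, cookie-flag and clickjacking protections), added here as an example; it is not code from the deck or from the site under test. The sample response headers and JSON body are constructed for illustration, and the 180-day HSTS minimum is an assumed policy threshold, not something the deck states.

```python
"""Offline audit for two of the findings above: sensitive fields in JSON
sent to the browser, and missing HTTPS hardening (HSTS, Secure/HttpOnly
cookies, clickjacking protection).  Added example, not code from the
STWC deck; the sample response below is constructed for illustration."""
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Key names that should not normally reach another user's browser.
SENSITIVE_KEYS = {"email", "password", "passwordhash", "token", "ssn"}
# Assumed policy threshold: HSTS max-age of at least 180 days.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def find_sensitive_fields(value, path="$"):
    """Walk a decoded JSON value and return JSONPath-style locations of
    keys that look sensitive or string values that look like e-mail
    addresses, so a reviewer can diff an API response against what the
    page actually needs."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if key.lower().replace("_", "") in SENSITIVE_KEYS:
                hits.append(child_path)
            elif isinstance(child, str) and EMAIL_RE.match(child):
                hits.append(child_path)
            hits.extend(find_sensitive_fields(child, child_path))
    elif isinstance(value, list):
        for i, item in enumerate(value):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.  A list,
    not a dict, because Set-Cookie may legitimately repeat.  Returns a list
    of human-readable findings; an empty list means the checks passed."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("missing HSTS (Strict-Transport-Security)")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE} seconds")

    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")

    csp = " ".join(by_name.get("content-security-policy", [])).lower()
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection "
                        "(X-Frame-Options or CSP frame-ancestors)")
    return findings


def audit_response(headers, body):
    """Run both checks on one captured response."""
    return {"headers": audit_headers(headers),
            "json": find_sensitive_fields(json.loads(body))}


# Constructed sample: what a leaderboard endpoint with the deck's problems
# might return.  The second cookie shows the attributes done right.
WEAK_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),
]
# The same endpoint after hardening; audit_headers() returns no findings.
HARDENED_HEADERS = [
    ("Content-Type", "application/json"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
SAMPLE_BODY = json.dumps({
    "me": {"id": 7, "email": "tester@example.com"},
    "leaderboard": [
        {"name": "alice", "email": "alice@example.com", "points": 120},
        {"name": "bob", "contact": "bob@example.com", "points": 95},
    ],
})

if __name__ == "__main__":
    for kind, items in audit_response(WEAK_HEADERS, SAMPLE_BODY).items():
        for item in items:
            print(f"[{kind}] {item}")
```

To run it against a real capture, pair the header list from the browser's network panel (or from `curl -i`) with the response body; keep each Set-Cookie header as its own pair rather than folding repeats into one string, since per-cookie flags are what the check reads. The JSON walk flags the "me.email" field too, which is fine for the current user but shows why the review has to be per-field: the leaderboard entries carry the same key for other users.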
Legal Bug: Missing Terms & Conditions
The Terms and Conditions page was blank. This may leave you vulnerable to legal ramifications.
Usability Bug: Confusing site
Given more time, we would get to know the site well enough to report more intricate bugs regarding betting rules and calculations.
Bug Summary
Team
Participant         Browser                           Operating System
Nawwar Kabbani      Firefox 48.0.2 (64-bit)           Windows 10
Claire Moss         Chrome 52.0.2743.116 m            Windows 8
Curtis Pettit       Chrome 52.0.2743.116 m (64-bit)   Windows 10
Elizabeth Zagroba   Chrome 49.0.2623.112              OS X 10.7.5
Software Testing World Cup 2016