PERPCasino.com

Though there's another downside to that: if he "forgets" to change the code as well, people would constantly need access to the files themselves to make sure, someone trusted.
 
I'm rich!

Edit: He reset my cash, very sad
 
Love the concept, but please stop checking all inputs client-side ;-;
this sounds very secure too
 

Deleted member 6228

Implement provably fair, but until then this is sketch AF and don't use it.
 
Hello,

As requested by @CensoredExe, I have reviewed the code and discovered the following findings:
  • Due to the use of rand(0, 100) < 50, the house wins 51 times for 50 losses. This means a player's probability of winning is approximately 49.5%.
    • Edit: @CensoredExe has edited the code so that it is now 50:50. However, as this change was not visible to users, this simply demonstrates the below point further.
  • There is no method of verifying that an individual bet transaction was using this probability. It is possible that the site administrators can change the probability for individual transactions or individual users.
  • All IP addresses for users are logged and viewable by site administrators.
  • Site administrators have the ability to edit transaction history and account balances without any record of this happening.
  • There is no method of verifying if the site administrators have enough money to pay back any money deposited.
  • Passwords are stored and hashed using the default PHP password hashing methods. They are not currently stored in a raw format.
  • There are various SQL injection vulnerabilities on the administration pages. They are unlikely to be exploitable by non-administrators; I have highlighted these to @CensoredExe.
  • Site administration functionality does not use CSRF tokens, so the ability to manage accounts is vulnerable. This means it is possible for someone to deposit a fake amount of money onto the casino.
All of this is true at the time of writing. Some of these findings may change in the future.

Based on this, I am not in a position to verify the trustworthiness of the website, or its legality.

This third-party website is not endorsed by the Perpheads Development team.

I will be happy to re-review this at a future stage if changes are made.
 
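As an added example (not code from the site or from any poster in this thread), a Python sketch of two points in the review above: the exact bias of an inclusive `rand(0, 100) < 50` check, and a commit/reveal "provably fair" flip that a player can audit once the server seed is revealed. The seed strings and the scheme itself are constructed for illustration; the site is PHP, but the arithmetic and the HMAC construction are language-independent.

```python
import hashlib
import hmac
from fractions import Fraction

def win_probability(lo: int, hi: int, threshold: int) -> Fraction:
    """Exact P(rand(lo, hi) < threshold) when rand() is inclusive of both ends,
    as PHP's rand() is. rand(0, 100) has 101 outcomes, only 50 of them below 50."""
    total = hi - lo + 1
    wins = max(0, min(threshold, hi + 1) - lo)
    return Fraction(wins, total)

# Commit/reveal scheme (a hypothetical design, not the site's code):
# the operator publishes sha256(server_seed) before any bet, derives each
# outcome from HMAC(server_seed, client_seed:nonce), and reveals server_seed
# when the seed is rotated so players can recompute every outcome.
def commitment(server_seed: str) -> str:
    return hashlib.sha256(server_seed.encode()).hexdigest()

def flip(server_seed: str, client_seed: str, nonce: int) -> bool:
    """True = player wins. A 32-bit slice of the HMAC compared against 2**31
    gives exactly 50:50; the nonce makes each bet's outcome distinct."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), msg, hashlib.sha256).hexdigest()
    return int(digest[:8], 16) < 2 ** 31

def verify_bets(server_seed: str, published: str, bets) -> bool:
    """Player-side audit after the reveal: the revealed seed must match the
    commitment and every recorded outcome must equal the recomputed one.
    bets is a list of (client_seed, nonce, won_as_recorded)."""
    if not hmac.compare_digest(commitment(server_seed), published):
        return False
    return all(flip(server_seed, cs, n) == won for cs, n, won in bets)

if __name__ == "__main__":
    p = win_probability(0, 100, 50)
    print(f"P(win) with rand(0,100) < 50 = {p} ~ {float(p):.4f}")
    seed = "constructed-server-seed"            # constructed sample value
    published = commitment(seed)               # shown to players before betting
    bets = [("player-seed", n, flip(seed, "player-seed", n)) for n in range(5)]
    print("audit passes:", verify_bets(seed, published, bets))
    print("audit with swapped seed:", verify_bets("another-seed", published, bets))
```

Because the outcome is fixed by the committed seed and the player's own input, an operator who changes the odds for one user or one transaction after the fact breaks the audit rather than going unnoticed.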
Pretty sure you cannot log IP addresses without the user's permission. Also, you should use a framework. Don't try to implement your own security system; it's useless to reinvent the wheel. If you don't want a large one bloated with too many features, there are a vast array of lightweight ones out there, even for the devil's language: PHP.
@CensoredExe
 
IP addresses under GDPR may be logged if you can argue it's necessary for the security of the site.
 
@Sneaky this does not seem to be the case, as this website doesn't contain sensitive information. And if so, there should be an option to completely delete all the information they have stored about a user (and also to download all of it).
 