HoiDam/WAMP_Y3Proj (repository archived by the owner on Dec 4, 2021; now read-only)
WAMP_Y3Proj

Final Report

Bitcoin Exchange Platform


04/2021


Content

  1. Database structure

  2. Backend

  3. Frontend

  4. Infrastructure

  5. Security

  6. Difficulties encountered

Source code: https://github.com/HoiDam/WAMP_Y3Proj

A PDF version is also uploaded

1. Database Structure

  • Done on Mar 8
  • 5 tables:
  1. Wallet (stores wallet data)
  2. User (stores user data, e.g. email, password)
  3. Session (stores login session data, e.g. token)
  4. Transaction (stores a transaction between 2 users)
  5. Address (stores bitcoin data, e.g. public key, private key)

  Note that the Address table holds the spending keys of every bound address (the private key and WIF entered on the settings page), so it is the most sensitive table in the schema and needs at least the protection given to the password column.

2. Backend

  Backend Structure
  • Done on Mar 15
  • Using PHP 5.6.40 (note: PHP 5.6 stopped receiving security fixes at the end of 2018)
  • Frameworks:

Slim 3.0 (routing for the RESTful API)

BlockCypher PHP client 1.5 (the official API client, required)

  • Hosted on Apache

  Backend Coding (folder structure)
  • The backend code is stored under www/php
  • index.php under public/ holds the API routes
  • .htaccess rewrites the Apache routes
  • The function/ folder holds the functions that the API routes call

  Backend Coding (index.php)
  • The API is called at (hostname/php/public) + the path, with the HTTP method (POST or GET)

  • Data is transmitted as JSON in the body, plus headers

  • If the request is accepted, the API returns two fields: msg (usually the data) and status (success/failed)

  Backend Coding (function folder)

A function is only called once its parameters have been validated

/public/index.php

/function/blockcypher.php

3. Frontend

  Frontend Structure
  • Done on Apr 5
  • Using HTML5 + CSS + JavaScript
  • Main frameworks:

React Redux (state control, login etc.)

React Router (URL routing)

Material UI (CSS framework, UI design)

  • Hosted on Apache

    Frontend Coding (folder structure before build)
  • This view exists only during development

  • Code is stored in src (most of it is .js)

  • The folders actions, auth, services, sagas and store hold the Redux logic that controls login/register state

  • utils holds services such as the cookie helper

  • container holds the routing setup

  • main holds the main page

src folder

Frontend Coding (folder structure after build)

  • The built frontend code is stored under www/php

  • index.html holds the main structure

  • .htaccess rewrites the Apache routes

  • Since this is generated by webpack, there is not much to explain here

  Frontend (cookie)

  • Cookie handling is wrapped in a function

  • Call setCookie or getCookie when needed

  • The function uses the vanilla cookie API (document.cookie) to write the cookie

  • Default expiry time = 2 hours (same as the db setting)

  A cookie written through document.cookie cannot be HttpOnly, so the login token is readable by any script that runs on the page; this is one reason the foreign script found in the vulnerability scan (section 5, Fix 1) had to go. The cookie can still carry the Secure and SameSite attributes.
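As an added example (not the project's own code), this is how the cookie helper described above can be written so the token cookie carries Secure and SameSite and expires together with the server-side session. The function names, the /app path, the cookie name used in the usage comment, and the fake document used to run it outside a browser are all assumptions of this example.

```javascript
// Added example: session-token cookie helpers for the frontend described above.
// Names (setCookie/getCookie/clearCookie), the /app path and the fake document are assumptions.
const SESSION_TTL_SECONDS = 2 * 60 * 60; // 2 hours, same as the db Session setting
const COOKIE_PATH = '/app';              // base path of all frontend routes

// Write one cookie. Returns the string assigned to doc.cookie so callers can inspect it.
// A cookie set from script can never be HttpOnly, so Secure + SameSite are the only
// attributes left to limit where the token travels.
function setCookie(doc, name, value, maxAgeSeconds = SESSION_TTL_SECONDS) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  const serialized = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`,
    `Path=${COOKIE_PATH}`,
    'Secure',          // only sent over HTTPS (the site is only reachable on 443)
    'SameSite=Strict', // never attached to cross-site requests
  ].join('; ');
  doc.cookie = serialized;
  return serialized;
}

// Read one cookie by name, or null when it is absent.
function getCookie(doc, name) {
  for (const part of doc.cookie.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Expire a cookie immediately (what the logout button needs before redirecting to /app/).
function clearCookie(doc, name) {
  return setCookie(doc, name, '', 0);
}

// Stand-in for a browser document so this file runs under Node. It mimics the part of
// document.cookie used above: assigning "name=value; attrs" adds or replaces that one
// cookie, Max-Age=0 deletes it, and reading returns "name=value" pairs without attributes.
function createFakeDocument() {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const [k, v = ''] = pair.split('=');
      const maxAge = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
      if (maxAge && Number(maxAge.split('=')[1]) <= 0) jar.delete(k);
      else jar.set(k, v);
    },
  };
}

// Browser usage: setCookie(document, 'token', tokenFromApi); getCookie(document, 'token');
// Local run:
const demo = createFakeDocument();
setCookie(demo, 'token', 'example-token');
console.log(getCookie(demo, 'token'));
```

The Max-Age value is the one place the frontend and the Session table must agree; if the server keeps its own expiry, a cookie that outlives the row just produces a confusing "logged in but every call fails" state, and a cookie that expires first silently leaves a usable token in the database.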

  Frontend (Routing)

  • Mainly 4 routes before login succeeds

  • /app is the base of all routes

  1. / -> welcome page
  2. /login -> login page
  3. /register -> register page
  4. /register/confirm -> register success page
  • The fifth route is the redirect after a successful login, /main

Frontend (Routing 2)

  • Mainly 4 routes after login succeeds
  • /app is the base of all routes
  1. /home -> home page
  2. /daw -> deposit/withdrawal page
  3. /bas -> buy/sell page
  4. /setting -> setting page

Frontend (Welcome page)

  • Two options
  • Login / register

  Frontend (Login page)
  • Login with

Email address

Password

Valid reCAPTCHA

  • If successful -> redirect to the main page (with the token received from the API)

  • (the token is stored in a cookie)

  • If it fails -> show an error message

  Frontend (Register page)

• Register with

Email address

Password (entered twice)

Nickname

Address

Valid reCAPTCHA

• If successful -> redirect to the register success page

• If it fails -> show an error message

  Frontend (Register success page)
  • Success screen

  Frontend (homepage)

All pages under /main can access the left bar

The Logout button clears the cookie and redirects to the path /app/ (this only removes the token from the browser; the Session row on the server stays valid until it expires unless the backend also deletes it)

  Frontend (deposit and withdrawal page)
  • The upper part shows the funds the user currently has

  • Enter an amount and drag a file in to deposit

  • Enter an amount to withdraw

  • If successful -> the invoice (pdf) can be downloaded

    Invoice

Shows address, email etc.

  Frontend (buy and sell page)
  • 3 parts

1: transaction history

2: create transaction

3: current balance check

  Frontend (buy and sell page) Transaction history
  • Shows all transaction history related to the user
  • Buy/sell
  • From which address?
  • To which address?
  • Bitcoin amount?
  • Funds amount?
  • Status?

If (status is requested and the user is from_user -> can cancel)

If (status is requested and the user is to_user -> can accept or decline)

  • Other relevant info

All real transactions happen only when the to_user presses accept.

Otherwise nothing happens.

Frontend (buy and sell page) Create Transaction

  • Enter the following data to create a transaction

  • If the target address belongs to a registered user, that user can view the record as described above

  • All input is validated, e.g. amounts must be > 0 (the backend repeats the check before calling the function, see section 2)

  Frontend (buy and sell page) Balance Query

  • Shows the balance

  • Enter an address to query its details, e.g. n1s9……

  Frontend (setting page)

  • 3 parts

1: profile info display (not explained, too simple)

2: change password

3: wallet address binding

  Frontend (setting page) Change password
  • Simple change password function

  • Enter the old password
  • Enter the new password twice; if they do not match, show an error

Frontend (setting page) Wallet address binding

  • Shows the wallet list
  • Add wallet / delete wallet functions
  • After pressing the detail button (circled in red) ->

see wallet address binding 2

Frontend (setting page) Wallet address binding 2

  • You can see the addresses in wallet 1
  • You can delete an address
  • After pressing the add button (circled in red) ->

see wallet address binding 3

Frontend (setting page) Wallet address binding 3

  • Add your address with these 4 parameters
  1. Bitcoin address
  2. Private key
  3. Public key
  4. WIF

  Parameters 2 and 4 are the spending secret for the address; they are posted to the backend and kept in the Address table (section 1), so whoever can read that table can spend every bound address.

4. Infrastructure

  • Public IP: 218.253.12.22
  • Kali attacker VM SSH port exposed to the public: 22/tcp (left at the default)
  • Kali attacker VM local IP (bridged to the home router network): 192.168.31.109
  • Host IP (also on the home router network): 192.168.31.19
  • pfSense NIC1 (WAN) IP (on the home router network; the web application is reachable from the host at this IP): 192.168.31.218
  • Web server / DB VM local IP (under the pfSense LAN): 192.168.153.1

5. Security

  Security (pfSense)
  • Only port 443 is forwarded in

  • The firewall rules on 443 were changed
  • to prevent flooding

  Security (SSL)

  • Binding an SSL certificate to my domain name to secure the site
  • Domain sponsored by: freenom.com

  • SSL certificate sponsored by: ssl.com

  • SSL files installed in WAMP:

  Security (Apache defence)
  • Download the modules (security libraries from open-source web sources)

  • Move the files into this folder

Change the code in httpd.conf

reqtimeout_module (mod_reqtimeout) can defend against slow HTTP attacks, the kind tested below

mod_evasive (evasive20_module) + the pfSense firewall can defend against flooding (TCP/IP) attacks
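One way to write the httpd.conf changes described above, as an added example and not the project's own configuration. The module file names, the C:/wamp64/www/php paths and the thresholds are assumptions for a WAMP install; the nosniff header and directory rules at the end are the usual fixes for the content-type and exposed-library findings a web scanner reports, and whether they are exactly the report's Fix 2 and Fix 3 is also an assumption.

```apache
# Added example: Apache hardening for the WAMP deployment described above (paths and
# thresholds are assumptions; check the module names shipped with your Apache build).
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule evasive20_module  modules/mod_evasive.so
LoadModule headers_module    modules/mod_headers.so

# mod_reqtimeout: drop clients that feed the request headers or body too slowly.
# header: at most 20 s to send the headers, extended by 1 s per 500 bytes, up to 40 s.
# body:   at most 20 s for the body, extended by 1 s per 500 bytes received.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# mod_evasive: temporarily block an IP that requests the same page or the site too often.
<IfModule evasive20_module>
    DOSHashTableSize    3097
    DOSPageCount        10     # same page more than 10 times ...
    DOSPageInterval     1      # ... within 1 second
    DOSSiteCount        100    # any page more than 100 times ...
    DOSSiteInterval     1      # ... within 1 second
    DOSBlockingPeriod   60     # respond 403 to that IP for 60 seconds
    DOSLogDir           "C:/wamp64/logs/mod_evasive"
</IfModule>

# Scanner findings: declare that browsers must not sniff content types, and make sure
# no library or vendor directory is browsable from the web root.
Header always set X-Content-Type-Options "nosniff"
<Directory "C:/wamp64/www/php">
    Options -Indexes
</Directory>
<Directory "C:/wamp64/www/php/vendor">
    Require all denied
</Directory>
```

After editing, run `httpd -t` before restarting so a typo in the directives does not take the site down, and repeat the slowhttptest runs below to confirm the timeouts actually trip.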

  Security (Kali penetration test)

Flooding: pass

```shell
# Slow headers (Slowloris style): 1000 connections, 200 opened per second,
# a header fragment every 10 s, up to 24 bytes each, 3 s probe timeout
slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://192.168.31.218 -x 24 -p 3
```

Pass at 20 s

```shell
# Slow body: 3000 connections, 200 per second, announced Content-Length 8192,
# a body fragment every 110 s, up to 10 bytes each, unknown verb, 3 s probe timeout
slowhttptest -c 3000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u https://192.168.31.218 -x 10 -p 3
```

Pass at 80 s

Web Vulnerabilities Check

Before:

After:

Fix 1:

Remove the script that does not belong to my site (an externally referenced script)

Fix 2:

Add the content type

Fix 3: Remove the library that was viewable by the public

6. Difficulties encountered

Difficulty 1: BlockCypher PHP library deprecated

Since the version is too old and the repository became private on GitHub, we can't use composer install to install the library

Solution:

Install it manually, changing the config in the library files

Took 2 days of research and changes

Difficulty 2: Web routing problem

The npm webpack dev server host is different from the Apache host

Solution:

Tested every route combination and added basename /app/ to the router = success

Difficulty 3: home router port forwarding

Port forwarding was set but still did not work, for no obvious reason

Solution:

Found out that the Xiaomi router's UPnP setting has to be turned off.

About

EIE3117 Individual Project