OpenSea

Struggling with how to get only auctions that are current from the order API + API results capped?

When I log in to opensea, I see something along the lines of 7 million results when I query collection_slug=gods-unchained. I'm trying to accumulate all open orders through the API. Testing the waters, I have one set of criteria that pages through 10500 records at 50 records a page and then I get a bad request from the API call that is being made.

ex. 1: https://api.opensea.io/wyvern/v1/orders?bundled=false&include_bundled=false&include_invalid=false&limit=50&offset=5300&collection_slug=gods-unchained

If I change the criteria, and therefore change the records that I am paging over, I page through exactly 10500 records and dead again:

ex. 2: https://api.opensea.io/wyvern/v1/orders?bundled=false&include_bundled=false&include_invalid=false&limit=50&offset=5300&collection_slug=gods-unchained&is_english=false&only_english=false&sale_type=0

I would expect from what I read in the API guide that the call in ex. 1 would show all listings and the call in ex. 2 would only show FOR SALE listings (doesn't seem to be working that way - here is one of the results that is returned from ex. 2 - an AUCTION - https://opensea.io/assets/0x0e3a2a1f2146d86a604adc220b4967a898d7fe07/46362204).

Question 1: How can I form an API call to get an accurate list of orders that are current FOR SALE type auctions only? The second GET request that is shown implements everything I could find in the API manual to get a list of FOR SALE only, NON-AUCTIONS, yet the data set I pull down after paging through the results contains AUCTIONS, which I do not currently want to see.

Question 2: Is there a rate limit or cap that is preventing me from pulling over 10500 records? Seems very suspect that both GET calls conveniently stop at the same place no matter what my criteria are. Could it be that there are only 10500 records even though it shows 7 million in the UI?

Thank you in advance!

Posted by Robert Ogden 27 days ago


Subject: POTENTIAL VULNERABILITY REPORT [ 1 ] :: Clickjacking Found at login page

Hello Security, This is Hassan here with the bug report.

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

This vulnerability affects Web Server.

IMPACT: An attacker can host this domain in another evil site by using an iframe, and if a user fills the given field it can directly redirect as logs to the attacker and afterwards redirect to your web server. It leads to stealing user information too, and using that host site as phishing of your site. It is CSRF and Clickjacking.

POC

1. Open URL: https://opensea.io/wallet/install?referrer=%252Faccount

2. Put the URL in the iframe of the code below:

<!DOCTYPE HTML>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <title>i Frame</title>
</head>
<body>
  <h3>This is clickjacking vulnerable</h3>
  <!-- The target page renders here only if the response carries no anti-framing header -->
  <iframe src="https://opensea.io/wallet/install?referrer=%252Faccount"
          frameborder="1" height="500" width="500"></iframe>
</body>
</html>

3. Observe that the site is getting displayed in the iframe.

Impact: By using the Clickjacking technique, an attacker hijacks clicks meant for one page and routes them to another page, most likely for another application, domain, or both.

Remediation:
Frame busting technique is the better framing protection technique.
Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains.

Please check this issue. Hoping to receive appreciation for responsibly reporting this bug. I'm waiting for your response.

Kind regards
Hassan

Posted by Hassan Abbas about a month ago
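A check for the remediation the report describes, added here as an example and not part of the report or of OpenSea's code: it takes a response's headers and decides whether arbitrary third-party sites can frame the page, treating a CSP frame-ancestors directive as taking precedence over X-Frame-Options the way current browsers do. The header values in the block are constructed samples.

```python
from typing import List, Mapping, Optional, Tuple

# frame-ancestors sources that let any third-party origin frame the page
_OPEN_SOURCES = {"*", "http:", "https:"}


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list of a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether the response headers stop other origins from framing the page.

    Returns (protected, reason). Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP Level 2: when frame-ancestors is present, browsers ignore X-Frame-Options.
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            if any(s in _OPEN_SOURCES for s in sources):
                return False, "frame-ancestors allows any origin"
            return True, "frame-ancestors: " + " ".join(sources)

    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return True, "x-frame-options: " + xfo
    if xfo.startswith("allow-from"):
        # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
        return False, "x-frame-options ALLOW-FROM is ignored by modern browsers"
    return False, "no anti-framing header"


if __name__ == "__main__":
    # Constructed sample: a response like the one the report describes, with no anti-framing header.
    sample = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
    print(framing_protection(sample))  # (False, 'no anti-framing header')
```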