XSS payload from an active vulnerability. What was bypassed with it? ⤵️
javanoscript:a=document;alert('\@example.com/|'+a.domain);
javanoscript:a=document;alert('\@example.com/|'+a.domain);
Anonymous Poll
21%
Text input URL validation
23%
WAF
56%
Text input URL validation + WAF
🔥5👍3
Broken Authentication Session Token Bug
👉 https://hackerone.com/reports/948345
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #the_hacker_girl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 16, 2022, 11:43pm (UTC)
👉 https://hackerone.com/reports/948345
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #the_hacker_girl
🔹 State: 🟢 Resolved
🔹 Disclosed: February 16, 2022, 11:43pm (UTC)
Missing SPF record on trycourier.app
👉 https://hackerone.com/reports/1416701
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #musab_alharany
🔹 State: ⚪️ Informative
🔹 Disclosed: February 17, 2022, 6:36am (UTC)
👉 https://hackerone.com/reports/1416701
🔹 Severity: Medium
🔹 Reported To: Courier
🔹 Reported By: #musab_alharany
🔹 State: ⚪️ Informative
🔹 Disclosed: February 17, 2022, 6:36am (UTC)
Subdomain Takeover of brand.zen.ly
👉 https://hackerone.com/reports/1474784
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Zenly
🔹 Reported By: #mega7
🔹 State: 🟢 Resolved
🔹 Disclosed: February 17, 2022, 10:09am (UTC)
👉 https://hackerone.com/reports/1474784
🔹 Severity: Medium | 💰 750 USD
🔹 Reported To: Zenly
🔹 Reported By: #mega7
🔹 State: 🟢 Resolved
🔹 Disclosed: February 17, 2022, 10:09am (UTC)
👍1
Уязвимость в приложении для Android
👉 https://hackerone.com/reports/1343528
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: February 18, 2022, 7:09pm (UTC)
👉 https://hackerone.com/reports/1343528
🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: VK.com
🔹 Reported By: #executor
🔹 State: 🟢 Resolved
🔹 Disclosed: February 18, 2022, 7:09pm (UTC)
👏3
Self XSS in Create New Workspace Screen
👉 https://hackerone.com/reports/1442017
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Mattermost
🔹 Reported By: #rynexxx
🔹 State: 🟢 Resolved
🔹 Disclosed: February 20, 2022, 9:08am (UTC)
👉 https://hackerone.com/reports/1442017
🔹 Severity: Low | 💰 50 USD
🔹 Reported To: Mattermost
🔹 Reported By: #rynexxx
🔹 State: 🟢 Resolved
🔹 Disclosed: February 20, 2022, 9:08am (UTC)
███ Page has a link to a google drive which has access to not only logos but also customer phone recordings
👉 https://hackerone.com/reports/864712
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Zomato
🔹 Reported By: #codersanjay
🔹 State: 🟢 Resolved
🔹 Disclosed: February 21, 2022, 8:15am (UTC)
👉 https://hackerone.com/reports/864712
🔹 Severity: Medium | 💰 200 USD
🔹 Reported To: Zomato
🔹 Reported By: #codersanjay
🔹 State: 🟢 Resolved
🔹 Disclosed: February 21, 2022, 8:15am (UTC)
👍1
Remote memory disclosure vulnerability in libcurl on 64 Bit Windows
👉 https://hackerone.com/reports/1444539
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #nsq11
🔹 State: ⚪️ Informative
🔹 Disclosed: February 21, 2022, 9:15am (UTC)
👉 https://hackerone.com/reports/1444539
🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #nsq11
🔹 State: ⚪️ Informative
🔹 Disclosed: February 21, 2022, 9:15am (UTC)
De-anonymize anonymous tips through the Tumblr blog network
👉 https://hackerone.com/reports/1484168
🔹 Severity: Medium | 💰 450 USD
🔹 Reported To: Automattic
🔹 Reported By: #ajoekerr
🔹 State: 🟢 Resolved
🔹 Disclosed: February 21, 2022, 2:58pm (UTC)
👉 https://hackerone.com/reports/1484168
🔹 Severity: Medium | 💰 450 USD
🔹 Reported To: Automattic
🔹 Reported By: #ajoekerr
🔹 State: 🟢 Resolved
🔹 Disclosed: February 21, 2022, 2:58pm (UTC)
████ api key exposed in github.com/███/███
👉 https://hackerone.com/reports/1454965
🔹 Severity: High
🔹 Reported To: 8x8
🔹 Reported By: #adnanmalikinfo
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:19am (UTC)
👉 https://hackerone.com/reports/1454965
🔹 Severity: High
🔹 Reported To: 8x8
🔹 Reported By: #adnanmalikinfo
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:19am (UTC)
😢2💩1
Claiming the listing of a non-delivery restaurant through OTP manipulation
👉 https://hackerone.com/reports/1330529
🔹 Severity: Critical | 💰 3,250 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 8:51am (UTC)
👉 https://hackerone.com/reports/1330529
🔹 Severity: Critical | 💰 3,250 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 8:51am (UTC)
🔥2🥰1
FULL SSRF
👉 https://hackerone.com/reports/1241149
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 9:09am (UTC)
👉 https://hackerone.com/reports/1241149
🔹 Severity: Low
🔹 Reported To: Acronis
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 9:09am (UTC)
🔥1
broken authentication (password reset link not expire after use in https://network.tochka.com/sign-up)
👉 https://hackerone.com/reports/1401891
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #uddeshaya
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 2:28pm (UTC)
👉 https://hackerone.com/reports/1401891
🔹 Severity: Low | 💰 100 USD
🔹 Reported To: QIWI
🔹 Reported By: #uddeshaya
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 2:28pm (UTC)
👍1😁1
IDOR in "external status check" API leaks data about any status check on the instance
👉 https://hackerone.com/reports/1372216
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:48pm (UTC)
👉 https://hackerone.com/reports/1372216
🔹 Severity: Medium | 💰 610 USD
🔹 Reported To: GitLab
🔹 Reported By: #joaxcar
🔹 State: 🟢 Resolved
🔹 Disclosed: February 22, 2022, 7:48pm (UTC)
Incorrect authorization to the intelbot service leading to ticket information
👉 https://hackerone.com/reports/1328546
🔹 Severity: Critical | 💰 15,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #johnstone
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:09am (UTC)
👉 https://hackerone.com/reports/1328546
🔹 Severity: Critical | 💰 15,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #johnstone
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:09am (UTC)
🔥3
Add upto 10K rupees to a wallet by paying an arbitrary amount
👉 https://hackerone.com/reports/1408782
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:19pm (UTC)
👉 https://hackerone.com/reports/1408782
🔹 Severity: High | 💰 2,000 USD
🔹 Reported To: Zomato
🔹 Reported By: #ashoka_rao
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 12:19pm (UTC)
Deliviry Club Courier app (v. 3.9.25.0); Disclosure phone number of client.
👉 https://hackerone.com/reports/1382570
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #388
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 1:01pm (UTC)
👉 https://hackerone.com/reports/1382570
🔹 Severity: Medium | 💰 150 USD
🔹 Reported To: Mail.ru
🔹 Reported By: #388
🔹 State: 🟢 Resolved
🔹 Disclosed: February 23, 2022, 1:01pm (UTC)
Hackerone open redirect security alert bypass via view report as PDF
👉 https://hackerone.com/reports/1386277
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #iamr0000t
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:06pm (UTC)
👉 https://hackerone.com/reports/1386277
🔹 Severity: Low | 💰 500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #iamr0000t
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:06pm (UTC)
[Android] Directory traversal leading to stealing auth tokens
👉 https://hackerone.com/reports/1378889
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #danielllewellyn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:07pm (UTC)
👉 https://hackerone.com/reports/1378889
🔹 Severity: High | 💰 3,500 USD
🔹 Reported To: Slack
🔹 Reported By: #danielllewellyn
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 5:07pm (UTC)
[AWC-Pune] - User can download files deleted by Admin using shortcuts
👉 https://hackerone.com/reports/1463028
🔹 Severity: Medium | 💰 550 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #prateek_thakare
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 7:56pm (UTC)
👉 https://hackerone.com/reports/1463028
🔹 Severity: Medium | 💰 550 USD
🔹 Reported To: Lark Technologies
🔹 Reported By: #prateek_thakare
🔹 State: 🟢 Resolved
🔹 Disclosed: February 25, 2022, 7:56pm (UTC)