ID H1:38157
Type hackerone
Reporter bobrov
Modified 2016-10-24T22:23:03
Description
PoC (Chrome):
https://qiwi.com/main.action#/\google.com/
Уязвимый фрагмент кода:
https://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9
if(this.wc.hash&&Aa(this.wc.hash,"#/"))return this.wc.href=this.wc.hash.substring(1).replace(/^\/+/,"/"),this;
{"id": "H1:38157", "hash": "6e701b4459f4dcb20c9b613b7ff0a313", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "2016-10-24T22:23:03", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "lastseen": "2019-01-03T13:57:35", "history": [{"bulletin": {"id": "H1:38157", "hash": "0efdf0f4524ae4d78af26018751e17341718651ed6b2e4c2b79ccf5acd9bc26b", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "2016-10-24T22:23:03", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:07", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}}, "differentElements": ["h1team"], "edition": 5, "lastseen": "2018-04-19T17:34:07"}, {"bulletin": {"id": "H1:38157", "hash": "637bc8fb1ed1ab559ee25a8b01709c82c0ec3c88effdd82abfb6f1422596d912", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "2016-10-24T22:23:03", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "lastseen": "2017-08-29T13:11:24", "history": [], "viewCount": 4, "enchantments": {"score": {"modified": "2017-08-29T13:11:24", "value": 5.8}}, "objectVersion": "1.4", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}}, "differentElements": ["h1reporter"], "edition": 3, "lastseen": "2017-08-29T13:11:24"}, {"bulletin": {"id": "H1:38157", "hash": "3a5d7a06b3b40c5af49a62e19b8afc04a1b65cd9411a54b98624357bbd4e10ac", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "2016-10-24T22:23:03", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "lastseen": "2018-02-07T16:57:58", "history": [], "viewCount": 4, "enchantments": {"score": {"modified": "2018-02-07T16:57:58", "value": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C/"}}, "objectVersion": "1.4", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}}, "differentElements": ["h1team", "h1reporter"], "edition": 4, "lastseen": "2018-02-07T16:57:58"}, {"bulletin": {"id": "H1:38157", "hash": "01f6842a5cc85a5b433a6c318e7f976955e82e75b5fabaca14817f74fae5f24d", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "lastseen": "2017-08-22T11:09:37", "history": [], "viewCount": 4, "enchantments": {}, "objectVersion": "1.4", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}}, "differentElements": ["h1reporter"], "edition": 1, "lastseen": "2017-08-22T11:09:37"}, {"bulletin": {"id": "H1:38157", "hash": "e289a239ae7327dc85b20bec462851e7b337cb89eb67ec0765f3c36fe89f73a4", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "lastseen": "2017-08-28T23:19:22", "history": [], "viewCount": 4, "enchantments": {}, "objectVersion": "1.4", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}}, "differentElements": ["modified"], "edition": 2, "lastseen": "2017-08-28T23:19:22"}], "viewCount": 4, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2019-01-03T13:57:35"}, "dependencies": {"references": [], "modified": "2019-01-03T13:57:35"}, "vulnersScore": -0.4}, "objectVersion": "1.4", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/215/0dc8ee065391a85b30f99626551e0428c94cd079_medium.png?1546511500", "small": "https://profile-photos.hackerone-user-content.com/000/000/215/d5a1bcb2e6f3ccd8f872672686456117df6a74cf_small.png?1546511500"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}, "_object_type": "robots.models.hackerone.HackerOneBulletin", "_object_types": ["robots.models.hackerone.HackerOneBulletin", "robots.models.base.Bulletin"]}
{}
