ID H1:38157
Type hackerone
Reporter bobrov
Modified 2016-10-24T22:23:03
Description
PoC (Chrome):
https://qiwi.com/main.action#/\google.com/
Уязвимый фрагмент кода (vulnerable code fragment):
https://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9
if(this.wc.hash&&Aa(this.wc.hash,"#/"))return this.wc.href=this.wc.hash.substring(1).replace(/^\/+/,"/"),this;
Root cause: the `replace(/^\/+/,"/")` step only collapses leading forward slashes, so a hash of `#/\google.com/` passes the `#/` prefix check and is assigned to `href` as `/\google.com/`; browsers whose URL parser treats `\` as `/` in http(s) URLs (Chrome) resolve that as the protocol-relative `//google.com/`, which is the redirect. A robust fix validates the extracted fragment against an allow-list of in-app routes rather than normalising slashes, or at minimum rejects values containing `\` as well as a leading `//`.
{"id": "H1:38157", "bulletinFamily": "bugbounty", "title": "QIWI: [qiwi.com] Open Redirect", "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "published": "2014-12-03T20:25:50", "modified": "2016-10-24T22:23:03", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/38157", "reporter": "bobrov", "references": [], "cvelist": [], "type": "hackerone", "lastseen": "2019-01-03T13:57:35", "history": [{"bulletin": {"bounty": 150.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "edition": 5, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}, "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": 
"https://profile-photos.hackerone-user-content.com/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "hash": "0efdf0f4524ae4d78af26018751e17341718651ed6b2e4c2b79ccf5acd9bc26b", "hashmap": [{"hash": "465bab16b476bdb94ca516c772e22450", "key": "reporter"}, {"hash": "ee99f0d96027721a03bc10baaa149b7d", "key": "href"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "79b883b00937f7f97d41c76bd935ba1f", "key": "modified"}, {"hash": "6c8d2160c89877034badc4456ad23ea3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "3bbe7035151b454d2103e1f601aa3169", "key": "h1team"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ba7c39a8da9cb6c22f645e31d83c3b1a", "key": "title"}, {"hash": "4c0b24a2b68f6d287e4d954cd222f624", "key": "h1reporter"}, {"hash": "e77f848ebbae19a99eee74e4d5246ce5", "key": "bounty"}, {"hash": "9cd35673fbbaac088c68dbe74bd6f9b7", "key": "description"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/38157", "id": "H1:38157", "lastseen": "2018-04-19T17:34:07", "modified": "2016-10-24T22:23:03", "objectVersion": "1.3", "published": "2014-12-03T20:25:50", "references": [], "reporter": "bobrov", "title": "QIWI: [qiwi.com] Open Redirect", "type": "hackerone", "viewCount": 4}, "differentElements": ["h1team"], "edition": 5, "lastseen": "2018-04-19T17:34:07"}, {"bulletin": {"bounty": 150.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 
\u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "edition": 3, "enchantments": {"score": {"modified": "2017-08-29T13:11:24", "value": 5.8}}, "h1reporter": {"disabled": false, "hacker_mediation": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}, "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "hash": "637bc8fb1ed1ab559ee25a8b01709c82c0ec3c88effdd82abfb6f1422596d912", "hashmap": [{"hash": "465bab16b476bdb94ca516c772e22450", "key": "reporter"}, {"hash": "ee99f0d96027721a03bc10baaa149b7d", "key": "href"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "79b883b00937f7f97d41c76bd935ba1f", "key": "modified"}, {"hash": "6c8d2160c89877034badc4456ad23ea3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "cdfab2d1b4621102bca6bfbe84056605", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ba7c39a8da9cb6c22f645e31d83c3b1a", "key": "title"}, {"hash": "e77f848ebbae19a99eee74e4d5246ce5", "key": "bounty"}, {"hash": "9cd35673fbbaac088c68dbe74bd6f9b7", "key": "description"}, {"hash": "972aa51284f89e6723554d31f7a748c8", "key": "h1reporter"}, {"hash": 
"fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/38157", "id": "H1:38157", "lastseen": "2017-08-29T13:11:24", "modified": "2016-10-24T22:23:03", "objectVersion": "1.3", "published": "2014-12-03T20:25:50", "references": [], "reporter": "bobrov", "title": "QIWI: [qiwi.com] Open Redirect", "type": "hackerone", "viewCount": 4}, "differentElements": ["h1reporter"], "edition": 3, "lastseen": "2017-08-29T13:11:24"}, {"bulletin": {"bounty": 150.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "edition": 4, "enchantments": {"score": {"modified": "2018-02-07T16:57:58", "value": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C/"}}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}, "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "hash": "3a5d7a06b3b40c5af49a62e19b8afc04a1b65cd9411a54b98624357bbd4e10ac", "hashmap": [{"hash": "465bab16b476bdb94ca516c772e22450", "key": 
"reporter"}, {"hash": "ee99f0d96027721a03bc10baaa149b7d", "key": "href"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "79b883b00937f7f97d41c76bd935ba1f", "key": "modified"}, {"hash": "6c8d2160c89877034badc4456ad23ea3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "cdfab2d1b4621102bca6bfbe84056605", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "93a84667cf4d5f0dd1b028d90789a6cf", "key": "h1reporter"}, {"hash": "ba7c39a8da9cb6c22f645e31d83c3b1a", "key": "title"}, {"hash": "e77f848ebbae19a99eee74e4d5246ce5", "key": "bounty"}, {"hash": "9cd35673fbbaac088c68dbe74bd6f9b7", "key": "description"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/38157", "id": "H1:38157", "lastseen": "2018-02-07T16:57:58", "modified": "2016-10-24T22:23:03", "objectVersion": "1.3", "published": "2014-12-03T20:25:50", "references": [], "reporter": "bobrov", "title": "QIWI: [qiwi.com] Open Redirect", "type": "hackerone", "viewCount": 4}, "differentElements": ["h1team", "h1reporter"], "edition": 4, "lastseen": "2018-02-07T16:57:58"}, {"bulletin": {"bounty": 150.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "edition": 1, "enchantments": {}, "h1reporter": {"disabled": false, "hacker_mediation": false, 
"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}, "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "hash": "01f6842a5cc85a5b433a6c318e7f976955e82e75b5fabaca14817f74fae5f24d", "hashmap": [{"hash": "465bab16b476bdb94ca516c772e22450", "key": "reporter"}, {"hash": "ee99f0d96027721a03bc10baaa149b7d", "key": "href"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "6c8d2160c89877034badc4456ad23ea3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "cdfab2d1b4621102bca6bfbe84056605", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ba7c39a8da9cb6c22f645e31d83c3b1a", "key": "title"}, {"hash": "2e5e8f033f1986e8658ba37ae96aae4b", "key": "h1reporter"}, {"hash": "e77f848ebbae19a99eee74e4d5246ce5", "key": "bounty"}, {"hash": "9cd35673fbbaac088c68dbe74bd6f9b7", "key": "description"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/38157", "id": "H1:38157", "lastseen": "2017-08-22T11:09:37", "modified": "1970-01-01T00:00:00", "objectVersion": "1.3", "published": "2014-12-03T20:25:50", "references": [], "reporter": "bobrov", "title": "QIWI: [qiwi.com] Open Redirect", "type": "hackerone", "viewCount": 4}, 
"differentElements": ["h1reporter"], "edition": 1, "lastseen": "2017-08-22T11:09:37"}, {"bulletin": {"bounty": 150.0, "bountyState": "resolved", "bulletinFamily": "bugbounty", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "PoC (Chrome):\r\nhttps://qiwi.com/main.action#/\\google.com/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u0439 \u0444\u0440\u0430\u0433\u043c\u0435\u043d\u0442 \u043a\u043e\u0434\u0430:\r\nhttps://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9\r\nif(this.wc.hash&&Aa(this.wc.hash,\"#/\"))return this.wc.href=this.wc.hash.substring(1).replace(/^\\/+/,\"/\"),this;", "edition": 2, "enchantments": {}, "h1reporter": {"disabled": false, "hacker_mediation": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}, "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/215/8e2cf926d9711c2f3fde4f4a97009c320375ced0_medium.png?1415704940", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/215/bb4d4fcfc29579c7e90c05bc75e6486f99b382ff_small.png?1415704940"}, "url": "https://hackerone.com/qiwi"}, "hash": "e289a239ae7327dc85b20bec462851e7b337cb89eb67ec0765f3c36fe89f73a4", "hashmap": [{"hash": "465bab16b476bdb94ca516c772e22450", "key": "reporter"}, {"hash": "ee99f0d96027721a03bc10baaa149b7d", "key": "href"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "6c8d2160c89877034badc4456ad23ea3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "cdfab2d1b4621102bca6bfbe84056605", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": 
"cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ba7c39a8da9cb6c22f645e31d83c3b1a", "key": "title"}, {"hash": "e77f848ebbae19a99eee74e4d5246ce5", "key": "bounty"}, {"hash": "9cd35673fbbaac088c68dbe74bd6f9b7", "key": "description"}, {"hash": "972aa51284f89e6723554d31f7a748c8", "key": "h1reporter"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "history": [], "href": "https://hackerone.com/reports/38157", "id": "H1:38157", "lastseen": "2017-08-28T23:19:22", "modified": "1970-01-01T00:00:00", "objectVersion": "1.3", "published": "2014-12-03T20:25:50", "references": [], "reporter": "bobrov", "title": "QIWI: [qiwi.com] Open Redirect", "type": "hackerone", "viewCount": 4}, "differentElements": ["modified"], "edition": 2, "lastseen": "2017-08-28T23:19:22"}], "edition": 6, "hashmap": [{"key": "bounty", "hash": "e77f848ebbae19a99eee74e4d5246ce5"}, {"key": "bountyState", "hash": "fafdd4fbb3fee9a56e17d43689f48d18"}, {"key": "bulletinFamily", "hash": "05ada9a7482161942c43eadd60b0440c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "9cd35673fbbaac088c68dbe74bd6f9b7"}, {"key": "h1reporter", "hash": "4c0b24a2b68f6d287e4d954cd222f624"}, {"key": "h1team", "hash": "69f706b1d8eef40bc4b4bc465a868221"}, {"key": "href", "hash": "ee99f0d96027721a03bc10baaa149b7d"}, {"key": "modified", "hash": "79b883b00937f7f97d41c76bd935ba1f"}, {"key": "published", "hash": "6c8d2160c89877034badc4456ad23ea3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "465bab16b476bdb94ca516c772e22450"}, {"key": "title", "hash": "ba7c39a8da9cb6c22f645e31d83c3b1a"}, {"key": "type", "hash": "ec83c92514064cbcd1d6878e7bc2471a"}], "hash": "b4dbbb49aa1f4dc75d6cb151349cbfb067e573e8cf2a3d5870ea04f666a5fc79", "viewCount": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": 
{"references": [], "modified": "2019-01-03T13:57:35"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "bounty": 150.0, "bountyState": "resolved", "h1team": {"handle": "qiwi", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/000/215/0dc8ee065391a85b30f99626551e0428c94cd079_medium.png?1546511500", "small": "https://profile-photos.hackerone-user-content.com/000/000/215/d5a1bcb2e6f3ccd8f872672686456117df6a74cf_small.png?1546511500"}, "url": "https://hackerone.com/qiwi"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/002/205/492265dcd1cba57abf1401bf827738afc3565170_small.jpeg?1389674804"}, "url": "/bobrov", "username": "bobrov"}}
{}