Uber: Stored XSS on developer.uber.com via admin account compromise
Hi, anyone can add themselves as an administrator on the readme.io Uber project that powers developer.uber.com/documentation. To replicate this, first fetch https://uber.readme.io/inactive and grab Uber's project ID from the source: 578cd33dc27ce20e004e397b. Then, using this ID, create a normal...
Uber: Stored XSS in developer.uber.com
An attacker can make a series of requests to https://uber.readme.io/ that will result in permanent defacement/stored XSS of all the documentation pages on https://developer.uber.com/. I'm not entirely sure if this is in scope, but it could definitely have a major impact on developer.uber.com, so I...
Uber: CRLF Injection in developer.uber.com
The website located at https://developer.uber.com/ suffers from CRLF injection. This allows me to inject JavaScript, HTML as well as arbitrary HTTP Headers. Besides this, I can change the HTTP Response code as well, to display whatever I want in the victim's browser. The vulnerability resides in...