Lucene search
K

16 matches found

Hacker One
Hacker One
added 2020/07/25 7:0 p.m.9 views

GSA Bounty: Denial of service via cache poisoning on https://www.data.gov/

An attacker can persistently block access to any on https://www.data.gov/ by using cache poisoning with the h0st headers to cause 502 response code。 To replicate: load https://www.data.gov/ in your browser. look the burp , add ?xyzxyz=1 as cache buster , and add h0st headers h0st: wrtqvavjigwdvoq...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2020/02/18 11:3 a.m.49 views

GSA Bounty: open redirect in eb9f.pivcac.prod.login.gov

poc: https://eb9f.pivcac.prod.login.gov/?nonce=wI0UglN84A06Q4z4JnkZVc3i1V8%3D&redirecturi=https%3A%2F%2Fgoogle.com%23%40secure.login.gov%2Flogin%2Fpivcac visit this and will redirect to google.com Impact phishing...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2019/08/01 9:8 p.m.27 views

GSA Bounty: Stealing Users OAuth Tokens through redirect_uri parameter

I found that https://login.fr.cloud.gov/oauth/authorize has vulnerability by open redirect on oauth redirecturi which can lead to users oauth tokens being leaked to any malicious user. Step : 1, Clicked on link...

1.4AI score
Exploits0
Hacker One
Hacker One
added 2019/06/15 4:23 p.m.20 views

GSA Bounty: Blind Stored XSS In "Report a Problem" on www.data.gov/issue/

Step To Produce : 1. Open : https://www.data.gov/issue/ 2. fill "Issue Title" and "Description" With XSSHunter Payload 3. XSS Fired In https://labs.data.gov/crm/admin/report/662445 Impact Can steal admin cookies...

6.2AI score
Exploits0
Hacker One
Hacker One
added 2019/03/23 1:51 p.m.498 views

GSA Bounty: SSRF in Search.gov via ?url= parameter

Summary: https://search.usa.gov/helpdocs endpoint is vulnerable to SSRF via url parameter. The parameter is protected but can be bypassed using LF %0A. Steps To Reproduce: 1. Login to Search.gov and click help manual. 2. The following request was vulnerable. - Request GET...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2018/07/26 4:18 a.m.23 views

GSA Bounty: [idp.fr.cloud.gov] Open Redirect

Description: Open Redirect Domain: idp.fr.cloud.gov Steps To Reproduce: Open URL: https://idp.fr.cloud.gov//blackfan.ru/..;/css HTTP Response HTTP/1.1 302 Found ... Location: //blackfan.ru/..;/css/ ... Impact A web application accepts a user-controlled input that specifies a link to an external...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2018/05/31 11:13 a.m.29 views

GSA Bounty: Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone

Hey there, while signing for new api key, i have found two bugs that is unusual and make anyone to send crafted or customised email to someone. Bug 1: - low 1. Go to https://api.data.gov/signup/ 2. Enter first and last name , then enter email id and get api key. Bug: You can use the same email id...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2018/02/01 8:28 a.m.32 views

GSA Bounty: CI for [example.gov] can be logged in and accessible

When anyone searched a public search engine for inurl:example.gov where example.gov was one of the URLs in the TTS Bug Bounty scope, the search results included a CI/CD build results URL. When anyone visited that build results page, they were faced with a login page, but if they clicked "log in",...

7.2AI score
Exploits0
Hacker One
Hacker One
added 2017/12/21 3:13 p.m.13 views

GSA Bounty: Link poisoning on https://secure.login.gov/ login page

This link leads to the genuine secure.login.gov login page, in French: https://secure.login.gov/fr?host=portswigger.net However, if you try to change the language to English using the bar at the bottom you'll end up an external website of my choice. As users won't expect changing their language t...

1.1AI score
Exploits0
Hacker One
Hacker One
added 2017/08/28 4:40 p.m.20 views

GSA Bounty: 2FA bypass - confirmation tokens don't expire

Hi there, Because of the limitation of the site, accounts may be locked down for 10 minutes. I found 2 ways to bypass this lock period. First one with the confirmation mail that we get when we sign on. If we get the token this way below, we can change account password and bypass the lock period a...

7AI score
Exploits0
Hacker One
Hacker One
added 2017/08/28 10:48 a.m.19 views

GSA Bounty: Content injection via URL parameter.

Hello, The following URL is vulnerable to content & code injection. https://labs.data.gov/dashboard/validate...

1.3AI score
Exploits0
Hacker One
Hacker One
added 2017/08/26 6:18 p.m.19 views

GSA Bounty: Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host

We endorse sp1d3rs's summary! The PR fixing this ticket is here: https://github.com/18F/federalist/pull/1157 Thanks to the 18F team for the great experience, fast fix, and the bounty! The report details i requested the limited disclosure due to lot of sensitive info in the attachments and report...

Exploits0
Hacker One
Hacker One
added 2017/08/26 9:22 a.m.27 views

GSA Bounty: federalist.18f.gov vulnerable to Sweet32 attack

The researcher noted that federalist.18f.gov allows use of the TLSRSAWITH3DESEDECBCSHA cipher, which is now marked as "weak" in SSL labs because of risks of MitM attacks given this vulnerability: https://sweet32.info/, which requires monitoring of a long lived HTTPS connection. We inherit this...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2017/08/25 1:33 p.m.78 views

GSA Bounty: HTML injection (with XSS possible) on the https://www.data.gov/issue/ using media_url attribute

Description Hello. I discovered Cross-Site scripting issue on the https://www.data.gov/issue/ endpoint. Akamai WAF and bypass At the srart i was not able to do the XSS due to Akamai Waf XSS filters, but later, i was able to bypass it. POC HTML injection...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2017/08/23 6:10 p.m.220 views

GSA Bounty: Information disclosure (system username) in the x-amz-meta-s3cmd-attrs response header on federation.data.gov

Description Hi. I just noticed, that you are extended the scope for the bounty program. I looked to the first resource - https://federation.data.gov/ I noticed, that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like system username:...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2017/07/13 2:36 p.m.27 views

GSA Bounty: Race condition on the Federalist API endpoints can lead to the Denial of Service attack

Description Hello. I discovered that the Federalist API doesn't have rate limiting in place, and executes any amount of request to the endpoint in parallel mode. The impact Since you are using the cloud, and i can't test the production environment, impact is theoretical in this case - it can be a...

0.4AI score
Exploits0
Rows per page
Query Builder