4 matches found
Uber: udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Summary The udi-id request parameter at the https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js mobile endpoint is copied into a JavaScript string encapsulated in double quotation marks, resulting in SSL-protected payloads being reflected unmodified in the application's response. The script-src whitelis...
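The bug class described in the report above, as an added example that is not code from the report or from Uber: a hypothetical renderScriptUnsafe() reproduces the vulnerable pattern (the raw parameter concatenated into a double-quoted JavaScript string literal), renderScriptSafe() shows one correct way to embed untrusted text in a script, and executesPayload() evaluates the generated script in a throwaway function scope to show whether a constructed payload breaks out of the literal. Only the parameter name udiId follows the report; every other name and the sample payload are assumptions.

```javascript
// Added example, not the report's or Uber's code. Demonstrates why a request
// parameter copied verbatim into a double-quoted JS string literal is a
// reflected XSS, and how to embed it safely. Function names are hypothetical.

// Vulnerable pattern (hypothetical reconstruction of the bug class): the
// server builds a script body by concatenating the raw parameter value.
function renderScriptUnsafe(udiId) {
  return 'var udiId = "' + udiId + '";';
}

// Hardened: JSON.stringify yields a quoted literal with " and \ escaped;
// the extra replacements neutralise "</script>" for the inline-script case
// and the U+2028/U+2029 line terminators that engines predating ES2019
// reject inside string literals.
function renderScriptSafe(udiId) {
  const literal = JSON.stringify(String(udiId))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'var udiId = ' + literal + ';';
}

// Run a generated script body in a throwaway function scope. The payload is
// given a hit() function to call; if it escapes the string literal, hit()
// runs and pwned becomes true. The value the script assigned is returned too.
function executesPayload(scriptBody) {
  const sandbox = { pwned: false };
  let value;
  try {
    const fn = new Function(
      'sandbox',
      'var hit = function () { sandbox.pwned = true; };\n' +
        scriptBody + '\n' +
        'return udiId;'
    );
    value = fn(sandbox);
  } catch (e) {
    value = undefined; // syntax error: payload broke the script, nothing ran
  }
  return { pwned: sandbox.pwned, value: value };
}

// Constructed attacker input: closes the literal, calls hit(), then comments
// out the rest of the line so the script still parses.
const PAYLOAD = '";hit();//';

// Side-by-side result for the constructed payload.
function compare() {
  return {
    unsafe: executesPayload(renderScriptUnsafe(PAYLOAD)),
    safe: executesPayload(renderScriptSafe(PAYLOAD)),
  };
}
```

With the unsafe renderer the generated script becomes var udiId = "";hit();//"; and hit() executes; with the safe renderer the same input survives as the string value and nothing executes. Escaping for a JavaScript string context is separate from HTML escaping: HTML-encoding the parameter would not stop the quote from terminating the literal.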
Uber: Header Injection
Hi Uber, I would like to report an issue on the domain http://m.uber.com. Upon testing some back and forth requests to this domain, I figured out that it is possible to inject arbitrary content into the headers of the requests. Upon increasing the size of the payload in the header, it leads to...
Uber: Stored self-XSS at m.uber.com
There is a stored self-XSS vulnerability at m.uber.com in displaying the Uber invite code. If the user sets the invite code to the value alert(document.domain) using the main personal area at uber.com and then signs into m.uber.com, the XSS is fired. Possible other user exploitation case can be...
Uber: Open Redirect in m.uber.com
Reproduction Steps: https://m.uber.com//youtube.com/%2F..
HTTP Response:
HTTP/1.1 303 See Other
...
Location: //youtube.com/%2F../...
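The redirect primitive in the reproduction above, as an added example that is not code from the report or from Uber: a request path beginning with // is echoed into Location, and browsers read //youtube.com/... as a protocol-relative URL for youtube.com. A hypothetical safeRedirectLocation() resolves a candidate target the way a browser would (WHATWG URL parsing against the site's own origin) and refuses anything that leaves that origin, which also covers the backslash and absolute-URL variants. SITE_ORIGIN, the function names and the sample inputs are assumptions.

```javascript
// Added example, not the report's or Uber's code. Shows how the reported
// open redirect looks to a URL parser and how to validate redirect targets
// by resolution rather than by string prefix checks. Names are hypothetical.

const SITE_ORIGIN = 'https://m.uber.com';

// Resolve the candidate as a browser would and return a same-origin
// Location value, or null when the target would leave SITE_ORIGIN.
function safeRedirectLocation(candidate) {
  let resolved;
  try {
    resolved = new URL(candidate, SITE_ORIGIN + '/');
  } catch (e) {
    return null; // unparseable input: never redirect
  }
  if (resolved.origin !== SITE_ORIGIN) {
    return null; // //youtube.com, https://..., /\host: all off-site
  }
  // Emit only path, query and fragment so the response can never carry an
  // authority component, even if a later proxy rewrites the scheme.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed samples: the reported case plus common bypass shapes and two
// legitimate same-origin paths.
const SAMPLES = [
  '//youtube.com/%2F..',     // reported case: protocol-relative URL
  '/\\youtube.com/',         // backslash variant browsers normalise to //
  'https://youtube.com/',    // absolute URL
  '/account/trips?x=1#top',  // legitimate same-origin path
  '/%2F..%2Fsettings',       // encoded slashes: still on-site to the browser
];

// Map each sample to the Location value the check would allow (or null).
function classify() {
  return SAMPLES.map(function (s) {
    return [s, safeRedirectLocation(s)];
  });
}
```

The key point is that '//youtube.com/%2F..' never starts with 'http', so a check that only rejects absolute URLs passes it; resolving against the site origin and comparing origin catches it along with the backslash form. The %2F.. in the original path is left to the application: the URL parser treats %2F.. as an ordinary segment, so the check does not rely on decoding it.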