6 matches found
RBKmoney: SUBDOMAIN TAKEOVER [http://dev.rbk.money/]
The DNS record of dev.rbk.money pointed to GitHub, but the domain was not used in any GitHub account, so it was possible to bind it to any repository...
RBKmoney: DOM-based Cross-Site Scripting in redirect url checkout
The application was exposed to an XSS vulnerability. The code was injected through the "javascript:" URL scheme. If the invoice was successfully paid, the code was executed...
RBKmoney: Text manipulation in https://checkout.rbk.money
Phishing / social engineering via text manipulation on HTML form labels...
RBKmoney: Open Redirection on auth.rbk.money
An open redirect vulnerability was found in Keycloak. Find the writeup soon on my website. Edit: the writeup is here: http://abartandhakal.com.np/main/2018/01/27/open-redirection-on-rbk-money/...
RBKmoney: Information Disclosure - Composer.lock
Non-sensitive information disclosure via composer.lock...
RBKmoney: IDOR in merchant.rbmonkey.com allows deleting eShops of another user
The website merchant.rbmonkey.com was exposed to an insecure direct object reference (IDOR) vulnerability, which may allow an attacker to delete shop objects of another user...