Lucene search
K

942 matches found

Hacker One
Hacker One
added 2015/02/17 8:46 a.m.23 views

Slack: Team admin can add billing contacts

Billing contacts can only be added by team owners. However, team admin can escalate his privileges and add billing contacts. Steps to reproduce: 1.Log in as team admin 2.Send the below request using his token and it adds '[email protected]' to billing contacts. POST /api/team.billing.addContact...

2.1AI score
Exploits0
Hacker One
Hacker One
added 2015/02/05 2:57 p.m.21 views

Slack: Team admin can change unauthorized team setting (allow_message_deletion)

Team admin can escalate his privileges and change 'allowmessagedeletion' team setting, which can be changed only by a team owner. Steps to reproduce: 1. Log in as team admin. 2. Send the below request using his cookie & token and notice that it changes 'allowmessagedeletion' team setting to true...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2015/02/05 2:16 p.m.37 views

Slack: Team admin can change unauthorized team setting (require_at_for_mention)

Team admin can escalate his privileges and change 'requireatformention' team setting, which can be changed only by a team owner. Steps to reproduce: 1. Log in as team admin 2. Send the below request using his token and notice that it changes 'requireatformention' setting to true. POST...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2014/10/28 8:32 a.m.19 views

Slack: a stored xss in slack integration https://onerror.slack.com/services/import

location of the stored xss bug : https://hunter22.slack.com/admin/name in team name :put this payload :" stored xss executed here: https://hunter22.slack.com/services/import...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2014/09/03 12:52 a.m.18 views

Slack: HTTP Strict Transport Policy not enabled on newly made accounts

Hey As we know that the HSTS prevents MITM against SSL. I just checked the headers of the account i created localhost.slack.com SERVER RESPONSE: 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Content-Encoding: gzip Content-Type: text/html; charset="utf-8" Date: Wed, 03 Sep 201...

0.7AI score
Exploits0
Hacker One
Hacker One
added 2014/08/01 3:11 p.m.42 views

Slack: Content Spoofing all Integrations in https://team.slack.com/services/new/

Hello There, I've discovered 48+ content spoofing and confirmed all of your Integrations at https://team.slack.com/services/new/ is vulnerable to Content spoofing and exploitable to all users. Content Spoofing An attack technique used to trick a user into thinking that fake web site content is...

7AI score
Exploits0
Hacker One
Hacker One
added 2014/07/23 8:6 p.m.18 views

Slack: Content spoofing at Stripe Integrations

I have found Content Spoofing Vulnerable in Slack at Stripe Integrations vulnerability is exploitable to all users Proof of concept: https://asdasda.slack.com/services/2481499413?error=content%20spoofing%20! Regards, Jayson Zabate...

1.9AI score
Exploits0
seebug.org
seebug.org
added 2014/07/01 12:0 a.m.25 views

lftp <= 2.6.9 - Remote Stack based Overflow Exploit

No description provided by source. / lftp remote stack-based overflow exploit by Li0n7 voila fr Vulnerability discovered by Ulf Harnhammar Ulf.Harnhammar.9485 student uu se Lftp versions later than 2.6.10 are prone to a remotly exploitable stack-based overflow in trynetscapeproxy and trysquideplf...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2014/06/17 8:19 a.m.20 views

Slack: Open Redirect login account

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. Reproduction Instructions go to...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2014/05/30 12:42 p.m.50 views

Slack: SSRF on https://whitehataudit.slack.com/account/photo

During post request to https://whitehataudit.slack.com/account/photo: POST /account/photo HTTP/1.1 Host: whitehataudit.slack.com User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.9; rv:29.0 Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8...

7AI score
Exploits0
Hacker One
Hacker One
added 2014/05/30 8:20 a.m.395 views

Slack: Remote file Inclusion - RFI in upload

Hello, Everysite has a RFI vulnerability. Everysite i.e .slack.com is having this vulnerability. Proof of concept / Steps to Reproduce : ================================= 1. Sign in to your account on slack eg. I signed in https://pran3hiva.slack.com 2. Now, go to 'Change photo'. i.e...

0.1AI score
Exploits0
Hacker One
Hacker One
added 2014/05/06 6:21 p.m.21 views

Slack: XSS in gist integration

Create a gist called: " 2. have gist integration enabled and put a link in a slack chat 3. Visit the 'raw' or 'new window' pages for this gist, for example: https://outpost.slack.com/files/zemnmez/F029MDY33/svgonloadalert1...

0.9AI score
Exploits0
Hacker One
Hacker One
added 2014/04/29 3:12 p.m.17 views

Slack: Stored XSS in slack.com (integrations)

Hi Slack, i'm going to report stored xss in slack integrations. Attack String Payload: http://jeroldcamacho.com/%5Ex1s1s/slack.com.txt Proof of Concept: here is the videoVideo. video: https://www.dropbox.com/s/3qfo5fdezn6ci2q/slack.com%20xss.avi Thanks, Jerold Camacho...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2014/04/25 4:26 p.m.15 views

Slack: Stored XSS Found

The type of XSS Vulnerability I found on your website is a stored xss. after i connect my github account and add a new integration then i chose my repositories then on the right side of that is a textfield that has a placeholder of Branches optional. then i put the following code on that textfiel...

Exploits0
Hacker One
Hacker One
added 2014/04/06 11:1 a.m.57 views

Slack: open redirect in https://slack.com

Navigate to Https://slack.com append "/link?url=url=http://bing.com" or enter any website of your choice with http:// vulnerable link https://slack.com/link?url=http://bing.com notice that user is redirected to bing.com without being validated or notified...

0.4AI score
Exploits0
Hacker One
Hacker One
added 2014/04/06 7:24 a.m.32 views

Slack: Facebook Takeover using Slack using 302 from files.slack.com with access_token

Hi, I noticed that your Facebook application used in the "Import Photo" can be used to take over the Facebook account of the user being attacked. It's multiple issues in one: 1. You have a 302 redirect from a .slack.com domain. Hash-values will follow the redirect. 2. The Facebook application OAu...

0.2AI score
Exploits0
Hacker One
Hacker One
added 2014/03/23 7:51 p.m.17 views

Slack: Duplicate of #4550

Here's the duplicate ticket you asked for 4550 XSS in Slack Redirection...

1.5AI score
Exploits0
Hacker One
Hacker One
added 2014/03/22 10:54 a.m.41 views

Slack: Stored XSS in Slackbot Direct Messages

Whenever a new team is created, Slackbot uses automated profile completion by asking a few questions from the user like the first name, last name, skype account etc. But instead of providing the correct details we provide as input then Slackbot will cause the data go inside the anchor tag ... so...

0.3AI score
Exploits0
Hacker One
Hacker One
added 2014/03/22 6:15 a.m.44 views

Slack: Open Redirect in Slack

This link shall redirect to google.co.in: http://prakhar.slack.com/link?url=http%3A%2F%2Fgoogle.co.in Straight, open redirection! Thanks!...

Exploits0
Hacker One
Hacker One
added 2014/03/03 10:6 p.m.12 views

Slack: Content Spoofing

Here is an unvalidated insertion of an image, resulting to content spoofing https://awayon.slack.com/account/photo?url=http://www.thenewstribe.com/wp-content/uploads/2014/01/Syrian-Electronic-Army-hacked-CNN.jpg It displays any photo, what the attacker must know is just the "awayon" or the team...

0.8AI score
Exploits0
Rows per page
Query Builder