15275 matches found
Lob: Blind SSRF/XSPA on dashboard.lob.com + blind code injection
Summary: I was just playing around with the website and I found blind XSPA at the time of creating Templates on dashboard.lob.com. Steps To Reproduce: 1. Go to https://dashboard.lob.com//templates 1. Now click on create template and insert this code in HTML : "'" / and click on create. 1. Now click on...
Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_MAKERNOTE
This bug is present in the exif_process_IFD_in_MAKERNOTE method of the ext/exif/exif.c file. Detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report : https://bugs.php.net/bug.php?id=77563 PHP version : 7.1.26 CVE-ID : 2019-9638 Impact Uninitialized...
GSA Bounty: Unclaimed Github Repository Takeover on https://www.data.gov/labs
Hello Security Team, I found a Vulnerability in your website where in one of your domains https://www.data.gov/labs there was a Description about Simple API in which two links were pointing to https://simple-api.github.io/api-offices/ but after visiting this URL I got a 404 error where it showed lik...
Nextcloud: [Reflected XSS] In Request URL
In the index.php file on 1765 we can see XSS: " Because NextCloud allows links like: '/index.php/ANYCONTENT' If we make a request like: POST /updater/index.php/h"alert1; HTTP/1.1 Host: vulns.local Content-Type: application/x-www-form-urlencoded Content-Length: 33 updater-secret-input=OURSECRET We wil...
Mail.ru: FLV FILE FORMAT (AUDIOSES.DLL) Out of Bounds
Out-of-bounds read in ICQ desktop on FLV format parsing could lead to application crash...
Zomato: Possible to enumerate Addresses of users using AddressId and guessing the delivery_subzone
Description The title may seem a bit confusing but I will try to make it as simple as possible. Let us dive into it. When we login to zomato.com and click on Order Food, We are redirected to the endpoint like /mumbai/order-food-online?delivery_subzone=10159 where mumbai is the city and 10159 is th...
50m-ctf: $50 million CTF Writeup
Summary: For a brief overview of the challenge you can take a look at the following image: F451370 Below I will detail each step that I took to solve the CTF, moreover all the bad assumptions that led me to a dead end in some cases. Twitter The CTF begins with this tweet: F451371 What is this...
50m-ctf: Weak credentials, Blind SQLi, Timing attack, that leads to web admin access
Summary: Discovery of the application: The h1Thermostat application was discovered by extracting the bit.do URL from the image at https://pbs.twimg.com/media/D0XoThpW0AE2r8S.png:large. The URL https://bit.do/h1therm then led to a Google Drive where the Android application file h1thermostat.apk...
Omise: Failure to Invalidate Session after Password Change
While conducting my research I discovered that the application fails to invalidate sessions after a password change. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords. Steps to Reproduce: ---------------------- Video PoC attached Step By...
Pornhub: CRITICAL ISSUE : Leak of all accounts mail login md5 pass and more
The researcher has found a critical issue on a specific endpoint allowing him to leak usernames and hashed passwords. I reported here a critical issue on a specific endpoint allowing to collect easily all tube8 accounts sensitive information, including email and password. The report could be easi...
HackerOne: Deprecated Hacker101 coursework repository mentions Heroku App that is susceptible to takeover
Hi, I'm sure this repo on GitHub https://github.com/Hacker0x01 belongs to HackerOne, Inc. I've found that your docs on it mention a Heroku app breaker101.herokuapp.com which no longer works and I could take it over via Heroku. Suggested Fix : Remove this app name from your docs or I can remove it...
MariaDB: smtp service vulnerable to POODLE SSLv3
One of our package servers had an old smtpd service linked with openssl 1.0.1i, which uses nondeterministic CBC padding, making it easy for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. The service has been disabled for the internet, as ...
50m-ctf: 0xc0ffee's 50M-CTF Submission
Introduction This CTF was extremely fun and truly original. It covered different kinds of very interesting challenges where completing one challenge led to another one, like some sort of quest with various levels. Thank you Cody and HackerOne for giving 5 hackers the opportunity to go to Vegas,...
Chaturbate: Unrestricted POST request size on /customer_support/information_form/ endpoint
The hacker found that a form on the billing site had a high post size limit that could cause increased load. This was lowered to a reasonable amount. This had no effect on any stored data...
GSA Bounty: SSRF in Search.gov via ?url= parameter
Summary: https://search.usa.gov/helpdocs endpoint is vulnerable to SSRF via url parameter. The parameter is protected but can be bypassed using LF %0A. Steps To Reproduce: 1. Login to Search.gov and click help manual. 2. The following request was vulnerable. - Request GET...
50m-ctf: Several vulnerabilities lead to Remote Code Execution and Arbitrary File Read on multiple servers
Summary: - Tweeted image contained URL https://bit.do/h1therm to download an APK - APK API 35.243.186.41 is vulnerable to SQL Injection on username parameter and leaked location of server 104.196.12.98 through the devices table - Login form on 104.196.12.98 is vulnerable to timing attack on hash...
Mail.ru: touch.mail.ru / e.mail.ru memory content disclosure
Invalid handling of a NUL byte in an API request led to disclosure of an HTTP server memory region. The root cause of this bug is tracked to nginx+openresty. An advisory is below: Insecure implementation of nginx rewrite / OpenResty ngx.req.set_uri + memory content leak in nginx. OpenResty is a Lua engin...
Semmle: All Burp Suite Scan report
Summary: 1. Detected Deserialization RCE: Jackson 1.1. https://lgtm-com.pentesting.semmle.net/blog/ lgtmshortsession cookie 1.2. https://lgtm-com.pentesting.semmle.net/internalapi/v0.2/getSuggestedProjects apiVersion parameter 2. Session token in URL 3. CSP: Inline scripts can be inserted 3.1...
Valve: Unchecked weapon id in WeaponList message parser on client leads to RCE
Let's look at the WeaponList message parser code in the HLSDK: int CHudAmmo::MsgFunc_WeaponList(const char *pszName, int iSize, void *pbuf) { BEGIN_READ( pbuf, iSize ); WEAPON Weapon; strcpy( Weapon.szName, READ_STRING() ); Weapon.iAmmoType = (int)READ_CHAR(); Weapon.iMax1 = READ_BYTE(); if ( Weapon.iMax1 == 255 )...
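The snippet above stops just before the weapon id is read and used as an index into the client's weapon table. The following is an added example, not HLSDK or Valve code, of the same message shape parsed defensively: the id coming off the wire is range-checked before it indexes the table, the name is length-checked instead of strcpy'd into a fixed buffer, and truncated messages are rejected. MAX_WEAPONS, NAME_LEN, the entry layout and the Reader class are assumptions made for the illustration, and the constructed messages in main() are not captures from the game.

```cpp
// Added example, not HLSDK/Valve code: a WeaponList-style parser that checks
// the weapon id before using it as an array index and bounds the name copy.
// Table size, name length and the entry layout are assumptions for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

namespace weaponlist {

constexpr int MAX_WEAPONS = 32;          // assumed size of the client weapon table
constexpr std::size_t NAME_LEN = 16;     // assumed size of WEAPON::szName

struct WEAPON {
    char szName[NAME_LEN];
    int  iAmmoType;
    int  iMax1;
    int  iId;
};

// Bounds-checked reader over a received message; stands in for BEGIN_READ/READ_*.
class Reader {
public:
    Reader(const uint8_t* p, std::size_t n) : p_(p), n_(n) {}
    int readByte() {
        if (pos_ >= n_) { bad_ = true; return 0; }
        return p_[pos_++];
    }
    int readChar() { return static_cast<int8_t>(readByte()); }
    std::string readString() {
        std::string s;
        while (pos_ < n_ && p_[pos_] != 0) s.push_back(static_cast<char>(p_[pos_++]));
        if (pos_ < n_) ++pos_; else bad_ = true;   // no NUL terminator: malformed
        return s;
    }
    bool bad() const { return bad_; }
private:
    const uint8_t* p_;
    std::size_t n_;
    std::size_t pos_ = 0;
    bool bad_ = false;
};

struct WeaponTable {
    WEAPON rgWeapons[MAX_WEAPONS] = {};

    // The shape the report describes: a wire-supplied id indexes the table unchecked.
    // Kept only for contrast; an id >= MAX_WEAPONS writes past the array.
    void addUnchecked(const WEAPON& wp) { rgWeapons[wp.iId] = wp; }

    bool addChecked(const WEAPON& wp) {
        if (wp.iId < 0 || wp.iId >= MAX_WEAPONS) return false;
        rgWeapons[wp.iId] = wp;
        return true;
    }
};

// One entry: name\0, ammo type (char), max1 (byte, 255 means -1), id (char).
// Returns false on truncated input, an overlong name or an out-of-range id.
bool parseWeaponEntry(const uint8_t* buf, std::size_t len, WeaponTable& table) {
    Reader r(buf, len);
    WEAPON w{};
    std::string name = r.readString();
    if (name.size() >= NAME_LEN) return false;      // strcpy here would overflow szName
    std::memcpy(w.szName, name.c_str(), name.size() + 1);
    w.iAmmoType = r.readChar();
    w.iMax1 = r.readByte();
    if (w.iMax1 == 255) w.iMax1 = -1;
    w.iId = r.readChar();
    if (r.bad()) return false;
    return table.addChecked(w);
}

}  // namespace weaponlist

int main() {
    // Constructed messages: a valid entry for slot 3 and one whose id is out of range.
    const std::vector<uint8_t> ok    = {'a', 'k', '4', '7', 0, 1, 255, 3};
    const std::vector<uint8_t> badId = {'x', 0, 1, 5, 100};
    weaponlist::WeaponTable table;
    std::printf("valid entry accepted: %d\n", weaponlist::parseWeaponEntry(ok.data(), ok.size(), table));
    std::printf("id 100 accepted:      %d\n", weaponlist::parseWeaponEntry(badId.data(), badId.size(), table));
    return 0;
}
```

The two checks that matter are the id range test in addChecked and the length test before the name copy; everything the server sends is attacker-controlled from the client's point of view, so both are applied before any write into the fixed-size table.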
Phabricator: Request vulnerable to CSRF
There are 4 instances of this issue: + /dashboard/panel/render/12/ + /dashboard/panel/render/22/ + /dashboard/panel/render/4/ + /dashboard/panel/render/6/ Issue background == Cross-site Request Forgery CSRF is an attack which forces an end user to execute unwanted actions on a web application to...
Phabricator: Issue:Form does not contain an anti-CSRF token
============================= Form does not contain an anti-CSRF token ============================= -------------------------------------------------------------------------------------------------------------------- There are 15 instances of this issue == / /Z1336 /applications/ /auth/start/...
Semmle: CSP : Inline scripts can be inserted
Vulnerable URL:- https://lgtm-com.pentesting.semmle.net/ Summary Content Security Policy CSP is a client-side security model which allows developers to specify where different types of resources should be loaded, executed and embedded from. With CSP you can instruct the browser only to load...
Mail.ru: Open Selenoid instance at 188.93.63.186 leads to LFR/SSRF.
Externally accessible Selenoid instance in Mail.Ru Games network was vulnerable to LFR and SSRF via URI injection...
Zomato: [api.zomato.com] Able to manipulate order amount
@pasw discovered an interesting find where he was able to manipulate the order amount. This was a creative find and we rewarded @pasw with double bounty + promotional bonus of $2,500...
Ubiquiti Inc.: Login as root without password on EdgeSwitchX
In EdgeSwitch X v1.1.0 and prior, an unauthenticated user can use the "local port forwarding" and "dynamic port forwarding" SOCKS proxy functionalities. Remote attackers without credentials can exploit this bug to access local services or forward traffic through the device if SSH is enabled in th...
Razer US: Razer Synapse 3 Chromasdk.io Root CA with Private Key Re-use
The researcher found that a root certificate was preinstalled with the Chroma SDK with an exposed private key. He assisted us in testing a fix. This was integrated into the codebase in May and published at the end of June. We appreciate his assistance working with us on this issue. Razer Synapse 3...
Capital One: Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over th...
Capital One: Apache server-status enabled
Apache /server-status displays information about your Apache status. If you are not using this feature, disable it. GET /server-status HTTP/1.1 Connection: keep-alive Accept: */* Accept-Encoding: gzip,deflate Host: proxy-copp.capitalone.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64...
New Relic: CSRF at acknowledging an incident
Hey team, I have discovered that the incident acknowledge action is made using a GET request, so it is vulnerable to a CSRF attack. Steps to reproduce 1. Sign into the Alerts app as some user having permission to acknowledge the incidents 2. Make sure there is at least one unacknowledged incident 3...
Revive Adserver: Deserialization of Untrusted Data in www/delivery/adxmlrpc.php
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. Impact Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP...
QIWI: DOM XSS triggered in secure support desk
Summary Due to insufficient input sanitization, an attacker can send a crafted WebSocket message that will result in arbitrary code execution in the chat support backend, giving an attacker control to support tickets and client information. Technical details The vulnerability exists in line 2544 ...
50m-ctf: Writeup Hackerone 50M CTF
Writeup Hackerone 50m CTF First stage of this ctf we need to solve a hidden file from an image which was posted by HackerOne on Twitter https://twitter.com/hacker0x01/status/1100543680383832065?lang=en. I tried to run a bunch of steganography tools and I found something with zsteg, the exact command is...
HackerOne: Moving a report to a different program doesn't reassign the Custom Field Values
When a report is moved to a different program, all associated objects are either removed or copied to the new program. During an internal security review of the Custom Fields feature it was observed that this isn't the case for Custom Field Values. This means that even after a report has moved, t...
Semmle: Unprotected Api EndPoints
Summary: I am able to automate the get/post requests of the following api end-points with a Python script, which can lead to heavy load on the server resulting in a dos attack or buffer overflow. /internalapi/v0.2/getSuggestedProjects /internalapi/v0.2/getLanguages /internalapi/v0.2/getLoggedInUser...
Node.js third-party modules: [listening-processes] Command Injection
I would like to report Command Injection in listening-processes It allows an attacker to execute arbitrary commands. Module module name: listening-processes version: 1.2.0 npm page: https://www.npmjs.com/package/listening-processes Module Description A simple NPM module for retrieving pertinent...
Zomato: credentials leakage in public lead to view dev websites
Description: Hello Zomato team : So after I found a new OSINT website ████ which fetches results from the Pastebin website, I searched for "zdev.net" and I got this interesting result ██████████ F443315 I logged in to https://gazal.zdev.net/test.php after I decoded the Base64 Authorisation ███ F443316 I tried...
GitLab: All functions that allow users to specify color code are vulnerable to ReDoS
Summary: Invalid color code leads to DoS. Description: GitLab has some functions that allow users to specify a color code. e.g.: Labels/Broadcast Messages All those functions are vulnerable to ReDoS. It seems that there is a problem with the regex in app/validators/color_validator.rb to validate a...
Monero: Potential use-after-free due to struct array_entry_t lacking an explicit copy constructor
struct array_entry_t in contrib/epee/include/storages/portable_storage_base.h does not implement a copy constructor. Wherever there is code that attempts to copy-construct array_entry_t, the compiler inserts a copy constructor for array_entry_t that merely copies over the values. The struct possesses an...
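As an added illustration, not Monero or epee code, of the copy-constructor problem the report describes: the struct below caches an iterator into its own std::list, which is the member shape assumed here for the report's truncated "possesses an..." sentence. The implicitly generated copy constructor copies the iterator verbatim, so a copy keeps pointing into the source object's list and that iterator dangles once the source is destroyed. The second struct supplies the copy constructor and copy assignment that rebase the cursor onto the copy's own list. The helper cursor_points_into_own_list reports whether an object's cursor addresses one of its own elements, which is well-defined as long as the source object is still alive.

```cpp
// Added example, not Monero/epee code: a struct that caches an iterator into its
// own container. The implicit copy constructor copies the iterator verbatim, so
// the copy's cursor points into the source object's list (assumption: this is the
// kind of member the truncated report sentence refers to).
#include <cstdio>
#include <iterator>
#include <list>

namespace epee_like {

// Bug pattern: no user-declared copy constructor, so a copy's cursor still
// refers to the original's list and dangles once the original is destroyed.
template<class T>
struct array_entry_unsafe {
    std::list<T> m_array;
    mutable typename std::list<T>::const_iterator m_it;

    array_entry_unsafe() : m_it(m_array.end()) {}
    void push(const T& v) { m_array.push_back(v); }
    const T* get_first_val() const { m_it = m_array.begin(); return get_next_val(); }
    const T* get_next_val() const {
        if (m_it == m_array.end()) return nullptr;
        return &*(m_it++);
    }
};

// Fix: explicit copy constructor and copy assignment rebase the cursor onto the
// copy's own list at the same offset (Rule of Three).
template<class T>
struct array_entry_safe {
    std::list<T> m_array;
    mutable typename std::list<T>::const_iterator m_it;

    array_entry_safe() : m_it(m_array.end()) {}
    array_entry_safe(const array_entry_safe& o) : m_array(o.m_array), m_it(m_array.end()) {
        rebase_from(o);
    }
    array_entry_safe& operator=(const array_entry_safe& o) {
        if (this != &o) { m_array = o.m_array; rebase_from(o); }
        return *this;
    }
    void push(const T& v) { m_array.push_back(v); }
    const T* get_first_val() const { m_it = m_array.begin(); return get_next_val(); }
    const T* get_next_val() const {
        if (m_it == m_array.end()) return nullptr;
        return &*(m_it++);
    }
private:
    void rebase_from(const array_entry_safe& o) {
        auto offset = std::distance(o.m_array.cbegin(), o.m_it);
        m_it = std::next(m_array.cbegin(), offset);
    }
};

// Does the cursor address one of this object's own elements? Well-defined while
// the source object is alive; the caller ensures the cursor is not at end().
template<class E>
bool cursor_points_into_own_list(const E& e) {
    const auto* target = &*e.m_it;
    for (const auto& x : e.m_array) if (&x == target) return true;
    return false;
}

}  // namespace epee_like

int main() {
    epee_like::array_entry_unsafe<int> src;
    src.push(1); src.push(2);
    src.get_first_val();                            // cursor now on the second element
    epee_like::array_entry_unsafe<int> bad(src);    // implicit copy: cursor still in src
    epee_like::array_entry_safe<int> src2;
    src2.push(1); src2.push(2);
    src2.get_first_val();
    epee_like::array_entry_safe<int> good(src2);    // explicit copy: cursor rebased
    std::printf("implicit copy, cursor in own list: %d\n", epee_like::cursor_points_into_own_list(bad));
    std::printf("explicit copy, cursor in own list: %d\n", epee_like::cursor_points_into_own_list(good));
    return 0;
}
```

The unsafe copy only looks harmless here because src is still alive; in the report's scenario the source is a temporary or a destroyed element, so the copied iterator points at freed list nodes and the next get_next_val() call is a use-after-free. Declaring the copy operations (or deleting them) is what makes that impossible.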
InnoGames: Unprivileged alliance member is able to recruit new members to his alliance and accept them (xs1.grepolis.com)
Alliances are a very integral part of Grepolis. Attacks are planned and strategies are forged. All of this in secret from the other players. A broken access control allowed any member of the alliance to invite "external" players, even though the alliance invitations were closed/invite-only. This...
Zomato: [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s)
Summary: Get free zomato gold membership using zomato iOS app. Description: add more details about this vulnerability 1 Login to the zomato iOS application. 2 Select zomato gold from the home screen. 3 Depending on your location, you will see different gold pack options. 4 Select any gold pack. 5...
Ubiquiti Inc.: Privilege-0 to Root Privilege Escalation on EdgeSwitch
In EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface bypassing the CLI interface, which allows them to escalate privileges to root...
Internet Bug Bounty: [CVE-2018-18313] regcomp: heap-buffer-overflow read in S_grok_bslash_N
See: https://rt.perl.org/Public/Bug/Display.html?id=133192 CVE ID: CVE-2018-18313 Impact Potential information leak, ex: secret variables or source codes...
Internet Bug Bounty: [CVE-2018-18312] regcomp: heap-buffer-overflow write / reg_node overrun
See: https://rt.perl.org/Public/Bug/Display.html?id=133423 CVE ID: CVE-2018-18312 Impact Potential RCE...
HackerOne: IDOR in Report CSV export discloses the IDs of Custom Field Attributes of Programs
Specifying a report ID of another team when requesting a CSV export leaks the ID of the Custom Field Attribute in the CSV header. Request POST /reports/export HTTP/1.1 Host: localhost:8080 ... ----------868143055 Content-Disposition: form-data; name="reportids" 17 ----------868143055...
Rockstar Games: Image injection /br/games/info may lead to phishing attacks or FB OAuth theft.
In this report, the researcher identified an attack chain that could result in an attacker stealing sensitive user tokens such as Oauth tokens via full URL inclusion in the Referer header. One step of this attack involved an image injection exploit on localized versions of the games/info section ...
Internet Bug Bounty: Uninitialized read in exif_process_IFD_in_TIFF
This bug can be reproduced only in 32 bit PHP builds. This bug is present in the exif_process_IFD_in_TIFF method of the ext/exif/exif.c file. Detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report : https://bugs.php.net/bug.php?id=77509 PHP version ...
PayPal: Bypass for #488147 enables stored XSS on https://paypal.com/signin again
Due to a configuration in frontend, caching servers, it was possible for a researcher to use request smuggling to convert a page request into a cached redirect. If the cached redirect were accessed by a legitimate user, an attacker's content would be rendered instead of the requested page. While...
Node.js third-party modules: [serve] Path Traversal
I would like to report path traversal vulnerability in serve module It allows an attacker to read system files via path traversal vulnerability Module module name: serve version: 10.1.2 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site...
Internet Bug Bounty: Invalid Read on exif_process_SOFn
This bug is present in the exif_scan_thumbnail method of the ext/exif/exif.c file. Detailed description and steps to reproduce for this bug are present in the bug report submitted to php.net. Bug Report : https://bugs.php.net/bug.php?id=77540 PHP version : 7.1.26 CVE-ID : 2019-9640 Impact This bug may allow an...
WordPress: Potential unprivileged Stored XSS through wp_targeted_link_rel
The user description is vulnerable to a Stored XSS via an attribute injection. At fault is the wp_targeted_link_rel filter that parses attributes regardless of their position. function wp_targeted_link_rel( $text ) { // Don't run (more expensive) regex if no links with targets. if ( stripos( $text, 'target' ) !==...