HackerOne: Disclosing a private program in an external link if program is paused
Summary: Hi team Description: If the program is paused, we will not be able to send reports to it, and if we try to open the link https://hackerone.com/externalprogrammpaused/reports/new directly we are returned to the main page https://hackerone.com/externalprogrammpaused Ste...
8x8: [CRITICAL] Remote code execution on http://axa.dxi.eu
The application allowed the upload of a file with a PHP extension that, when loaded on the server, would evaluate the embedded PHP source...
Mail.ru: build.sh found on webagent.mail.ru
The source code of the build script for the web application was available for download. It could leak some non-sensitive information about internal build processes and configurations...
8x8: Stored XSS agent_status
The functionality to set a user's status within the ContactNow application did not perform sufficient encoding when the status was displayed to other users of a given organization...
8x8: Bypass Email activation on http://axa.dxi.eu
The account activation link utilized by the ContactNow application relied on a token in the existing session for validation. Knowing this token, it was possible to bypass the activation step...
Chaturbate: Unrestricted POST request size on roomlogin endpoint
POST requests to the endpoint /roomlogin/ are not limited in size. While the main website login endpoint correctly limits the size of the request, this endpoint does not. This can be a means to perform a DoS attack. Steps To Reproduce: 1. has a password-protected stream. 2. Send a large POST request to...
8x8: Post based XSS (Cross site scripting) on https://apimgr.8x8.com
The legacy API endpoint utilized an outdated version of WSO2 Data Analytics Server that contained a known XSS vulnerability...
Chaturbate: No rate limiting in starting up a bot.
Hi security team, I was able to start up a bot numerous times. 1. Go to https://chaturbate.com/b/username 2. Choose a bot and capture the request. 3. Send it to Intruder and repeat the step numerous times. 4. I did this 196 times. 5. I was able to activate a bot numerous times. 6. My room was flooded wit...
Chaturbate: No rate limiting in changing room subject.
Before I shed more light on this: I noticed I can create over 200 apps, but I don't really know how valid that was. I want to report that there is no rate limiting on changing the room subject. Attacker scenario: 1. Navigate to https://chaturbate.com/b/your username 2. Try to create a room subject and...
Cloudflare: DOM XSS on 1.1.1.1(one.one.one.one)
After discussion with Cloudflare on Twitter I'm reporting this here. There is a DOM XSS on the 1.1.1.1 or one.one.one.one site; it seems like the sink is XMLHR.open (taint) and the source is location.search. The PoC URLs are: https://1.1.1.1/?ApiLocation=//localdomain.pw...
Shopify: H1514 Lack of access control on edit packing slip template
Summary: An admin is able to edit the Edit packing slip template at /admin/settings/packingsliptemplate. However, a staff user with only "Home" permission and none other can view and also make edits to this template. Description: The Edit packing slip feature exists so an admin user can customize...
Monero: Locked_Transfer functional burning
Summary: Using the locked_transfer command in monero-wallet-cli, users can send outputs with high lock times like 1,000,000 blocks. A vendor will accept these transactions with no warnings and credit a user balance. The user can now withdraw or sell this balance and the vendor is left with...
Chaturbate: Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com
Summary Hi, I was able to discover a number of instances on chatws25.stream.highwebmedia.com where the application accepts an arbitrarily supplied origin. The application implements an HTML5 cross-origin...
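The class of bug described in the report above is an origin check that reflects whatever `Origin` header it is sent. The following is an added example, not code from the report or from the site, that classifies a CORS response against the origin that requested it and contrasts three constructed server behaviours: reflection, a prefix check (a common flawed fix), and an exact-match allowlist. The allowlist contents and the probe origins are assumptions chosen for illustration.

```python
# Constructed allowlist for the example; exact-match only, no prefix/suffix logic.
TRUSTED_ORIGINS = {"https://chaturbate.com", "https://www.chaturbate.com"}


def cors_finding(request_origin, response_headers):
    """Return a finding label for a CORS response, or None if it is acceptable.

    request_origin:   the Origin value the probe sent.
    response_headers: dict of response headers (case-insensitive lookup).
    """
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    with_creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Browsers refuse credentialed responses under '*', so a bare wildcard
        # only exposes data that was already public.
        return "wildcard"
    if acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        base = "null-origin-reflected" if request_origin == "null" else "arbitrary-origin-reflected"
        return base + "+credentials" if with_creds else base
    return None


def reflecting_server(origin):
    """Constructed stand-in for the misconfiguration: echoes any Origin with credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def naive_server(origin):
    """Constructed flawed fix: a prefix check still admits chaturbate.com.attacker.example."""
    if origin.startswith("https://chaturbate.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def hardened_server(origin):
    """Exact-match allowlist; unknown origins receive no CORS headers at all."""
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # keep caches from serving one origin's answer to another
    return {}


# Probe set a tester would send: a trusted origin, an unrelated one, a
# suffix-confusion origin, and the literal "null" origin (sandboxed iframes, file://).
PROBE_ORIGINS = [
    "https://chaturbate.com",
    "https://attacker.example",
    "https://chaturbate.com.attacker.example",
    "null",
]


def probe(server):
    """Run every probe origin through a server function and collect findings."""
    return {origin: cors_finding(origin, server(origin)) for origin in PROBE_ORIGINS}


if __name__ == "__main__":
    for name, server in (("reflecting", reflecting_server),
                         ("naive", naive_server),
                         ("hardened", hardened_server)):
        print(name, probe(server))
```

The same `cors_finding` routine can be pointed at live responses by replacing the constructed server functions with an HTTP client that sends each probe origin and returns the response headers; the `Vary: Origin` header on the hardened variant matters whenever a cache sits in front of the service.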
HackerOne: Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session
Hi Team, Summary: I have found an Insufficient Session Expiration on implementation of the new Revoke user session feature of HackerOne here: https://hackerone.com/settings/sessions Description: The new REVOKE session feature will destroy the session of the selected device, that means any request...
Starbucks: Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication.
radoooz discovered that a small number of SMB servers in Thailand that hosted CCTV footage and images were accessible without requiring authentication. @radoooz — thank you for reporting this vulnerability and confirming the resolution...
Shopify: Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance.
Hi, I am reporting this because it looks like an authorization bug in GraphQL. A staff member having no explicit permissions on a Shopify Store may be able to retrieve the current balances in all currencies for the account for Shopify Payments. Steps 1. STAFF account is created and assigned NO...
Shopify: H1514 Removed Staff members who had "Apps" permission can still modify flow app connections
Summary: It's been found that removed staff members who had "Apps" permission can still modify flow app connection settings due to improper authorization. Description: Flow app https://apps.shopify.com/flow allows users to connect their Google Sheets, Trello and Asana accounts to their flow...
Shopify: H1514 CSRF in Domain transfer allows adding your domain to other user's account
Summary: Shopify allows users to buy their own domain from the Shopify system. One of the facilities of this is that if you buy the domain through Shopify, you can do inter-store transfers. This means: You can only transfer your domain to a Shopify store owned by you. It can take up to 24 hours ...
Pornhub: Single User DOS by Poisoning Cookie via Get Parameter
The researcher was able to exploit a cookie poisoning attack against other users by sending malicious links to the victims; as a result, the victims were no longer able to access www.pornhubpremium.com...
Chaturbate: Missing Rate Limitation at /apps/upload_app/
Summary I discovered that one is able to create an unlimited number of apps via /apps/upload_app/. PS: I feel this is within the scope of your program and you want to know about it. If otherwise, I'll be happy to close this. Steps To Reproduce: 1. Login and go to https://chaturbate.com/apps/uploadap...
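The three Chaturbate reports above (starting a bot, changing the room subject, uploading apps) all describe the same missing control: an authenticated action that can be repeated without limit. The following is an added example, not code from the reports or from the site, of a per-user, per-action sliding-window limiter with an injectable clock, replayed against a constructed burst that mirrors the "196 times" scenario. The action names and limits are assumptions for illustration, not the site's actual values.

```python
import time
from collections import defaultdict, deque

# Hypothetical per-action limits: (max requests, window in seconds). The action
# names mirror the reported endpoints; the numbers are illustrative only.
LIMITS = {
    "start_bot": (5, 60),
    "change_room_subject": (10, 60),
    "upload_app": (20, 3600),
}


class SlidingWindowLimiter:
    """Sliding-window limiter keyed by (user, action).

    Keeps the timestamps of accepted hits per key; a request is refused once the
    window already holds max_requests of them. Refused requests are not recorded,
    so a flood cannot extend its own lockout.
    """

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, user, action):
        max_requests, window = self.limits[action]
        now = self.clock()
        hits = self._hits[(user, action)]
        # Evict hits that have aged out of the window.
        while hits and now - hits[0] >= window:
            hits.popleft()
        if len(hits) >= max_requests:
            return False
        hits.append(now)
        return True


class FakeClock:
    """Manually advanced clock so the behaviour can be demonstrated without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def replay(limiter, clock, requests):
    """Replay (timestamp, user, action) tuples, sorted by time, through the limiter.

    Returns (allowed, blocked) counts. The tuples stand in for a request log.
    """
    allowed = blocked = 0
    for ts, user, action in requests:
        clock.t = ts
        if limiter.allow(user, action):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def burst(user, action, count, interval):
    """Constructed request log: one user repeating an action every `interval` seconds."""
    return [(i * interval, user, action) for i in range(count)]


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(LIMITS, clock=clock.now)
    # 196 bot-start requests over roughly ten seconds from a single user.
    print(replay(limiter, clock, burst("attacker", "start_bot", 196, 0.05)))
```

Per-user keys mean the flood does not affect other users of the same endpoint; a deployment would also want an IP-keyed limiter for unauthenticated routes and would back the deque with a shared store when more than one application server handles the same user.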
Chaturbate: CSRF on change video thumbnail at https://chaturbate.com
Hi, I noticed the change video thumbnail option uses a GET request in its workflow and lacks a CSRF token, so if an attacker is somehow able to obtain the thumbnailid of the victim's video, it can help the attacker induce the victim to change the video thumbnail...
Chaturbate: A 10GB file is reachable
Summary A 10GB file is accessible on the following server: http://edge193.stream.highwebmedia.com:8080/. Steps To Reproduce: 1. Open the following link: http://edge193.stream.highwebmedia.com:8080/download Additional notes: I tried to download the file and analyze it, but after 20 seconds the...
Monero: DoS for remote nodes using Slow Loris attack
Summary: Using the slow loris attack it's possible to make the daemon unresponsive to all RPC requests without at least a restart. Description: I used this node.js application https://www.npmjs.com/package/sloww to perform the attack on one of my remote nodes, but any other implementation of...
Shopify: subdomain Takeover at blog.exchangemarketplace.com
Hi, I believe that exchangemarketplace.com belongs to Shopify. It was vulnerable to subdomain takeover, so I took it over to my Shopify store. PoC: go to blog.exchangemarketplace.com. Suggested fix: clear your subdomain DNS. Impact: Subdomain Takeover...
h1-5411-CTF: MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more
Hi there dear CTF staff! First of all a huge thank you for the great challenge you put up! I've found it super exciting and the learning curve has been steep. For this case, I was first wondering if this is a part of the actual CTF, but after some inspecting, it surely doesn't seem so! I did even...
Brave Software: Field Day With Protocol Handlers
Summary ===================== When launching a protocol such as mailto:, SEARCH:, or bitcoin:, Brave only asks whether to allow the protocol to be opened by an external application. You can select whether or not to remember the decision, and whether to allow or deny it. The issue is that upon selecting...
h1-5411-CTF: H1-5411 CTF Writeup
So, HackerOne posted a tweet about the Meme CTF where a barcode was in the tweet image; by scanning it and decoding from hex I found this link: https://h1-5411.h1ctf.com/ where we can create/generate memes, and for generating the meme a form from GitHub was used, which I found in source code analysis...
Brave Software: chrome://brave navigation from web
Summary: It's possible to navigate to the infamous 'chrome://brave' and all other privileged page from web, requiring only a single click. This is possible by opening popups with the 'noopener' attribute. Products affected: Brave: 0.24.0 V8: 6.9.427.23 rev: f657f15bf7e0e0c50a2b854c6b05edb59bfc556...
h1-5411-CTF: Remote Command Execution in an internal server to get the flag file
Summary: After source code disclosure using an LFI vulnerability and using PHP object injection with XXE, I was able to find an internal service on port 1337. Using the SSRF through XXE I sent an HTTP request to this internal service and discovered a Python object injection using the status parameter,...
Shopify: PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard
Hi, I'm not too sure if this is intentional and an expected feature or whether it is really an unnecessary information disclosure. If this is intentional, kindly close this as Informative or allow me to self-close so as not to affect my signal. From my perspective, I noticed 2 issues, PART 1: Using Partners...
h1-5411-CTF: RCE via Local File Read -> php unserialization-> XXE -> unpickling
Summary: It was possible to escalate to Remote Code Execution via different bugs such as local file read, PHP object injection, XML External Entity and un-pickling of a Python serialized object. Description: Using local file read it was discovered that the PHP code was vulnerable to PHP object...
Shopify: Stored xss
Description: The WAF cuts HTML tags, but when put before tags we can bypass it: . Steps to reproduce: 1. Open your store account 2. Navigate to https://xxx.myshopify.com/admin/settings/general 3. Put your street address XSS payload xss" 4. Go to https://xxx.myshopify.com/admin/dashboards/live 5. XSS ale...
Chaturbate: Chaturbate "/chat_ignore_list/" endpoint does not check for Account status: Disabled before adding Ignore via POST
Summary Chaturbate.com provides the ability for its users, when in chat, to ignore other users in chat rooms via DM etc. by adding their camhandle name to the ignore list via HUI. Actually this is just a POST to /chat_ignore_list/ taking as a parameter the username, which is the camhandle name, in order to a...
Miniclip: xss in miniclip.com
I know this is out of scope but I thought maybe you would like to know about it. video attached Impact Steal session cookies, install keylogger etc etc...
Chaturbate: Missing CSRF Protection in /stats EndPoint.
The endpoint /affiliates/stats does not verify the CSRF tokens. Steps To Reproduce: 1. Login with your account 2. Navigate to the URL https://chaturbate.com/affiliates/stats 3. Check the stats; by default it's today's date or this week in "select period". 4. Intercept the request and change the...
Node.js: Pull Request #12949 - Security Implications without CVE assignment
Summary: Pull Request 12949 has security implications but it was not assigned a CVE by the Node team. It is being reported by Qualys as a 6.8 severity issue without a CVE. Description: Here is the commit and pull request - https://github.com/nodejs/node/commit/010f864426...
h1-5411-CTF: CTF Writeup flag{cha1n1ng_bugs_f0r_fun_4nd_pr0f1t?_or_rep0rt_an_LF1}
We have attached the writeup, the CTF was solved by me and Chapuka. We would like to publish our writeup for the CTF in our blog, when can we do that? It was a great CTF, it's a shame we are not @Buenos Aires right now :/ Impact...
Slack: Linux Desktop application slack executable does not use pie / no ASLR
The slack binary from the Linux desktop application is not a position-independent executable: $ file usr/lib/slack/slack usr/lib/slack/slack: ELF 64-bit LSB executable, x86-64, version 1 SYSV, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped PIE executables...
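The `file` output quoted above says "LSB executable" rather than "LSB pie executable": the distinction is the ELF `e_type` field (ET_EXEC versus ET_DYN), and a PIE is an ET_DYN object that also carries a PT_INTERP program header, which is what separates it from a plain shared library. The following is an added example, not code from the report or from Slack, that reads those fields from an ELF header and classifies the file; the builder that fabricates minimal ELF images exists only so the example runs offline on constructed input rather than on a real binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3       # e_type values
PT_LOAD, PT_INTERP = 1, 3    # p_type values


def _header_fields(data):
    """Return (endian prefix, e_type, e_phoff, e_phentsize, e_phnum) from an ELF header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                        # ELFCLASS64
        fmt = end + "HHIQQQIHHH"             # e_type .. e_phnum, offsets 16..57
    elif ei_class == 1:                      # ELFCLASS32
        fmt = end + "HHIIIIIHHH"             # e_type .. e_phnum, offsets 16..45
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    f = struct.unpack_from(fmt, data, 16)
    return end, f[0], f[4], f[8], f[9]


def classify_elf(data):
    """Classify ELF bytes as EXEC (no ASLR for the image), PIE, SHARED or OTHER."""
    end, e_type, phoff, phentsize, phnum = _header_fields(data)
    if e_type == ET_EXEC:
        return "EXEC"
    if e_type != ET_DYN:
        return "OTHER"
    # p_type is the first 32-bit word of every program header in both classes.
    for i in range(phnum):
        (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return "PIE"
    return "SHARED"


def classify_file(path):
    """Classify an ELF file on disk, e.g. classify_file('/usr/lib/slack/slack')."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_elf64(e_type, p_types):
    """Constructed minimal little-endian ELF64 image: header plus bare program headers.

    Only the fields classify_elf reads are meaningful; everything else is zero.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    phoff = 64  # program headers follow the 64-byte ELF header directly
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0x1000,   # e_type, e_machine (x86-64), e_version, e_entry
        phoff, 0, 0,               # e_phoff, e_shoff, e_flags
        64, 56, len(p_types),      # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                  # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


if __name__ == "__main__":
    print("non-PIE executable:", classify_elf(build_elf64(ET_EXEC, [PT_LOAD])))
    print("PIE executable:    ", classify_elf(build_elf64(ET_DYN, [PT_INTERP, PT_LOAD])))
    print("shared library:    ", classify_elf(build_elf64(ET_DYN, [PT_LOAD])))
```

On a real system `readelf -h` reports the same `Type:` field (EXEC versus DYN) and `readelf -l` the PT_INTERP entry, so the classification above can be cross-checked against those tools on any binary you are auditing.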
Brave Software: RCE: DnDing shortcut files to chrome://brave allows loading HTML files in Muon's context
Summary: \395737 has shown that Brave supports chrome://brave/ URLs. The Brave team introduced a patch which blocks navigation to chrome://brave and removed chrome.remote.require to prevent command execution on the machine. Navigation to chrome://brave via shortcut files From my understanding: 1...
GitLab: [Admin Panel] CSRF to resume/pause runner
Hi, Just found a CSRF in admin panel of gitlab instance to pause/resume runner. Steps to reproduce - http://gitlabinstance/admin/runners/:runnerid/resume - http://gitlabinstance/admin/runners/:runnerid/pause Video: ███████ password: ██████████ Impact Just found a CSRF in admin panel of gitlab...
h1-5411-CTF: h1-5411-CTF report: LFI / Deserialization / XXE vulnerability,
Summary: h1-5411-ctf write-up The CTF...
h1-5411-CTF: Solution for h15411's CTF challenge
Baby steps Earlier today a friend tipped me off about an ongoing CTF challenge that was being run by HackerOne and would get the first ten winners a ticket to participate in h15411, which will be a live-hacking event happening in Buenos Aires. This immediately caught my attention and I decided to...
h1-5411-CTF: Flag WriteUp
Hello everyone , here is my writeup : Intro First I decoded the QR Code of the tweet , decoding to Here you go: 68747470733a2f2f68312d353431312e68316374662e636f6d . Decoding the hex value we get the challenge URL : https://h1-5411.h1ctf.com Path traversal + local file read On the website I found...
Brave Software: chrome://brave can still be navigated to, leading to RCE
Summary: 'chrome://brave' can be navigated to using the middle mouse click or normal click with CTRL held IFF coming from a bookmark. I am also using a small bug to actually trick a user into bookmarking our crafted URL through drag and drop. Products affected: Brave: 0.24.0 V8: 6.9.427.23 rev:...
QIWI: [*.rocketbank.ru] Web Cache Deception & XSS
Almost all .rocketbank.ru sites based on readymag.rocketbank.ru are vulnerable to Web Cache Deception and XSS. Example request: http GET /?xx HTTP/1.1 Host: wknd.rocketbank.ru X-Forwarded-Host: cacheattack'"alertdocument.domain HTTP response: html alertdocument.domain/friends/" alertdocument.domain...
Upserve : Reflected xss on theacademy.upserve.com
Vulnerability: Reflected XSS in https://theacademy.upserve.com. STEPS TO REPRODUCE 1. Go to https://theacademy.upserve.com/playlists/all-videos/. 2. Click on any video to watch from the playlist and capture the request in Burp. 3. You have to capture the request to...
h1-5411-CTF: H1-5411 CTF Write-up by erbbysam and ziot
@erbbysam and I recently set out to beat the latest CTF challenge hosted by HackerOne. Here is a write-up with the process we took from start to finish. The h1-5411 CTF begins with a tweet from HackerOne: https://twitter.com/Hacker0x01/status/1044974142150373378 F351665 This leads to a website...
h1-5411-CTF: flag{cha1n1ng_bugs_f0r_fun_4nd_pr0f1t?_or_rep0rt_an_LF1}
Got the flag: flag{cha1n1ng_bugs_f0r_fun_4nd_pr0f1t?_or_rep0rt_an_LF1} Will submit the writeup as soon as I finalize it. Impact -...
PayPal: IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users
PayPal Business Accounts allow account owners to create multiple secondary users with specific privileges assigned to their employees. This submission identified a method that made it possible for a Business Account owner to assign secondary users from other accounts. The new secondary user would...
New Relic: WordPress username enumeration (/author)
@rootbakar identified a previously-reported issue where authors could be viewed from an endpoint within our WordPress blog. As authors are intended to be public, this was closed as not having any security impact to the blog...