Boozt Fashion AB: Bruteforce Unlimited number of password attempts
Hi team, This is my first ever report. So, thank you for your patience! URL: https://www.boozt.com/login Browser: Mozilla Firefox 55.0.2 64-bit on Ubuntu Tool: Burp Intruder Boozt account created for testing purposes only. I noticed that on your login page, an attacker can brute force a login...
Aspen: client_secret Token disclosure
Greetings, I think I've discovered a client_secret token disclosure. Proof of concept: 1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html 2. At line 6, a client_secret token is disclosed...
██████: Remote Code Execution on Proxy Service (as root)
The proxy service used to provide researchers with access to certain programs on ██████ allows access to AWS's Metadata API. This Metadata API in turn is configured to expose temporary AWS access credentials for the AWS EC2 Run Command role. When this role is assumed by an AWS client e.g. the CLI...
Aspen: No Rate Limit (Leads to huge email flooding/email bombing)
Dear sir, First, I want to say that this sensitive action definitely should be set with a rate limit. Note: This is about huge bombing/brute force on any endpoints. Vulnerability: No rate limit has been set for generating account confirmation emails for accounts on the above selected domain, which I...
Unikrn: CSRF in Raffles Ticket Purchasing
Description: ======== An API endpoint gets executed with no CSRF prevention; the endpoint did not verify the sessionid required in the POST form. An attacker can craft a malicious form PoC, which is executed by an authenticated user's action, leading to huge balance loss. PoC: === Recommendations:...
Slack: Unauthenticated LFI revealing log information
@juji found a bug which allowed the disclosure of local files on certain servers - this included PHP files and logs. We performed a thorough investigation to ensure that this issue was not exploited, and as a precaution revoked tokens which were inadvertently logged. Thanks @juji! Write-up...
Bitwarden: Organization Admin Privilege Escalation To Owner
Summary It seems there is an issue with your roles which allows an admin to escalate his own privileges to owner and takeover the organization. Reproduce 1. Create an account, accountA 2. Create another account, accountB 3. Create an organization under accountA and invite accountB to that...
U.S. Dept Of Defense: SQL injections
Summary: An email is not well handled and leads to SQL injection. Description: This request POST /FileTransfer/Upload HTTP/1.1 Host: www.███████ The parameter from is injectable and leads to valid SQL injection. Impact I didn't go all out and get a shell but, an attacker could extract db...
Internet Bug Bounty: Perl $ENV Key Stack Buffer Overflow
The CPerlHost::Add method in win32\perlhost.h is vulnerable to a stack buffer overflow. void CPerlHost::Add(LPCSTR lpStr) { char szBuffer[1024]; LPSTR lpPtr; int index, length = strlen(lpStr)+1; for(index = 0; lpStr[index] != '\0' && lpStr[index] != '='; ++index) szBuffer[index] = lpStr[index]; szBuffer[index] = '\0...
Aspen: Cross-origin resource sharing (CORS)
Cross-origin resource sharing CORS is a mechanism that allows restricted resources e.g. fonts on a web page to be requested from another domain outside the domain from which the resource originated. The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returni...
Aspen: Server Path Disclosure
Hi Sir, I'm Mahesh, individual web security researcher. I found server path disclosure in flask.io http://flask.aspen.io/en/latest/ http://flask.aspen.io/en/latest/index.html I found another path disclosure in django.io http://django.aspen.io/en/latest/ http://django.aspen.io/en/latest/index.html...
Razer US: DOM XSS and Open Redirect on the themes.razerzone.com
We appreciate the report and look forward to working with sp1d3rs in the future. I discovered the Open Redirect on the https://themes.razerzone.com/developers/signin endpoint. The root cause of the redirect was the insecure changing of window.location without validation - the original URL paramet...
Aspen: aspen | clickjacking
Hi Team, Found a clickjacking vulnerability on the domain "aspen.io". Please refer to the attached screenshot below as PoC. Clickjack test page Website is vulnerable to clickjacking! 2. Save it as .html, e.g. cj.html 3. Just open that in a browser Issue Details: Clickjacking User Interface...
Aspen: Password reset token leak on third party website via Referer header
Hi Security Team, Description It has been identified that the application is leaking the referrer token to third party sites. In this case it was found that the password reset token is being leaked to third party sites, which is an issue knowing the fact that it can allow any malicious users to use the...
Bitwarden: Mailgun misconfiguration on email.bitwarden.com
Hi, While checking the subdomains I found that the subdomain email.bitwarden.com, upon navigating, downloads a file saying "Mailgun Magnificent API" and has the following DNS info DNS Records for email.bitwarden.com Hostname Type TTL Priority Content email.bitwarden.com SOA 899 ns-586.awsdns-09.net...
Bitwarden: Export vault feature is vulnerable to CSV injection
Hello guys, I don't know if you care about this issue but it seems that the export feature in your https://vault.bitwarden.com//tools is vulnerable to CSV injection. If a CSV contains a malicious command it may have a big impact. Even though there is a popup notification for users before opening the...
Brave Software: Download of (later executed) .NET installer over insecure channel
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: Execution of file NDP-KB2901954-Web.exe fetched via...
Brave Software: Arbitrary local code execution via DLL hijacking from executable installer
NOTE! Thanks for submitting a report! Please fill all sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty. Summary: The executable installer BraveSetup-ia32.exe is vulnerable to DLL hijacking: it...
Razer US: Reflected XSS in deals.razerzone.com via the interesting parameter.
Summary --- deals.razerzone.com is vulnerable to Reflected XSS via the interesting parameter. Affected Code --- html var ThisPageOn = "recommended", pageNum = 2, isLoading = false, delIntresItem = 0, delNotIntresItem = 0, delOwnedItem = 0, intres = -1 abba alert1 ; var ownedLang = "OWNED",...
Razer US: Reflected XSS on the https://deals.razerzone.com/json/translation endpoint
Thanks to SP1D3RS for the great report and working with the team on this one. This was a trivial POST-XSS, caused by using text/html Content-Type on the JSON endpoint, and ability to control the part of the response using unsanitized input. Why I disclosed it if this is a trivial issue? I pretty...
Internet Bug Bounty: Integer overflow in eval triggers out-of-bounds write
Hi security team, I reported some samples that triggered a crash in the eval function in perl. The bug comes about because the variables start and items used type I32, which takes half the range of line_t and folds it into negative numbers, leading to trying to store the lines at negative indexes...
GSA Bounty: SSRF/XSPA in labs.data.gov/dashboard/validate
Hi. This vulnerability allows access to all ports locally, which are not visible from the web. 1. We need an interim site file index.php 2. Next we write in index.php 3. Next go to https://labs.data.gov/dashboard/validate and write the url - for example http://example/index.php If the port is open...
Dropbox: Android - Access of some not exported content providers
The report indicates a flaw in our Android application that would allow a malicious app to gain read/write access to some cached files provided the attacker knows the name of the files and other minor pieces of information. The vulnerability was caused by not validating the package name of an...
Rockstar Games: Client-side Template Injection in Search, user email/token leak and maybe sandbox escape
In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves and on its own, this is known behavior. However...
Legal Robot: Improper Implementation of Password strength checker
Hi, I have seen an improper implementation of the password strength checker for the registration and login page. Once it suggests a complex password, one can alter the password but the complexity remains the same. It's usually related to Ajax or auto-reload implementation. PoC ------------------------------------...
MapsMarker.com e.U.: facebook button URL should be HTTPS
Hi team. I clicked the Facebook button on https://www.mapsmarker.com/; outgoing links do not use HTTPS. Please fix soon. This is just for the awareness to use HTTPS everywhere, even for outgoing links - where it's possible. Treat this report with some salt, not as in hashes. POC screenshot...
New Relic: Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts
@jonbottarini discovered an issue where names associated with arbitrary existing email addresses can be revealed in the Alerts Notification Channel UI. As with similar previously-reported issues, this was resolved by obfuscating that information before it's presented...
Shopify: Stored XSS in partners dashboard
Hello, Stored XSS and UI redressing on https://partners.shopify.com/partnerID/confirm. PoC: 1. Change your First Name and Last Name with an XSS payload on https://accounts.shopify.com/account 2. Create an account on https://partners.shopify.com/ or if you have an account on...
Rockstar Games: Leak IP internal
The researcher found an old marketing web application for one of our previous titles that was not properly decommissioned. As a result, an internal IP address and a set of DB credentials were being exposed. Fortunately, the database in question had already been decommissioned so the credentials...
Instacart: Bruteforcing password reset tokens, could lead to account takeover
Hey Instacart security team, Description When resetting a new password on https://shoppers.instacart.com/password you will receive an email with a reset link. When clicking on this link, you go to this page: https://shoppers.instacart.com/password/edit?resetpasswordtoken=YourToken When entering a...
HackerOne: Banned researcher gets email updates on a private program.
Hi Team, I found out that after getting banned from the program, I'm still getting email updates about the private program, e.g. access to a beta product, new scope changes etc. Those private messages can contain some important data that the program doesn't want to share with the banned researcher, for ex...
Zomato: Admin Access to a domain used for development and admin access to internal dashboards on that domain
@prateek0490 was able to find our development server without any authentication, which leads to leaking user data and some internal dashboards...
New Relic: NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure)
@jonbottarini identified an issue with an API used to populate the UI across different products. This API wasn't properly validating the account ID for certain requests, returning information for any ID presented. I wrote up a quick overview about this issue here:...
Zomato: Potential server misconfiguration leads to disclosure of vendor/ directory
Hi, Apologies for the weakness label, it was the closest I could find for what appears to be a server misconfiguration. Typically, in MVC frameworks like Slim which I see you are using here, Symfony, Laravel, etc., the front controller is the only thing exposed, leaving vendor/, logs/, and others...
Avito: [avito.ru] Payment provider credentials are leaking
Credentials for external systems were being leaked in the source code of a page on the site...
Avito: [avito.ru] ImageMagick uninitialized image palette
Hi! When submitting a listing you can upload photos. They are processed by a vulnerable version of ImageMagick. For exploitation we run https://github.com/neex/gifoeb and generate a payload. r=640x480 mkdir -p forupload && for i in seq 1 10; do ./gifoeb gen $r forupload/$i.gif; done We upload our...
Internet Bug Bounty: Format string implementation vulnerability, resulting in code execution
In a security audit of the sprintf implementation in perl version 5.24.1 I found a major security vulnerability; here are the full details. Timeline: ====== 6th of May, 2017 - disclosure to the PERL security mailing list 8th of May, 2017 - vulnerability confirmed by PERL's security group, found...
HackerOne: Homograph fix Bypass
Hello Hackerone! I have possibly found a way to bypass your current Homograph Attack Fix. Let's look at two HACKERONE redirect URLs: CASE 1: https://hackerone.com/redirect?signature=829727b4188c43dcf394fd841fd19a8b7f391bd1&url=https%3A%2F%2Fwww.yelp.com%2F Got the above link generated by posting...
Nextcloud: NextCloud is also accepting OCTET-STREAM type of documents instead of jpg or image files only
Summary: I noticed that NextCloud is accepting OCTET-STREAM type files where you have the Background/Logo upload option. I believe that NextCloud is checking for such types of files, but I can upload application/octet-stream type documents by crafting a special type of file. In this case I created...
Zomato: SSRF in https://www.zomato.com████ allows reading local files and website source code
@nbsp found an SSRF vulnerability which leads to reading local files from the web server (source code & system files). We have resolved the issue quickly and rewarded the researcher...
Lyst: Bypassing one-time checkout router page (revealing payment information)
Description: ======== When a user submits for a checkout, the checkout router page /checkout-router/ID/ is accessible only once, which can be bypassed by crafting the checkout ID in the cookie basketkey sent to the page /new/checkout/order/. Combining this with a brute-force attack, if the ID is valid a resul...
Automattic: [app.simplenote.com] Stored XSS via Markdown SVG filter bypass
Hi, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript in the app.simplenote.com context. Proof of concept Before proceeding to reproduce this vulnerability, please log in to app.simplenote.com and create a new note with...
GitLab: [Markdown] Stored XSS via character encoding parser bypass
Hi @briann and team, A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary...
HackerOne: resolved bugs in a program are public despite the program settings
Summary: when navigating to https://hackerone.com/YOURPROGRAMHANDLE/displayoptions and unchecking the Reports resolved checkbox, the resolved bugs number won't be public on the program page, but going to https://hackerone.com/directory?query=YOURPROGRAMHANDLE , the number of resolved bugs will...
Shopify: Shopify admin authentication bypass using partners.shopify.com
@uzsunny reported that by creating two partner accounts sharing the same business email, it was possible to be granted "collaborator" access to any store without any merchant interaction. We tracked down the bug to incorrect logic in a piece of code that was meant to automatically convert an...
Informatica: [marketplace.informatica.com] - Sensitive Data Exposure
The researcher has identified and reported a Sensitive Data Exposure vulnerability in one of Informatica's domains, and helped us in resolving the issue...
Legal Robot: Clickjacking in Legalrobot app
Dear Team, POC Please find attached screenshots Steps to reproduce: create an index.html file with the following content: Open index.html in a browser Actual result: Legalrobot email verification page is viewed in an iframe. Remediation: The frame busting technique is the better framing protection technique...
Razer US: Reflected XSS in razer-id.razerzone.com
The researcher discovered a reflective XSS that allowed the injection of a javascript scheme into a URL on the razer-id server. This was reported on 9/21 and the fix deployed to production on 10/19...
VK.com: Learning the name and avatar of a private group via the application ID.
Viewing the name and avatar of a private group. Displaying the name of a private group and its avatar thumbnail...
RubyGems: Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations
The RubyGems installer attempts to prevent a gem from writing any files outside the install directory; however, it is possible to bypass the check with a symbolic link in a crafted gem. Example structure of malicio...