
Web Vulnerabilities WriteUps

Cross Site Scripting (XSS)

  1. From P5 to P2 to 100 BXSS
  2. Google Acquisition XSS (Apigee)
  3. DOM-Based XSS at accounts.google.com by Google Voice Extension
  4. XSS on Microsoft.com via AngularJS template injection
  5. Researching Polymorphic Images for XSS on Google Scholar
  6. Netflix Party Simple XSS
  7. Stored XSS in Google Nest
  8. Self XSS to persistent XSS on login portal
  9. Universal XSS affecting Firefox
  10. XSS WAF character limitation bypass like a boss
  11. Self XSS to Account Takeover
  12. Reflected XSS on Microsoft subdomains
  13. The tricky XSS
  14. Reflected XSS in AT&T
  15. XSS on Google using Acunetix
  16. Exploiting WebSocket: application-wide XSS
  17. Reflected XSS with HTTP smuggling
  18. XSS on Facebook's Instagram CDN server bypassing signature protection
  19. XSS on Facebook's acquisition Oculus
  20. XSS on Sony subdomain
  21. Exploiting Self XSS
  22. Effortlessly finding Cross Site Script Inclusion (XSSI)
  23. Bug bounty: a DOM XSS
  24. Blind XSS: a mind game
  25. Firefox iOS QR code reader XSS (CVE-2019-17003)
  26. HTML injection to XSS
  27. CVE-2020-13487: Authenticated Stored Cross-site Scripting in bbPress
  28. XSS at error page of repository code
  29. XSS like a pro
  30. How I turned self XSS to stored XSS via CSRF
  31. Stored XSS on Outlook Web
  32. XSS bug: 20 chars blind XSS payload
  33. XSS in AMP4EMAIL (DOM clobbering)
  34. DOM-based XSS bug bounty writeup
  35. XSS will never die
  36. $5000 USD XSS issue at Avast desktop antivirus
  37. XSS to account takeover
  38. How PayPal helped me to generate XSS
  39. Bypass uppercase filters like a pro (XSS advanced methods)
  40. Stealing login credentials with reflected XSS
  41. Bug hunting: XSS on cookie popup warning
  42. XSS is love
  43. OnePlus XSS vulnerability in customer support portal
  44. Exploiting cookie-based XSS by finding RCE
  45. Stored XSS on Zendesk via macros
  46. XSS in ZOHO main
  47. DOM-based XSS in private program
  48. Bug bounty writeup: take attention and get stored XSS
  49. How I XSSed admin account
  50. Clickjacking + XSS on Google
  51. Stored XSS on laporbugid
  52. Leveraging AngularJS-based XSS to privilege escalation
  53. How I found XSS by searching in Shodan
  54. Chaining cache poisoning to stored XSS
  55. XSS to RCE
  56. XSS on Twitter worth $1120
  57. Reflected XSS in ebay.com
  58. Cookie-based XSS exploitation ($2300 bug bounty)
  59. What do netcat, SMTP and self XSS have in common?
  60. XSS on Google Custom Search Engine
  61. Story of a full account takeover vulnerability: N/A to Accepted
  62. Yeah, I got P2 in 1 minute: stored XSS via markdown editor
  63. Stored XSS on Indeed
  64. Self XSS to evil XSS
  65. How a classical XSS can lead to persistent ATO vulnerability
  66. Reflected XSS in Tokopedia train ticket
  67. Bypassing XSS filter and stealing user credit card data
  68. Googleplex.com blind XSS
  69. Reflected XSS on error page
  70. How I was able to get private ticket response panel and FortiGate web panel via blind XSS
  71. Unicode vs WAF
  72. Story of URI-based XSS with some simple Google dorking
  73. Stored XSS on Edmodo
  74. XSSed my way to $1000
  75. Try harder for XSS
  76. From parameter pollution to XSS
  77. MIME sniffing XSS
  78. Stored XSS on techprofile (Microsoft)
  79. Tale of a wormable Twitter XSS
  80. XSS attacks: Google bot index manipulation
  81. From reflected XSS to account takeover
  82. Stealing localStorage data through XSS
  83. CSRF attack can lead to stored XSS
  84. Reflected XSS (filter bypass)
  85. XSS protection bypass on HackerOne private program
  86. Just 5 minutes to get my 2nd stored XSS on edmodo.com
  87. Multiple XSS in skype.com
  88. Obtaining XSS using Moodle features and minor bugs
  89. XSS on 403 Forbidden: bypassing Akamai WAF
  90. How I turned self XSS into reflected XSS
  91. A tale of 3 XSS
  92. Stored XSS on Google.com
  93. Stored XSS in the Guides gameplaersion (www.dota2.com)
  94. Admin google.com reflected XSS
  95. PayPal stored security bypass
  96. PayPal DOM XSS on main domain
  97. Bug bounty: the $5k Google XSS
  98. Facebook stored XSS
  99. eBay mobile reflected XSS
  100. Magix bug bounty XSS writeup

Content Security Policy (CSP)

  1. CSP bypass + XSS
  2. www.hackerone.com website CSP "script-src" includes "unsafe-inline"
  3. https://wakatime.com/ website CSP "script-src" includes "unsafe-inline"
  4. Unsafe inline and eval CSP usage
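
Added example, not taken from this page or from any of the write-ups above: a small Python auditor that parses a Content-Security-Policy header and flags the weak settings those reports turn on ('unsafe-inline' and 'unsafe-eval' in script-src, plus the wildcard, data:, bare-scheme, object-src and base-uri gaps that usually accompany them). It assumes CSP Level 2+ browser behaviour, in which 'unsafe-inline' is ignored once a nonce or hash source is present; the sample headers in the usage block are constructed.

```python
"""Audit a Content-Security-Policy header for script-execution weaknesses."""
from typing import Dict, List

# Source expressions that make CSP Level 2+ browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers keep the first occurrence and ignore the rest, so we do the same.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """script-src and object-src fall back to default-src; base-uri does not."""
    if directive in policy:
        return policy[directive]
    if directive in ("script-src", "object-src"):
        return policy.get("default-src", [])
    return []


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    policy = parse_csp(header)
    findings: List[str] = []

    script = [s.lower() for s in effective_sources(policy, "script-src")]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
    if not script:
        findings.append("script-src: neither script-src nor default-src is set, scripts from anywhere run")
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts and event handlers run, XSS is not mitigated")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allows eval()/new Function() on attacker-controlled strings")
    if "*" in script:
        findings.append("script-src: wildcard '*' allows scripts from any origin")
    if "data:" in script:
        findings.append("script-src: data: URIs allowed, <script src=\"data:...\"> bypasses the host allowlist")
    for scheme in ("http:", "https:"):
        if scheme in script:
            findings.append(f"script-src: bare scheme {scheme} allows any host over that scheme")

    obj = [s.lower() for s in effective_sources(policy, "object-src")]
    if obj != ["'none'"]:
        findings.append("object-src: not 'none', plugin content can be used to run script")

    if "base-uri" not in policy:
        findings.append("base-uri: unset, an injected <base> tag can point relative script URLs at an attacker host")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, in the shape of the policies the reports above describe.
    SAMPLES = [
        "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; object-src 'none'; base-uri 'none'",
        "script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic'; object-src 'none'; base-uri 'self'",
        "default-src *",
    ]
    for header in SAMPLES:
        print(header)
        for finding in audit_csp(header) or ["  (no findings)"]:
            print(" -", finding)
```

The second sample shows why the check looks for a nonce or hash before reporting 'unsafe-inline': that keyword is the documented way to keep older browsers working under a nonce-based policy, and a scanner that flags it unconditionally produces a false positive on a policy that is actually stronger than the first one.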

HTML Injection

  1. HTML injection in clause email
  2. HTML injection to XSS bypass
  3. HTML injection in email
  4. Chain the vulnerabilities and take your report impact to the moon: CSRF to HTML injection which ...
  5. Stored iframe injection + CSRF = account takeover
  6. Hunting good bugs with only HTML
  7. Unauthenticated account takeover through HTTP leak
  8. HTML injection: unique exploitation
  9. How I caught multiple vulnerabilities in udemy.com
  10. Got easiest bounty with HTML injection via email confirmation

Clickjacking (UI redressing)

  1. Clickjacking on Google MyAccount, worth $7500
  2. How I earned $750 bounty reward from AT&T bug bounty (Adesh Kolte)
  3. Binary.com clickjacking vulnerability: exploiting HTML5 security features (sandbox)
  4. $1800 worth clickjacking
  5. Account takeover with clickjacking
  6. Clickjacking in Google Docs and voice typing feature
  7. Google clickjacking
  8. Chaining self XSS with UI redressing is leading to session hijacking (pwn users like a boss): https://medium.com/bugbountywriteup/chaining-self-xss-with-ui-redressing-is-leading-to-session-hijacking-pwn-users-like-a-boss-efb46249cd14
  9. Facebook clickjacking: how we put a new dress on Facebook UI
  10. Clickjacking + XSS on google.org
  11. Redressing Instagram: leaking application tokens via Instagram clickjacking vulnerability
  12. Microsoft Yammer clickjacking: exploiting HTML5 security features
  13. Highly wormable clickjacking in player card
  14. Twitter Periscope clickjacking vulnerability
  15. Clickjacking on donation page
  16. Stealing user emails by clickjacking cards.twitter.com/xxx/xxx
  17. Clickjacking at join.nordvpn.com
  18. Clickjacking in the admin page
  19. Clickjacking on cas.acronis.com login page
  20. Clickjacking at ylands.com

Cross Site Request Forgery (CSRF)

  1. PayPal bug bounty: updating the PayPal.me profile picture without consent (CSRF attack) - Florian Courtial
  2. Hacking PayPal accounts with one click (patched) - Yasser Ali
  3. Add tweet to collection CSRF - Vijay Kumar
  4. Facebookmarketingdevelopers.com: proxies, CSRF quandary, and API fun - phwd
  5. How I hack your Beats account? Apple bug bounty - @aaditya_purani
  6. FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones
  7. Hacking Facebook accounts using CSRF in Oculus-Facebook integration
  8. Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019
  9. Cross-Site Request Forgery Attack - PwnFunction
  10. Wiping Out CSRF - Joe Rozner - Oct 17, 2017
  11. Bypass referer check logic for CSRF
  12. Messenger site-wide CSRF
  13. Bypass CSRF with clickjacking, worth $1250
  14. Bypass CSRF with clickjacking on google.org
  15. CSRF combined with IDOR within Document Converter exposes files
  16. Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login
  17. How I could have taken over any Pinterest account
  18. Leaking WordPress CSRF tokens
  19. PayPal BBP: I could've deleted all SMC
  20. Instagram delete media CSRF
  21. WordPress CSRF to RCE
  22. RCE on a Facebook server
  23. Collecting shells by the sea of NAS vulnerabilities
  24. CORS to CSRF attack
  25. $1800 in less than an hour
  26. Google bugs
  27. Site-wide CSRF on popular program
  28. Using CSRF I got weird account takeover
  29. Admin hijacked by sea surf pirates
  30. How I could have hijacked a victim's YouTube notifications! (Google VRP writeup)
  31. How I was able to delete 13k Microsoft Translator projects
  32. Fastest fix on Open Bug Bounty platform
  33. How a simple CSRF attack turned into a P1-level bug
  34. CSRF: critical, exploitable in infected site
  35. OAuth misconfiguration leads to complete account takeover
  36. A very useful technique to bypass the CSRF protection for fun and profit
  37. How I turned self XSS to stored XSS via CSRF
  38. CSRF vulnerability leads to user profile change in Microsoft Express Logic
  39. How I got $500 from Microsoft for CSRF vulnerability
  40. How I made $1000 at AT&T bug bounty (H1)
  41. Lintern-ute account takeover via CSRF (Adesh Kolte)
  42. How I found password bypass vulnerability on private document at scribd.com
  43. Brute-forcing user IDs via CSRF to delete all users with CSRF attack
  44. Self XSS to account takeover
  45. Obtaining XSS using Moodle features and minor bugs
  46. How I hacked companies related to the cryptocurrency and earned $60,000
  47. Stored iframe injection + CSRF = account takeover
  48. Account taken over in style
  49. CSRF email confirmation vulnerability for Gmail/G Suite in Facebook
  50. CSRF bypass using cross-frame scripting
  51. CSRF CSRF CSRF
  52. My first CSRF to account takeover, worth $750
  53. Always escalate from self XSS to persistent XSS on login portal
  54. Exploiting WebSocket: application-wide XSS + CSRF
  55. JSON CSRF attack on a social networking site (HackerOne platform)
  56. How I CSRF'd my first bounty
  57. Self XSS + CSRF to stored XSS
  58. ATO worth $900
  59. CSRF token bypass: a tale of my $2k bug
  60. How I exploit the JSON CSRF with method override technique
  61. ATO by chaining two vulnerabilities
  62. Account takeover using CSRF (JSON-based)
  63. How I hacked one cryptocurrency service
  64. 2FA bypass via CSRF attack
  65. The account takeover killing chain
  66. 4x CSRFs chained for company account takeover
  67. A simple bypass of registration activation that lead to many bugs: a story about how my friend ...
  68. Critical: bypass CSRF protection on IBM
  69. CSRF account takeover explained: automated + manual (bug bounty)
  70. CSRF account takeover in a company worth $1B
  71. CSRF attack can lead to stored XSS
  72. How I hijacked your account when you opened my cat picture
  73. Stealing downloads from Slack users
  74. Chain XSS
  75. How I was able to bypass the current password
  76. RXSS + CSRF bypass to account takeover
  77. XSS to ATO
  78. Site-wide CSRF (GraphQL)
  79. Google bug bounty: CSRF in learndigital.withgoogle.com
  80. An inconsistent CSRF
  81. Yet other examples of abusing CSRF in logout
  82. Facebook privacy bug
  83. An interesting Google vulnerability that got me $3133.7 reward
  84. Facebook CSRF protection bypass which leads to account takeover
  85. Facebook CSRF bug which leads to Instagram partial account takeover
  86. CSRF logs the victim into attacker's account
  87. CSRF logs victim into the attacker's account
  88. Login CSRF in analytics.mopub.com
  89. CRITICAL: full account takeover using CSRF
  90. CSRF at "Apply to this program" that leads to submitting your request automatically without any validation
  91. CSRF - Close Account
  92. CSRF: add item to victim's cart automatically (starbucks.com - updatecart)
  93. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers
  94. CSRF - Modify Project Settings
  95. Cross-Site Request Forgery (CSRF)
  96. CSRF on https://market.my.games
  97. CSRF - Modify Company Info

Cross Origin Resource Sharing (CORS)

  1. CORS bug on Google's 404 page (rewarded)
  2. CORS misconfiguration leading to private information disclosure
  3. CORS misconfiguration account takeover: out of scope to grab items in scope
  4. Chrome CORS
  5. Bypassing CORS
  6. An unexploited CORS misconfiguration reflects further issues
  7. Think outside the scope: advanced CORS exploitation techniques
  8. A simple CORS misconfiguration leaked private posts of Twitter, Facebook, Instagram
  9. Exploiting CORS misconfiguration
  10. Exploiting misconfigured CORS via wildcard subdomains
  11. Exploiting insecure CORS API (api.artsy.net)
  12. Pre-domain wildcard CORS exploitation
  13. Exploiting misconfigured CORS on popular BTC site
  14. Cross-origin resource sharing misconfig: steal user information (bughunterboy)
  15. [██████] Cross-origin resource sharing misconfiguration (CORS) (Vadim jarvis7)
  16. CORS misconfiguration on nordvpn.com leading to private information disclosure, account takeover
  17. CORS misconfiguration [www.zomato.com], could lead to disclosure of sensitive information
  18. CORS misconfiguration
  19. CORS misconfiguration leads to exposing user data
  20. CORS bypassing misconfiguration leads to sensitive exposure
  21. CORS misconfiguration allows to steal client's "password", Authorization token and the customer details e.g. names, SSN, bank account etc.
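
Added example, not from this page or from any of the write-ups above: three origin validators of the kind the CORS reports exploit (suffix match, which the "pre-domain wildcard" entry abuses; substring match; an unanchored regex, which the "wildcard subdomains" entry abuses), next to a strict validator, all run against a constructed set of attacker origins. The trusted domain `example.com`, the function names and the attacker origins are assumptions made for the example.

```python
"""Origin validation for a credentialed CORS endpoint: weak patterns beside a strict check."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "example.com"  # assumed trusted domain for this example


def allow_suffix_match(origin: str) -> bool:
    """Vulnerable: endswith() accepts evilexample.com (pre-domain wildcard) and any scheme."""
    return origin.endswith(TRUSTED_DOMAIN)


def allow_substring_match(origin: str) -> bool:
    """Vulnerable: a contains check accepts the trusted string anywhere in the value."""
    return TRUSTED_DOMAIN in origin


def allow_unanchored_regex(origin: str) -> bool:
    """Vulnerable: no end anchor, so api.example.com.evil.net matches (wildcard-subdomain bypass)."""
    return re.match(r"https://.*\.example\.com", origin) is not None


def allow_strict(origin: str) -> bool:
    """Hardened: parse the Origin, require https, forbid path/query/fragment
    (a real Origin header never carries them), and accept only the trusted
    host itself or a dot-separated subdomain of it. 'null' fails parsing."""
    parts = urlsplit(origin)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def cors_headers(origin: Optional[str], validator: Callable[[str], bool]) -> Dict[str, str]:
    """Headers a server would emit. Reflecting the Origin together with
    Allow-Credentials is what turns a bad validator into cross-origin data
    theft, so they are only set when the validator passes."""
    if origin is None or not validator(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep shared caches from serving one origin's ACAO to another
    }


# Constructed attacker-controlled origins, each aimed at one weak pattern.
ATTACKER_ORIGINS = [
    "https://api.example.com.evil.net",  # trusted host used as a subdomain prefix
    "https://evilexample.com",           # pre-domain wildcard (no dot before the suffix)
    "https://evil.net/?x=example.com",   # trusted string elsewhere in the value
    "null",                              # sandboxed iframe / data: / file origin
    "http://api.example.com",            # scheme downgrade of a real subdomain
]


def accepted_attacker_origins(validator: Callable[[str], bool]) -> List[str]:
    """Return the attacker origins a validator would grant credentialed access to."""
    return [o for o in ATTACKER_ORIGINS if cors_headers(o, validator)]


if __name__ == "__main__":
    for v in (allow_suffix_match, allow_substring_match, allow_unanchored_regex, allow_strict):
        print(f"{v.__name__:24s} accepts: {accepted_attacker_origins(v)}")
```

When testing a live target, the same five origins are the ones to send in the `Origin` header: if any of them comes back in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`, the response body is readable from that origin with the victim's cookies attached.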

Same Origin Policy (SOP)

  1. SOP bypass via browser cache
  2. Google Sites and exploiting the Same Origin Policy
  3. SOP bypass
  4. Stealing local files with a simple HTML file
  5. Hacking the Same Origin Policy
  6. Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml
  7. CSRF possible when SOP bypass/UXSS is available
  8. SOP bypass using browser cache

Open Redirect

  1. [Report-246897] Open Redirect on Twitter: Eldeeb
  2. [Report-103772] Open Redirect on Shopify: .np
  3. [Report-309058] Open Redirect on WordPress: @
  4. [Report-260744] Open Redirect and XSS on Twitter: https://dev.twitter.com/https:/%5cblackfan.ru/
  5. [Report-320376] Open Redirect on HackerOne: after index.php/XYZ
  6. [Report-111968] Interstitial redirect bypass / Open Redirect on HackerOne Zendesk Session
  7. [Report-244721] Open Redirect on Mail.Ru
  8. [Report-236599] Open Redirect on ExpressionEngine
  9. [Report-299403] Open Redirect on HackerOne: RTLO
  10. [Report-239503] Open Redirect & Information Disclosure on HackerOne
  11. [Report-210875] Open Redirect via Host Header
  12. [Report-119236] Open Redirect on Uber: IP address to a single number
  13. [Report-126203] Open Redirect on Uber
  14. [Report-144525] Open Redirect bypass on New Relic
  15. [Report-104087] Open Redirect bypass using svg on Slack
  16. [Report-179568] Open Redirect via window.opener on Open-Xchange
  17. Open Redirect to RCE on Google Hangouts Electron app & RCE Tweet

Information Disclosure

  1. I found GCP service account token, now ... (GCP)
  2. What is your GCP infra worth? About $700 (GCP)
  3. Getting access: Zendesk GCP (GCP)
  4. Aaron Esau blog (Debug)
  5. From GitHub recon to account takeover (ATO)
  6. GraphQL bug to steal anyone's address (GraphQL)
  7. How recon helped Samsung protect their production repositories of SamsungTV, e-commerce, e-stores (IMPORTANT)
  8. Accessing 2 million Verizon Pay Monthly contracts
  9. Business logic: plex.tv
  10. Leak: can I take user information please?
  11. How I could have hacked all Uber accounts
  12. How I found a credential-enriched Redis dump
  13. How to look for JS files vulnerability for fun and profit
  14. Unauthorized access to all user information leaks
  15. How I got my first P1: sensitive information disclosure using WPScan
  16. Recon to sensitive information disclosure in minutes

Denial of Service (DoS)

  1. Long string DoS
  2. Banner grabbing to DoS and memory corruption
  3. profile-picture name parameter with large value leads to DoS for other users and programs on the platform
  4. xmlrpc.php file is enabled; it can be used for brute force attacks and denial of service (DoS)
  5. xmlrpc.php file is enabled; it will be used for brute force attacks and denial of service
  6. DoS on the Issue page by exploiting Mermaid
  7. Character limitation bypass can lead to DoS on Twitter app and 500 Internal Server Error
  8. Permanent DoS with one click
  9. A very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service
  10. ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages
  11. Denial of service on twitter.com & mobile.twitter.com
  12. DoS attack via comment on Issue
  13. DoS of https://nordvpn.com/ via CVE-2018-6389 exploitation
  14. Denial of service [Chrome]
  15. DoS: type confusion in mrb_no_method_error
  16. api.tumblr.com denial of service by cookie manipulation
  17. Application DoS via specially crafted payload on 3d.cs.money
  18. Pixel flood attack leads to application-level DoS
  19. Lack of input validation that can lead to denial of service (DoS)

Amazon Simple Storage Service (S3)

  1. Open AWS S3 bucket leaks all images uploaded to Zomato chat
  2. AWS S3 bucket writeable for authenticated AWS users
  3. Open S3 bucket accessible by any AWS user
  4. Open S3 bucket writeable to any AWS user
  5. API - Amazon S3 bucket misconfiguration
  6. No ACL on S3 bucket in [https://www.██████████/]
  7. Amazon S3 bucket misconfiguration (share)
  8. Listing of Amazon S3 bucket accessible to any Amazon authenticated user (metrics.pscp.tv)
  9. S3 bucket upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com)
  10. Unclaimed S3 bucket takeover in the 3 JS files located on the GitHub page of Brave Software
  11. S3 bucket data at http://rockset-support.s3-us-west-2.amazonaws.com/ reveals user addresses based on latitudes and longitudes
  12. Writable RubyCi Amazon S3 bucket
  13. Public report - Reproducible - Writable RubyCi Amazon S3 bucket [207053]
  14. niche S3 buckets are readable/writeable/deleteable by authorized AWS users
  15. How I dumped millions of cryptocurrency accounts
  16. Subdomain takeover on happymondays.starbucks.com due to unused AWS S3 DNS record
  17. Subdomain takeover via unsecured S3 bucket

SQL Injection (SQLi)

  1. SQL injection in Harvard subdomain
  2. SQLi in HackerOne (critical)
  3. SSRF to SQLi
  4. Blind SQLi in Hootsuite
  5. Tesla Motors blind SQL injection (' + sleep(10) + ')
  6. Popping a shell on the Oculus developer portal
  7. Pwning child company to get access to parent company's Slack team
  8. SQL injection in INSERT/UPDATE query without comma
  9. SQLi: extracting data without knowing column names
  10. SQLi on bootcamp.nutanix.com (bug bounty PoC)
  11. ZOL Zimbabwe: auth bypass, SQLi, XSS
  12. SQLi login bypass on Autotraders
  13. SQL injection via stopping the redirection to a login page
  14. Yahoo root access SQL injection (tw.yahoo.com)
  15. Step by step: exploiting SQL injection
  16. File upload blind SQLi
  17. First bug bounty submission
  18. Exploiting a tricky blind SQL injection inside LIMIT clause
  19. H1-4420: From quiz to admin, chaining two 0-days to compromise an Uber WordPress
  20. Hacking the NHS for fun and no profit
  21. Hacking makes me forget my pain
  22. SQL injection vulnerability in University of Cambridge
  23. SQL injection bug bounty
  24. Shodan is your friend; if you lose him you will lose many
  25. SQL injection through User-Agent
  26. Union-based SQL injection write-up: a private company site
  27. SQL injection for $50 bounty, but still worth reading
  28. Source code analysis in ySurvey (Luminate bug)
  29. SQL injection (saadahmedx)
  30. A five-minute SQLi
  31. Bug bounty writeups: exploiting SQL injection vulnerability
  32. Twitter
  33. YouTube
  34. Bypass SQL injection #1109311
  35. SQL injection in https://www.acronis.cz/ via the log parameter
  36. Blind SQL injection
  37. Time-based SQL injection
  38. [Critical] SQL injection by GET method
  39. Blind SQL injection
  40. SQL injection [futexpert.mtngbissau.com]
  41. SQL injection on docs.atavist.com
  42. [windows10.hi-tech.mail.ru] Blind SQL injection
  43. SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-Agent
  44. Blind SQL injection in Hall of Fap
  45. SQL injection in ████
  46. SQL injection in ████

XML External Entity (XXE)

  1. External XML entity via file upload (SVG)
  2. 0day writeup: XXE in uber.com
  3. An interesting XXE in SAP
  4. Bug bounty: Fastmail
  5. Exploiting XXE with local DTD files
  6. XSS to XXE in Prince
  7. Multiple vulnerabilities in Oracle EBS
  8. From blind XXE to root-level file read access
  9. SOAP-based unauthenticated out-of-band XML external entity (OOB XXE) in a help desk software
  10. How I lost $5005 in a day: DoS (billion laughs attack) + XXE
  11. XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
  12. XXE on sms-be-vip.twitter.com in SXMP Processor

Blind XXE (out-of-band, OOB)

  1. A tale of two formats: exploiting insecure XML and ZIP file parsers to create ...
  2. How I found CVE-2018-8819: out-of-band (OOB) XXE
  3. XXE OOB exploitation at Java 1.7
  4. Blind XML external entities out-of-band channel vulnerability: PayPal case study
  5. OOB XXE in PrizmDoc (CVE-2018-15805)
  6. Exploiting out-of-band XXE using ...
  7. Blind XXE via PowerPoint files
  8. Phone call to XXE via Interactive Voice Response
  9. XXE in Site Audit function exposing file and directory contents

Insecure Direct Object References (IDOR)

  1. IDOR in HackerOne
  2. IDOR with Geolocation data not stripped from images
  3. IDOR in HackerOne
  4. How I could have hacked your Uber account
  5. IDOR via WebSockets
  6. FBCTF IDOR
  7. Disclosing privately shared gaming clips of any user
  8. Adding anyone including non-friend and blocked people as co-host in personal event!
  9. Page analyst could view job application details
  10. Deleting anyone's video poll
  11. IDOR bug to see hidden Slowvote of any user even when you don't have access rights
  12. IDOR allows extracting all registered emails
  13. Another image removal vulnerability on Facebook
  14. G Suite Hangouts Chat $5k IDOR
  15. How I pwned a company using IDOR and blind XSS
  16. Disclose private dashboard chart's name and data in Facebook Analytics
  17. DoD IDOR
  18. IDOR when editing users leads to account takeover without user interaction at CrowdSignal
  19. IDOR leads to editing anyone's blogs / websites
  20. IDOR and statistics leakage in Orders
  21. IDOR in https://3d.cs.money/
  22. IDOR leading to downloading of any attachment
  23. IDOR when moving contents at CrowdSignal
  24. IDOR: unsubscribe anyone from Nextcloud's newsletters by knowing their email
  25. IDOR to delete images from other stores
  26. IDOR in marketing calendar tool
  27. IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field
  28. IDOR in SEMrush Academy
  29. IDOR on the DELETE /comments/
  30. IDOR [NR Insights]: modify the filter settings for any NR Insights dashboard through internal_api endpoint
  31. IDOR in editing courses
  32. IDOR when editing email leads to account takeover on Atavist
  33. IDOR to view user order information
  34. IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter
  35. IDOR: deleting other user's signature via /appsuite/api/snippet?action=update (although an error is thrown)

HTTP Parameter Pollution (HPP)

  1. reCAPTCHA bypass via HTTP parameter pollution
  2. Twitter HPP vulnerability
  3. Improper input validation: add custom text and URLs in SMS sent by Snapchat (bug bounty PoC)
  4. Tale of account takeovers (part ...)
  5. Bug bounty: compromising user account, how I was able to compromise user account via HTTP ...
  6. From parameter pollution to XSS
  7. How I earned $60k from a private program

Host Header Injection (HHI)

  1. Love story of account takeover chaining
  2. Host header injection
  3. How I was able to take over any user's account with host header injection
  4. Pwn them all (bug bounty)
  5. How I earned $800 for host header injection vulnerability
  6. $10k host header
  7. ATO via host header poisoning
  8. From host header injection to SQL injection
  9. Awesome host header injection worth $2k
  10. Bug bounty: rewarded by securing vulnerabilities in BookMyShow, India's largest online movie ...
  11. Host Header Injection
  12. Host header injection/redirection on signup and login page
  13. Host Header Injection/Redirection in: https://www.instacart.com/
  14. Email link poisoning / Host header attack
  15. Host Header Injection - irccloud.com
  16. Host header injection/redirection via newsletter signup
  17. Host Header Injection/Redirection
  18. Host header Injection
  19. Header Injection in app.legalrobot.com
  20. Password reset link hijacking via Host header poisoning
  21. Host Header Injection/Redirection
  22. Modify Host header which is sent to email
  23. Host Header Injection / Cache Poisoning
  24. Host header poisoning on gratipay.com
  25. Host header is not validated, resulting in open redirect

Server Side Request Forgery (SSRF)

  1. SSRF to SQLi
  2. Escalating XSS in PhantomJS image rendering to SSRF/local file read
  3. Escalating blind SSRF to get RCE (Santosh Kumar Sha)
  4. AWS takeover: SSRF + JavaScript
  5. Local file read via XSS in dynamically ...
  6. Downnotifier SSRF
  7. Pivoting from blind SSRF to RCE with HashiCorp Consul
  8. ESEA server-side request forgery and querying AWS metadata
  9. Airbnb: chaining third-party open redirect into server-side request forgery (SSRF) via LivePerson chat
  10. Yahoo Small Business (Luminate) and the not-so-secret keys
  11. SSRF vulnerability in ...
  12. My first SSRF using DNS rebinding
  13. Bug bounty: a simple SSRF
  14. Blind SSRF in stripe.com due to Sentry misconfiguration
  15. How I convert SSRF to XSS in an SSRF-vulnerable Jira
  16. Escalating SSRF to RCE
  17. How outdated Jira instances suffer from multiple security vulnerabilities
  18. How I found XSS via SSRF vulnerability (Adesh Kolte)
  19. Gain AdFly SMTP access with SSRF via gopher protocol
  20. PDFreactor SSRF to root-level local file read which led to RCE
  21. Piercing the veil: short stories to read with friends
  22. Vimeo upload function SSRF
  23. $1,000 SSRF in Slack
  24. SSRF trick: SSRF/XSPA in Microsoft's Bing Webmaster Central
  25. Hunting good bugs with only HTML
  26. Blind SSRF on coda.io
  27. Chain of hacks leading to database compromise
  28. The journey of web cache/firewall bypass to SSRF to AWS credentials compromise
  29. The unusual case of open redirection to AWS security credentials compromise
  30. pcextreme.nl fake bug bounty
  31. SSRF on PDF generator
  32. Reading internal files using SSRF vulnerability
  33. Using vulnerability analytics feature like a boss
  34. SSRF via FFmpeg HLS processing
  35. SSRF to read local files and abusing the AWS metadata
  36. SSRF in OpenID support
  37. The story of blind SSRF leads to internal host discovery
  38. Vimeo SSRF with code execution potential
  39. Just another tale of severe bugs on a private program
  40. How I found an SSRF in Yahoo Guesthouse (recon wins)
  41. From SSRF to local file disclosure
  42. SSRF port issue: hidden approach
  43. Exploiting SSRF like a boss
  44. Exploiting an SSRF: trials and tribulations
  45. The bugs are out there, hiding in plain sight
  46. Bug bounty: Fastmail
  47. Piercing the veil: server-side request forgery to NIPRNet access
  48. SSRF: P4 to P2
  49. Old but gold: dot dot slash to get the flag (Uber microservice)
  50. Google VRP: SSRF in Google Cloud Platform Stackdriver
  51. Into the Borg: SSRF inside Google production network
  52. CVE-2018-16794 on fs.thefacebook.com
  53. Stored XSS and SSRF (Google)
  54. Exploiting single request for multiple ...
  55. How I got access to local AWS info via Jira
  56. SSRF in ...
  57. SSRF: reading local files from Downnotifier server
  58. OK Google, give me all your internal DNS information
  59. Slack WebRTC TURN compromise
  60. Getting read access on Edmodo
  61. A pair of Plotly bugs: stored XSS and AWS metadata SSRF
  62. SSRF in Exchange leads to ROOT access in all instances (Shopify)
  63. SSRF using JavaScript allows exfiltrating data from Google metadata
  64. SSRF to ROOT access
  65. Facebook SSRF
  66. $31k SSRF in Google Cloud Monitoring led to metadata exposure
  67. How I chained 4 vulnerabilities on GitHub Enterprise, from SSRF execution chain to RCE!
  68. My expense report resulted in a server-side request forgery (SSRF) on Lyft

OS Command Injection

  1. Command Injection (via CVE-2019-11510 and CVE-2019-11539)
  2. RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
  3. Remote Code Execution via Extract App Plugin
  4. OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)
  5. https://hackerone.com/reports/212696

LFI/LFD - Path Traversal - RFI

Remote File Inclusion (RFI)

  1. Remote file Inclusion - RFI in upload

Path Traversal

  1. Path Traversal allowing to read any files on the server
  2. Directory traversal at https://nightly.ubnt.com
  3. Remote code execution via path traversal in Zip extraction in the Extract app
  4. Path traversal on ████████
  5. Critical: full local filesystem access (LFI/LFD) as admin via path traversal in the misconfigured Java servlet on https://███/
  6. Path traversal leading to limited CSRF on GET requests on two endpoints

Local File Inclusion (LFI)

  1. [https://███] Local File Inclusion via graph.php
  2. Local File Inclusion in registration page
  3. Local File Include on marketing-dam.yahoo.com
  4. Local files reading from the web using brave://
  5. RFI/LFI writeup
  6. How we got LFI in Apache Drill (recon like a boss)
  7. Bug bounty journey from LFI to RCE
  8. From LFI to RCE via PHP sessions
  9. Magix bug bounty: magix.com XSS, RCE, SQLi and LFI
  10. Escalating XSS in PhantomJS image rendering to SSRF/local file read
  11. Chain the bugs to pwn an organisation: LFI + unrestricted file upload = remote code execution
  12. Chain of hacks leading to database compromise
  13. The journey of web cache/firewall bypass to SSRF to AWS credentials compromise
  14. LFI to command execution (Deutsche Telekom bug bounty)
  15. Client, not client
  16. Exploiting SSRF like a boss

File Upload

  1. Exploiting file uploads, pt. 2
  2. External XML entity via file upload (SVG)
  3. Arbitrary file upload to stored XSS
  4. My first RCE: stressed employee gets me 2x bounty
  5. Remote image upload leads to RCE: inject malicious code into a PHP-GD image
  6. Vimeo upload function SSRF
  7. ManageEngine ServiceDesk Plus arbitrary file upload
  8. From file upload to email/pass
  9. Uploading backdoor for fun and profit: RCE + DB creds (P1)
  10. Simple remote code execution vulnerability examples for beginners
  11. Unrestricted file upload to RCE (bug bounty PoC)
  12. How I gained unrestricted file upload + remote code execution (bug bounty)
  13. How I found RCE but got duplicated
  14. Race condition that could result in RCE: a story with an app that temporarily stored an uploaded ...
  15. ASUS RCE vulnerability on rma.asus-europe.eu
  16. Exploitation of CVE-2018-15961: unrestricted file upload in Adobe ColdFusion
  17. Unrestricted file upload on PDF
  18. Uploading files to api.techprep.fb.com
  19. How I got stored XSS using a file upload
  20. Chain the bugs to pwn an organization: LFI + unrestricted file upload to RCE
  21. File upload blind SQLi
  22. Path traversal while uploading results in RCE
  23. RCE by uploading a web.config
  24. How I hacked Facebook and received a $3500 USD Facebook bug bounty
  25. Chaining tricky OAuth exploitation to stored XSS
  26. RTL override symbol not stripped from file names
  27. XSS by image file name
  28. Arbitrary file upload and stored XSS via ███ support request
  29. Unrestricted file upload on https://app.dropcontact.io/app/upload/
  30. Unrestricted file upload leads to stored XSS
  31. Unrestricted file upload on the image of contacts
  32. File upload XSS in image uploading of App in MoPub

This post is licensed under CC BY 4.0 by the author.