| Skip to content | https://github.com/Squnity/bug-bounty-reference#start-of-content |
|
| https://github.com/ |
|
Sign in
| https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FSqunity%2Fbug-bounty-reference |
| GitHub CopilotWrite better code with AI | https://github.com/features/copilot |
| GitHub Copilot appDirect agents from issue to merge | https://github.com/features/ai/github-app |
| MCP RegistryNewIntegrate external tools | https://github.com/mcp |
| ActionsAutomate any workflow | https://github.com/features/actions |
| CodespacesInstant dev environments | https://github.com/features/codespaces |
| IssuesPlan and track work | https://github.com/features/issues |
| Code ReviewManage code changes | https://github.com/features/code-review |
| GitHub Advanced SecurityFind and fix vulnerabilities | https://github.com/security/advanced-security |
| Code securitySecure your code as you build | https://github.com/security/advanced-security/code-security |
| Secret protectionStop leaks before they start | https://github.com/security/advanced-security/secret-protection |
| Why GitHub | https://github.com/why-github |
| Documentation | https://docs.github.com |
| Blog | https://github.blog |
| Changelog | https://github.blog/changelog |
| Marketplace | https://github.com/marketplace |
| View all features | https://github.com/features |
| Enterprises | https://github.com/enterprise |
| Small and medium teams | https://github.com/team |
| Startups | https://github.com/enterprise/startups |
| Nonprofits | https://github.com/solutions/industry/nonprofits |
| App Modernization | https://github.com/solutions/use-case/app-modernization |
| DevSecOps | https://github.com/solutions/use-case/devsecops |
| DevOps | https://github.com/solutions/use-case/devops |
| CI/CD | https://github.com/solutions/use-case/ci-cd |
| View all use cases | https://github.com/solutions/use-case |
| Healthcare | https://github.com/solutions/industry/healthcare |
| Financial services | https://github.com/solutions/industry/financial-services |
| Manufacturing | https://github.com/solutions/industry/manufacturing |
| Government | https://github.com/solutions/industry/government |
| View all industries | https://github.com/solutions/industry |
| View all solutions | https://github.com/solutions |
| AI | https://github.com/resources/articles?topic=ai |
| Software Development | https://github.com/resources/articles?topic=software-development |
| DevOps | https://github.com/resources/articles?topic=devops |
| Security | https://github.com/resources/articles?topic=security |
| View all topics | https://github.com/resources/articles |
| Customer stories | https://github.com/customer-stories |
| Events & webinars | https://github.com/resources/events |
| Ebooks & reports | https://github.com/resources/whitepapers |
| Business insights | https://github.com/solutions/executive-insights |
| GitHub Skills | https://skills.github.com |
| Documentation | https://docs.github.com |
| Customer support | https://support.github.com |
| Community forum | https://github.com/orgs/community/discussions |
| Trust center | https://github.com/trust-center |
| Partners | https://github.com/partners |
| View all resources | https://github.com/resources |
| GitHub SponsorsFund open source developers | https://github.com/open-source/sponsors |
| Security Lab | https://securitylab.github.com |
| Maintainer Community | https://maintainers.github.com |
| Accelerator | https://github.com/open-source/accelerator |
| GitHub Stars | https://stars.github.com |
| Archive Program | https://archiveprogram.github.com |
| Topics | https://github.com/topics |
| Trending | https://github.com/trending |
| Collections | https://github.com/collections |
| Enterprise platformAI-powered developer platform | https://github.com/enterprise |
| GitHub Advanced SecurityEnterprise-grade security features | https://github.com/security/advanced-security |
| Copilot for BusinessEnterprise-grade AI features | https://github.com/features/copilot/copilot-business |
| Premium SupportEnterprise-grade 24/7 support | https://github.com/enterprise/premium-support |
| Pricing | https://github.com/pricing |
| Search syntax tips | https://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax |
| documentation | https://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax |
|
Sign in
| https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FSqunity%2Fbug-bounty-reference |
|
Sign up
| https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E&source=header-repo&source_repo=Squnity%2Fbug-bounty-reference |
| Reload | https://github.com/Squnity/bug-bounty-reference |
| Reload | https://github.com/Squnity/bug-bounty-reference |
| Reload | https://github.com/Squnity/bug-bounty-reference |
| Please reload this page | https://github.com/Squnity/bug-bounty-reference |
|
Squnity
| https://github.com/Squnity |
| bug-bounty-reference | https://github.com/Squnity/bug-bounty-reference |
| SecFathy/bug-bounty-reference | https://github.com/SecFathy/bug-bounty-reference |
|
Notifications
| https://github.com/login?return_to=%2FSqunity%2Fbug-bounty-reference |
|
Fork
0
| https://github.com/login?return_to=%2FSqunity%2Fbug-bounty-reference |
|
Star
1
| https://github.com/login?return_to=%2FSqunity%2Fbug-bounty-reference |
|
Code
| https://github.com/Squnity/bug-bounty-reference |
|
Pull requests
0
| https://github.com/Squnity/bug-bounty-reference/pulls |
|
Actions
| https://github.com/Squnity/bug-bounty-reference/actions |
|
Projects
| https://github.com/Squnity/bug-bounty-reference/projects |
|
Wiki
| https://github.com/Squnity/bug-bounty-reference/wiki |
|
Security and quality
0
| https://github.com/Squnity/bug-bounty-reference/security |
|
Insights
| https://github.com/Squnity/bug-bounty-reference/pulse |
|
Code
| https://github.com/Squnity/bug-bounty-reference |
|
Pull requests
| https://github.com/Squnity/bug-bounty-reference/pulls |
|
Actions
| https://github.com/Squnity/bug-bounty-reference/actions |
|
Projects
| https://github.com/Squnity/bug-bounty-reference/projects |
|
Wiki
| https://github.com/Squnity/bug-bounty-reference/wiki |
|
Security and quality
| https://github.com/Squnity/bug-bounty-reference/security |
|
Insights
| https://github.com/Squnity/bug-bounty-reference/pulse |
| https://github.com/Squnity/bug-bounty-reference |
| Branches | https://github.com/Squnity/bug-bounty-reference/branches |
| Tags | https://github.com/Squnity/bug-bounty-reference/tags |
| https://github.com/Squnity/bug-bounty-reference/branches |
| https://github.com/Squnity/bug-bounty-reference/tags |
| 158 Commits | https://github.com/Squnity/bug-bounty-reference/commits/master/ |
| https://github.com/Squnity/bug-bounty-reference/commits/master/ |
| README.md | https://github.com/Squnity/bug-bounty-reference/blob/master/README.md |
| README.md | https://github.com/Squnity/bug-bounty-reference/blob/master/README.md |
| README | https://github.com/Squnity/bug-bounty-reference |
| https://github.com/Squnity/bug-bounty-reference#bug-bounty-reference |
| https://github.com/djadmin/awesome-bug-bounty | https://github.com/djadmin/awesome-bug-bounty |
| https://github.com/Squnity/bug-bounty-reference#introduction |
| here | http://blog.innerht.ml/rpo-gadgets/ |
| here | https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/ |
| XSSI | https://github.com/Squnity/bug-bounty-reference#xssi |
| Cross-Site Scripting (XSS) | https://github.com/Squnity/bug-bounty-reference#cross-site-scripting-xss |
| Brute Force | https://github.com/Squnity/bug-bounty-reference#brute-force |
| SQL Injection (SQLi) | https://github.com/Squnity/bug-bounty-reference#sql-injection |
| External XML Entity Attack (XXE) | https://github.com/Squnity/bug-bounty-reference#xxe |
| Remote Code Execution (RCE) | https://github.com/Squnity/bug-bounty-reference#remote-code-execution |
| Deserialization | https://github.com/Squnity/bug-bounty-reference#deserialization |
| Image Tragick | https://github.com/Squnity/bug-bounty-reference#image-tragick |
| Cross-Site Request Forgery (CSRF) | https://github.com/Squnity/bug-bounty-reference#csrf |
| Insecure Direct Object Reference (IDOR) | https://github.com/Squnity/bug-bounty-reference#insecure-direct-object-reference-idor |
| Stealing Access Token | https://github.com/Squnity/bug-bounty-reference#stealing-access-token |
| Google Oauth Login Bypass | https://github.com/Squnity/bug-bounty-reference#google-oauth-bypass |
| Server Side Request Forgery (SSRF) | https://github.com/Squnity/bug-bounty-reference#server-side-request-forgery-ssrf |
| Unrestricted File Upload | https://github.com/Squnity/bug-bounty-reference#unrestricted-file-upload |
| Race Condition | https://github.com/Squnity/bug-bounty-reference#race-condition |
| Business Logic Flaw | https://github.com/Squnity/bug-bounty-reference#business-logic-flaw |
| Authentication Bypass | https://github.com/Squnity/bug-bounty-reference#authentication-bypass |
| HTTP Header Injection | https://github.com/Squnity/bug-bounty-reference#http-header-injection |
| Email Related | https://github.com/Squnity/bug-bounty-reference#email-related |
| Money Stealing | https://github.com/Squnity/bug-bounty-reference#money-stealing |
| Miscellaneous | https://github.com/Squnity/bug-bounty-reference#miscellaneous |
| https://github.com/Squnity/bug-bounty-reference#cross-site-scripting-xss |
| Sleeping stored Google XSS Awakens a $5000 Bounty | https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/ |
| RPO that lead to information leakage in Google | http://blog.innerht.ml/rpo-gadgets/ |
| God-like XSS, Log-in, Log-out, Log-in | https://whitton.io/articles/uber-turning-self-xss-into-good-xss/ |
| Three Stored XSS in Facebook | http://www.breaksec.com/?p=6129 |
| Using a Braun Shaver to Bypass XSS Audit and WAF | https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify |
| An XSS on Facebook via PNGs & Wonky Content Types | https://whitton.io/articles/xss-on-facebook-via-png-content-types/ |
| Stored XSS in *.ebay.com | https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/ |
| Complicated, Best Report of Google XSS | https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss |
| Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com | https://hackerone.com/reports/150179 |
| Command Injection in Google Console | http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html |
| Facebook's Moves - OAuth XSS | http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html |
| Stored XSS in Google Docs (Bug Bounty) | http://hmgmakarovich.blogspot.hk/2015/11/stored-xss-in-google-docs-bug-bounty.html |
| Stored XSS on developer.uber.com via admin account compromise in Uber | https://hackerone.com/reports/152067 |
| Yahoo Mail stored XSS | https://klikki.fi/adv/yahoo.html |
| Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) | http://mksben.l0.cm/2016/07/xxn-caret.html |
| Youtube XSS | https://labs.detectify.com/2015/06/06/google-xss-turkey/ |
| Best Google XSS again | https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter |
| IE & Edge URL parsin Problem | https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/ |
| Google XSS subdomain Clickjacking | http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html |
| Microsoft XSS and Twitter XSS | http://blog.wesecureapp.com/xss-by-tossing-cookies/ |
| Google Japan Book XSS | http://nootropic.me/blog/en/blog/2016/09/20/%E3%82%84%E3%81%AF%E3%82%8A%E3%83%8D%E3%83%83%E3%83%88%E3%82%B5%E3%83%BC%E3%83%95%E3%82%A3%E3%83%B3%E3%82%92%E3%81%97%E3%81%A6%E3%81%84%E3%81%9F%E3%82%89%E3%81%9F%E3%81%BE%E3%81%9F%E3%81%BEgoogle/ |
| Flash XSS mega nz | https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/ |
| Flash XSS in multiple libraries | https://olivierbeg.com/finding-xss-vulnerabilities-in-flash-files/ |
| xss in google IE, Host Header Reflection | http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html |
| Years ago Google xss | http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf |
| xss in google by IE weird behavior | http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html |
| xss in Yahoo Fantasy Sport | http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/ |
| xss in Yahoo Mail Again, worth $10000 | https://klikki.fi/adv/yahoo2.html |
| Sleeping XSS in Google | https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/ |
| Decoding a .htpasswd to earn a payload of money | https://blog.it-securityguard.com/bugbounty-decoding-a-%F0%9F%98%B1-00000-htpasswd-bounty/ |
| Google Account Takeover | http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html#comment-form |
| AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 | http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/ |
| Uber Self XSS to Global XSS | https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html |
| How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) | https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g |
| Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities | https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/ |
| XSSI, Client Side Brute Force | http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html |
| postMessage XSS Bypass | https://hackerone.com/reports/231053 |
| XSS in Uber via Cookie | http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/ |
| Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP | https://hackerone.com/reports/207042 |
| XSS due to improper regex in third party js Uber 7k XSS | http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/ |
| XSS in TinyMCE 2.4.0 | https://hackerone.com/reports/262230 |
| Pass uncoded URL in IE11 to cause XSS | https://hackerone.com/reports/150179 |
| Twitter XSS by stopping redirection and javascript scheme | http://blog.blackfan.ru/2017/09/devtwittercom-xss.html |
| Auth DOM Uber XSS | http://stamone-bug-bounty.blogspot.hk/2017/10/dom-xss-auth_14.html |
| https://github.com/Squnity/bug-bounty-reference#brute-force |
| Web Authentication Endpoint Credentials Brute-Force Vulnerability | https://hackerone.com/reports/127844 |
| InstaBrute: Two Ways to Brute-force Instagram Account Credentials | https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-instagram-account-credentials/ |
| How I Could Compromise 4% (Locked) Instagram Accounts | https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/ |
| Possibility to brute force invite codes in riders.uber.com | https://hackerone.com/reports/125505 |
| Brute-Forcing invite codes in partners.uber.com | https://hackerone.com/reports/144616 |
| How I could have hacked all Facebook accounts | http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html |
| Facebook Account Take Over by using SMS verification code, not accessible by now, may get update from author later | http://arunsureshkumar.me/index.php/2016/04/24/facebook-account-take-over/ |
| https://github.com/Squnity/bug-bounty-reference#sql-injection |
| SQL injection in Wordpress Plugin Huge IT Video Gallery in Uber | https://hackerone.com/reports/125932 |
| SQL Injection on sctrack.email.uber.com.cn | https://hackerone.com/reports/150156 |
| Yahoo – Root Access SQL Injection – tw.yahoo.com | http://buer.haus/2015/01/15/yahoo-root-access-sql-injection-tw-yahoo-com/ |
| Multiple vulnerabilities in a WordPress plugin at drive.uber.com | https://hackerone.com/reports/135288 |
| GitHub Enterprise SQL Injection | http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html |
| https://github.com/Squnity/bug-bounty-reference#stealing-access-token |
| Facebook Access Token Stolen | https://whitton.io/articles/stealing-facebook-access-tokens-with-a-double-submit/ |
| Obtaining Login Tokens for an Outlook, Office or Azure Account | https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/ |
| Bypassing Digits web authentication's host validation with HPP | https://hackerone.com/reports/114169 |
| Bypass of redirect_uri validation with /../ in GitHub | http://homakov.blogspot.hk/2014/02/how-i-hacked-github-again.html?m=1 |
| Bypassing callback_url validation on Digits | https://hackerone.com/reports/108113 |
| Stealing livechat token and using it to chat as the user - user information disclosure | https://hackerone.com/reports/151058 |
| Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) | https://hackerone.com/reports/143717 |
| Internet Explorer has a URL problem, on GitHub | http://blog.innerht.ml/internet-explorer-has-a-url-problem/ |
| How I made LastPass give me all your passwords | https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ |
| Steal Google Oauth in Microsoft | http://blog.intothesymmetry.com/2015/06/on-oauth-token-hijacks-for-fun-and.html |
| Steal FB Access Token | http://blog.intothesymmetry.com/2014/04/oauth-2-how-i-have-hacked-facebook.html |
| Paypal Access Token Leaked | http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html?m=1 |
| Steal FB Access Token | http://homakov.blogspot.sg/2013/02/hacking-facebook-with-oauth2-and-chrome.html |
| Appengine Cool Bug | https://proximasec.blogspot.hk/2017/02/a-tale-about-appengines-authentication.html |
| Slack post message real life experience | https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token/ |
| Bypass redirect_uri | http://nbsriharsha.blogspot.in/2016/04/oauth-20-redirection-bypass-cheat-sheet.html |
| Stealing Facebook Messenger nonce worth 15k | https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/ |
| https://github.com/Squnity/bug-bounty-reference#google-oauth-bypass |
| Bypassing Google Authentication on Periscope's Administration Panel | https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/ |
| https://github.com/Squnity/bug-bounty-reference#csrf |
| Messenger.com CSRF that show you the steps when you check for CSRF | https://whitton.io/articles/messenger-site-wide-csrf/ |
| Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) | https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/ |
| Hacking PayPal Accounts with one click (Patched) | http://yasserali.com/hacking-paypal-accounts-with-one-click/ |
| Add tweet to collection CSRF | https://hackerone.com/reports/100820 |
| Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun | http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/ |
| How i Hacked your Beats account ? Apple Bug Bounty | https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/ |
| https://github.com/Squnity/bug-bounty-reference#remote-code-execution |
| JDWP Remote Code Execution in PayPal | https://www.vulnerability-lab.com/get_content.php?id=1474 |
| XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers | http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution |
| How I Hacked Facebook, and Found Someone's Backdoor Script | http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/ |
| How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! | http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html |
| uber.com may RCE by Flask Jinja2 Template Injection | https://hackerone.com/reports/125980 |
| Yahoo Bug Bounty - *.login.yahoo.com Remote Code Execution | http://blog.orange.tw/2013/11/yahoo-bug-bounty-part-2-loginyahoocom.html |
| How we broke PHP, hacked Pornhub and earned $20,000 | https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/ |
| RCE deal to tricky file upload | https://www.secgeek.net/bookfresh-vulnerability/ |
| WordPress SOME bug in plupload.flash.swf leading to RCE in Automatic | https://hackerone.com/reports/134738 |
| Read-Only user can execute arbitraty shell commands on AirOS | https://hackerone.com/reports/128750 |
| Remote Code Execution by impage upload! | https://hackerone.com/reports/158148 |
| Popping a shell on the Oculus developer portal | https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal |
| Crazy! PornHub RCE AGAIN!!! How I hacked Pornhub for fun and profit - 10,000$ | https://5haked.blogspot.sg/ |
| PayPal Node.js code injection (RCE) | http://artsploit.blogspot.hk/2016/08/pprce2.html |
| eBay PHP Parameter Injection lead to RCE | http://secalert.net/#ebay-rce-ccs |
| Yahoo Acqusition RCE | https://seanmelia.files.wordpress.com/2016/02/yahoo-remote-code-execution-cms1.pdf |
| Command Injection Vulnerability in Hostinger | http://elladodelnovato.blogspot.hk/2017/02/command-injection-vulnerability-in.html?spref=tw&m=1 |
| RCE in Airbnb by Ruby Injection | http://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/ |
| RCE in Imgur by Command Line | https://hackerone.com/reports/212696 |
| RCE in git.imgur.com by abusing out dated software | https://hackerone.com/reports/206227 |
| RCE in Disclosure | https://hackerone.com/reports/213558 |
| Remote Code Execution by struct2 Yahoo Server | https://medium.com/@th3g3nt3l/how-i-got-5500-from-yahoo-for-rce-92fffb7145e6 |
| Command Injection in Yahoo Acquisition | http://samcurry.net/how-i-couldve-taken-over-the-production-server-of-a-yahoo-acquisition-through-command-injection/ |
| Paypal RCE | http://blog.pentestbegins.com/2017/07/21/hacking-into-paypal-server-remote-code-execution-2017/ |
| $50k RCE in JetBrains IDE | http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/ |
| $20k RCE in Jenkin Instance | http://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/ |
| https://github.com/Squnity/bug-bounty-reference#deserialization |
| Java Deserialization in manager.paypal.com | http://artsploit.blogspot.hk/2016/01/paypal-rce.html |
| Instagram's Million Dollar Bug | http://www.exfiltrated.com/research-Instagram-RCE.php |
| (Ruby Cookie Deserialization RCE on facebooksearch.algolia.com | https://hackerone.com/reports/134321 |
| Java deserialization | https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/ |
| https://github.com/Squnity/bug-bounty-reference#image-tragick |
| Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition) | http://nahamsec.com/exploiting-imagemagick-on-yahoo/ |
| Exploting ImageMagick to get RCE on HackerOne | https://hackerone.com/reports/135072 |
| Trello bug bounty: Access server's files using ImageTragick | https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetragick/ |
| 40k fb rce | https://github.com/Squnity/bug-bounty-reference/blob/master/4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html |
| Yahoo Bleed 1 | https://scarybeastsecurity.blogspot.hk/2017/05/bleed-continues-18-byte-file-14k-bounty.html |
| Yahoo Bleed 2 | https://scarybeastsecurity.blogspot.hk/2017/05/bleed-more-powerful-dumping-yahoo.html |
| https://github.com/Squnity/bug-bounty-reference#insecure-direct-object-reference-idor |
| Trello bug bounty: The websocket receives data when a public company creates a team visible board | https://hethical.io/trello-bug-bounty-the-websocket-receives-data-when-a-public-company-creates-a-team-visible-board/ |
| Trello bug bounty: Payments informations are sent to the webhook when a team changes its visibility | https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-the-webhook-when-a-team-changes-its-visibility/ |
| Change any user's password in Uber | https://hackerone.com/reports/143717 |
| Vulnerability in Youtube allowed moving comments from any video to another | https://www.secgeek.net/youtube-vulnerability/ |
| Twitter Vulnerability Could
Credit Cards from Any Twitter Account | https://www.secgeek.net/twitter-vulnerability/ |
| One Vulnerability allowed deleting comments of any user in all Yahoo sites | https://www.secgeek.net/yahoo-comments-vulnerability/ |
| Microsoft-careers.com Remote Password Reset | http://yasserali.com/microsoft-careers-com-remote-password-reset/ |
| How I could change your eBay password | http://yasserali.com/how-i-could-change-your-ebay-password/ |
| Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication | https://duo.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication |
| Hacking Facebook.com/thanks Posting on behalf of your friends!
| http://www.anandpraka.sh/2014/11/hacking-facebookcomthanks-posting-on.html |
| How I got access to millions of [redacted] accounts | https://bitquark.co.uk/blog/2016/02/09/how_i_got_access_to_millions_of_redacted_accounts |
| All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description | https://hackerone.com/reports/137502 |
| Urgent: attacker can access every data source on Bime | https://hackerone.com/reports/149907 |
| Downloading password protected / restricted videos on Vimeo | https://hackerone.com/reports/145467 |
| Get organization info base on uuid in Uber | https://hackerone.com/reports/151465 |
| How I Exposed your Primary Facebook Email Address (Bug worth $4500) | http://roy-castillo.blogspot.hk/2013/07/how-i-exposed-your-primary-facebook.html |
| DOB disclosed using “Facebook Graph API Reverse Engineering” | https://medium.com/@rajsek/my-3rd-facebook-bounty-hat-trick-chennai-tcs-er-name-listed-in-facebook-hall-of-fame-47f57f2a4f71#.9gbtbv42q |
| Change the description of a video without publish_actions permission in Facebook | http://philippeharewood.com/change-the-description-of-a-video-without-publish_actions-permission/ |
| Response To Request Injection (RTRI) | https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZmUT09/ |
| Leak of all project names and all user names , even across applications on Harvest | https://hackerone.com/reports/152696 |
| Changing paymentProfileUuid when booking a trip allows free rides at Uber | https://hackerone.com/reports/162809 |
| View private tweet | https://hackerone.com/reports/174721 |
| Uber Enum UUID | http://www.rohk.xyz/uber-uuid/ |
| Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User | http://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-1-making-calls-on-behalf-of-any-user/ |
| Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions | http://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api-part-2-stealing-user-sessions/ |
| Delete FB Video | https://danmelamed.blogspot.hk/2017/01/facebook-vulnerability-delete-any-video.html |
| Delete FB Video | https://pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-from-facebook/ |
| Facebook Page Takeover by Manipulating the Parameter | http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/ |
| Viewing private Airbnb Messages | http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/ |
| IDOR tweet as any user | http://kedrisec.com/twitter-publish-by-any-user/ |
| Classic IDOR endpoints in Twitter | http://www.anandpraka.sh/2017/05/how-i-took-control-of-your-twitter.html |
| Mass Assignment, Response to Request Injection, Admin Escalation | https://seanmelia.wordpress.com/2017/06/01/privilege-escalation-in-a-django-application/ |
| https://github.com/Squnity/bug-bounty-reference#xxe |
| How we got read access on Google’s production servers | https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/ |
| Blind OOB XXE At UBER 26+ Domains Hacked | http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html |
| XXE through SAML | https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf |
| XXE in Uber to read local files | https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html |
| XXE by SVG in community.lithium.com | http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/ |
| https://github.com/Squnity/bug-bounty-reference#unrestricted-file-upload |
| File Upload XSS in image uploading of App in mopub | https://hackerone.com/reports/97672 |
| RCE deal to tricky file upload | https://www.secgeek.net/bookfresh-vulnerability/ |
| File Upload XSS in image uploading of App in mopub in Twitter | https://hackerone.com/reports/97672 |
| https://github.com/Squnity/bug-bounty-reference#server-side-request-forgery-ssrf |
| ESEA Server-Side Request Forgery and Querying AWS Meta Data | http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/ |
| SSRF to pivot internal network | https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf |
| SSRF to LFI | https://seanmelia.wordpress.com/2015/12/23/various-server-side-request-forgery-issues/ |
| SSRF to query google internal server | https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-dns-information/ |
| SSRF by using third party Open redirect | https://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/ |
| SSRF tips from BugBountyHQ of Images | https://twitter.com/BugBountyHQ/status/868242771617792000 |
| SSRF to RCE | http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html |
| XXE at Twitter | https://hackerone.com/reports/248668 |
| Blog post: Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface | http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html |
| https://github.com/Squnity/bug-bounty-reference#race-condition |
| Race conditions on Facebook, DigitalOcean and others (fixed) | http://josipfranjkovic.blogspot.hk/2015/04/race-conditions-on-facebook.html |
| Race Conditions in Popular reports feature in HackerOne | https://hackerone.com/reports/146845 |
| https://github.com/Squnity/bug-bounty-reference#business-logic-flaw |
| Facebook simple technical hack to see the timeline | http://ashishpadelkar.com/index.php/2015/09/23/facebook-simple-technical-bug-worth-7500/ |
| How I Could Steal Money from Instagram, Google and Microsoft | https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/ |
| How I could have removed all your Facebook notes | http://www.anandpraka.sh/2015/12/summary-this-blog-post-is-about.html |
| Facebook - bypass ads account's roles vulnerability 2015 | http://blog.darabi.me/2015/03/facebook-bypass-ads-account-roles.html |
| Uber Ride for Free | http://www.anandpraka.sh/2017/03/how-anyone-could-have-used-uber-to-ride.html |
| Uber Eat for Free | https://t.co/MCOM7j2dWX |
| https://github.com/Squnity/bug-bounty-reference#authentication-bypass |
| OneLogin authentication bypass on WordPress sites via XMLRPC in Uber | https://hackerone.com/reports/138869 |
| 2FA PayPal Bypass | https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass |
| SAML Bug in Github worth 15000 | http://www.economyofmechanism.com/github-saml.html |
| Authentication bypass on Airbnb via OAuth tokens theft | https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/ |
| Uber Login CSRF + Open Redirect -> Account Takeover at Uber | http://ngailong.com/uber-login-csrf-open-redirect-account-takeover/ |
| http://c0rni3sm.blogspot.hk/2017/08/accidentally-typo-to-bypass.html?m=1](Administrative | http://c0rni3sm.blogspot.hk/2017/08/accidentally-typo-to-bypass.html?m=1](Administrative |
| Uber Bug Bounty: Gaining Access To An Internal Chat System | http://blog.mish.re/index.php/2017/09/06/uber-bug-bounty-gaining-access-to-an-internal-chat-system/ |
| Flickr Oauth Misconfiguration | https://mishresec.wordpress.com/2017/10/12/yahoo-bug-bounty-exploiting-oauth-misconfiguration-to-takeover-flickr-accounts/ |
| Slack SAML authentication bypass | http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html |
| https://github.com/Squnity/bug-bounty-reference#http-header-injection |
| Twitter Overflow Trilogy in Twitter | https://blog.innerht.ml/overflow-trilogy/ |
| Twitter CRLF | https://blog.innerht.ml/twitter-crlf-injection/ |
| Adblock Plus and (a little) more in Google | https://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google |
| $10k host header | https://sites.google.com/site/testsitehacking/10k-host-header |
| https://github.com/Squnity/bug-bounty-reference#subdomain-takeover |
| Hijacking tons of Instapage expired users Domains & Subdomains | http://www.geekboy.ninja/blog/hijacking-tons-of-instapage-expired-users-domains-subdomains/ |
| Reading Emails in Uber Subdomains | https://hackerone.com/reports/156536 |
| Slack Bug Journey | http://secalert.net/slack-security-bug-bounty.html |
| Subdomain takeover and chain it to perform authentication bypass | https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/ |
| https://github.com/Squnity/bug-bounty-reference#author-write-up |
| Payment Flaw in Yahoo | http://ngailong.com/abusing-multistage-logic-flaw-to-buy-anything-for-free-at-hk-deals-yahoo-com/ |
| Bypassing Google Email Domain Check to Deliver Spam Email on Google’s Behalf | http://ngailong.com/bypassing-google-email-domain-check-to-deliver-spam-email-on-googles-behalf/ |
| When Server Side Request Forgery combine with Cross Site Scripting | http://ngailong.com/what-could-happen-when-server-side-request-forgery-combine-with-cross-site-scripting/ |
| https://github.com/Squnity/bug-bounty-reference#xssi |
| Plain Text Reading by XSSI | http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/ |
| JSON hijacking | http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html |
| OWASP XSSI | https://www.owasp.org/images/f/f3/Your_Script_in_My_Page_What_Could_Possibly_Go_Wrong_-_Sebastian_Lekies%2BBen_Stock.pdf |
| Japan Identifier based XSSI attacks | http://www.mbsd.jp/Whitepaper/xssi.pdf |
| JSON Hijack Slide | https://www.owasp.org/images/6/6a/OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf |
| https://github.com/Squnity/bug-bounty-reference#email-related |
| This domain is my domain - G Suite A record vulnerability | http://blog.pentestnepal.tech/post/156959105292/this-domain-is-my-domain-g-suite-a-record |
| I got emails - G Suite Vulnerability | http://blog.pentestnepal.tech/post/156707088037/i-got-emails-g-suite-vulnerability |
| How I snooped into your private Slack messages [Slack Bug bounty worth $2,500] | http://blog.pentestnepal.tech/post/150381068912/how-i-snooped-into-your-private-slack-messages |
| Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000] | http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty |
| Slack Yammer Takeover by using TicketTrick | https://medium.com/@intideceukelaire/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c |
| How I could have mass uploaded from every Flickr account! | https://ret2got.wordpress.com/2017/10/05/how-i-could-have-mass-uploaded-from-every-flickr-account/ |
| https://github.com/Squnity/bug-bounty-reference#money-stealing |
| Round error issue -> produce money for free in Bitcoin Site | https://hackerone.com/reports/176461 |
| https://github.com/Squnity/bug-bounty-reference#2017-local-file-inclusion |
| Disclosure Local File Inclusion by Symlink | https://hackerone.com/reports/213558 |
| Facebook Symlink Local File Inclusion | http://josipfranjkovic.blogspot.hk/2014/12/reading-local-files-from-facebooks.html |
| Gitlab Symlink Local File Inclusion | https://hackerone.com/reports/158330 |
| Gitlab Symlink Local File Inclusion Part II | https://hackerone.com/reports/178152 |
| Multiple Company LFI | http://panchocosil.blogspot.sg/2017/05/one-cloud-based-local-file-inclusion.html |
| LFI by video conversion, excited about this trick! | https://hackerone.com/reports/226756 |
| https://github.com/Squnity/bug-bounty-reference#miscellaneous |
| SAML Pen Test Good Paper | http://research.aurainfosec.io/bypassing-saml20-SSO/ |
| A list of FB writeup collected by phwd | https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640 |
| NoSQL Injection | http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html |
| CORS in action | http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/ |
| CORS in Fb messenger | http://www.cynet.com/blog-facebook-originull/ |
| Web App Methodologies | https://blog.zsec.uk/ltr101-method-to-madness/ |
| XXE Cheatsheet | https://www.silentrobots.com/blog/2015/12/14/xe-cheatsheet-update/ |
| The road to hell is paved with SAML Assertions, Microsoft Vulnerability | http://www.economyofmechanism.com/office365-authbypass.html#office365-authbypass |
| Study this if you like to learn Mongo SQL Injection | https://cirw.in/blog/hash-injection |
| Mongo DB Injection again | http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html |
| w3af speech about modern vulnerability | https://www.youtube.com/watch?v=GNU0_Uzyvl0 |
| Web cache attack that lead to account takeover | http://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html |
| A talk to teach you how to use SAML Raider | https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/somorovsky |
| XSS Checklist when you have no idea how to exploit the bug | http://d3adend.org/xss/ghettoBypass |
| CTF write up, Great for Bug Bounty | https://ctftime.org/writeups?tags=web200&hidden-tags=web%2cweb100%2cweb200 |
| It turns out every site uses jquery mobile with Open Redirect is vulnerable to XSS | http://sirdarckcat.blogspot.com/2017/02/unpatched-0day-jquery-mobile-xss.html |
| Bypass CSP by using google-analytics | https://hackerone.com/reports/199779 |
| Payment Issue with Paypal | https://hackerone.com/reports/219215 |
| Browser Exploitation in Chinese | http://paper.seebug.org/ |
| XSS bypass filter | https://t.co/0Kpzo52ycb |
| Markup Impropose Sanitization | https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md |
| Breaking XSS mitigations via Script Gadget | https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf |
| X41 Browser Security White Paper | https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf |
| Bug Bounty Cheatsheets | https://github.com/EdOverflow/bugbounty-cheatsheet |
| Messing with the Google Buganizer System for $15,600 in Bounties | https://medium.freecodecamp.org/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5 |
| https://github.com/djadmin/awesome-bug-bounty | https://github.com/djadmin/awesome-bug-bounty |
|
Readme
| https://github.com/Squnity/bug-bounty-reference#readme-ov-file |
| Please reload this page | https://github.com/Squnity/bug-bounty-reference |
|
Activity | https://github.com/Squnity/bug-bounty-reference/activity |
|
Custom properties | https://github.com/Squnity/bug-bounty-reference/custom-properties |
|
0
forks | https://github.com/Squnity/bug-bounty-reference/forks |
|
Report repository
| https://github.com/contact/report-content?content_url=https%3A%2F%2Fgithub.com%2FSqunity%2Fbug-bounty-reference&report=Squnity+%28user%29 |
| Releases | https://github.com/Squnity/bug-bounty-reference/releases |
| Packages
0 | https://github.com/orgs/Squnity/packages?repo_name=bug-bounty-reference |
| Please reload this page | https://github.com/Squnity/bug-bounty-reference |
| Contributors | https://github.com/Squnity/bug-bounty-reference/graphs/contributors |
| Please reload this page | https://github.com/Squnity/bug-bounty-reference |
|
| https://github.com |
| Terms | https://docs.github.com/site-policy/github-terms/github-terms-of-service |
| Privacy | https://docs.github.com/site-policy/privacy-policies/github-privacy-statement |
| Security | https://github.com/security |
| Status | https://www.githubstatus.com/ |
| Community | https://github.community/ |
| Docs | https://docs.github.com/ |
| Contact | https://support.github.com?tags=dotcom-footer |