No rate limit and no input limit on a password reset page chained into a Denial of Service attack on a US Dept of Defense website
This blog is the write-up on how I was able to perform a Stored XSS vulnerability on one of the subdomains of Microsoft. Well, I got my second bounty within a relatively short span of time. The issue was reproduced with ease and had an impact on the user's privacy.
From Self-XSS to Persistent XSS on Login Portal, Account Take Over without user Interaction
XSS to Database Credential Leakage & Database Access — Story of total luck!
How I found massive information disclosure of 1500 famous people
Client side validation strikes again: PIN code bypass!
InstaBrute: Two Ways to Brute-force Instagram Account Credentials
Microsoft Yammer Clickjacking – Exploiting HTML5 Security Features
The feature works as intended, but what's in the source?
One Misconfig (JIRA) to Leak Them All - Including NASA and Hundreds of Fortune 500 Companies!
YQL, Yahoo! IDOR – Execute JavaScript into anyone's account
Stored XSS to Full Information disclosure
Luminate Internal Privilege Escalation — Admin to Owner
All About Hackerone Private Program Terapeak
This domain is my domain — G Suite A record vulnerability
Exploiting a Single Request for Multiple Vulnerabilities
Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss)
[Stored XSS] with arbitrary cookie installation
URL Whitelist Bypass - Accounts Google (accounts.google.com) - VRP
How I hacked hundreds of companies through their helpdesk
How I stumbled upon a Stored XSS (My first bug bounty story)
SQL injection for $50 bounty, but still worth reading!!
Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS
I hope everyone is doing good; it's been a while since I shared any write-up of my findings.
Using Brute-Force technique
Subdomain Takeover in Azure: making a PoC
Just another tale of severe bugs on a private program
Facebook Vulnerability: Unremovable Co-Host in Facebook group events
Cross-site scripting: The power of the hidden parameters
Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution
How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)
Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat
Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities
CVE-2019-17004 — Semi Universal XSS affecting Firefox for iOS
Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study
Executing scripts in Safari Reader Mode to CSP Bypass
Exploiting magic links, critical bugs are one line away
1st Bug Bounty Write-Up — Open Redirect Vulnerability on Login Page
Getting lucky in bug bounty — shamelessly profiting off of others' work
Account Takeover Flow In Mail.ru's Ext.A Domain [$150]
Exploitation of the CVE-2018-15961 – Unrestricted File Upload in Adobe ColdFusion
XSS WAF & Character limitation bypass like a boss
Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image)
EN | Administrator level Privilege Escalation story
Reflected XSS on microsoft.com subdomains
Hacking — Always Check the Cross-domain Policy
XXE-scape through the front door: circumventing the firewall with HTTP request smuggling
RCE via Spring Engine SSTI, by tghawkins
"F**k you Thomas" - ToyTalk bug bounty writeup
Content Injection in DuoLingo's TinyCards App for Android [CVE-2017-16905]
Abusing internal API to achieve IDOR in New Relic
Jumping to the hell with 10 attempts to bypass devil's WAF
Microsoft SharePoint's ‘Follow’ Feature XSS (CVE-2017-8514) - Adesh Kolte
Account Takeover Due to Misconfigured Login with Facebook/Google
Unrestricted File Upload to RCE | Bug Bounty POC
Don't Trust the Host Header for Sending Password Reset Emails
How I was able to takeover Facebook account
How I Was Able To See The Bounty Balance Of Any Bug Bounty Program In HackerOne
My First Bug Bounty From Bug Bounty Platform redstorm.io
Dropbox Escalation of Privileges to SYSTEM on Windows
Res-block: Extension Resources Block Attack on Chrome's Incognito Mode
How I Accidentally Got My First Bounty From Facebook
Business logic vulnerabilities — Low-level logic flaw
SQL Injection & Remote Code Execution - Double P1
How I hacked redbus [An online bus-ticketing application]
How I Hacked Facebook Again!
Responsible disclosure: improper access control in Gitlab private project
This post is published by Mubassir Kamdar as a contributor on Bug Bounty POC. Note that the post is written by Mubassir Kamdar, and any mistake in writing will be entertained only from...
How to get AWS keys again, Yeah!
I started to test Google for vulnerabilities in the hope of earning some bounties and to register my name in their Google Bughunter Hall of Fame Security Researchers list!
How I was able to verify any contact number for my account?
Researching Polymorphic Images for XSS on Google Scholar
[Bug Bounty Writeups] Exploiting SQL Injection Vulnerability
Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin
Indirect UXSS issue on a private Android target app
Recon to Sensitive Information Disclosure in Minutes
Private giant chat app – Send message to victim while sender blocked
Piercing the Veal: Short Stories to Read with Friends
Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams
From Recon to P1 (Critical) — An Easy Win
Misconfigured WordPress takeover to Remote Code Execution
Exploiting a Race Condition Vulnerability
Denial of Service - Billion Laughs Attack (XXE)
Google Ads Self-XSS & Html Injection $5000
How I exploit the JSON CSRF with method override technique
Google Bug Bounty: Clickjacking on Google Payment (1337$)
Exploiting an SSRF: Trials and Tribulations
ManageEngine ServiceDesk Plus: Arbitrary File Upload
SQL Injection Via Stopping the redirection to a login page
A mysterious bug in the firmware of Google's Titan M chip (CVE-2019-9465)
Account Hijack using Authorization bypass
Page Admin Disclosure via an Upgraded Page Post
My very first bug: a dreaded dupe and then an IDOR jackpot!
GoogleMeetRoulette: Joining random meetings
Make sure we introduce each other.
#BugBounty — How I could book cab using your wallet money in India's largest auto transportation company!
Exploiting File Uploads Pt.
no! Bug Bounty Awarded.
If you ignore him you will lose many…
Address bar spoofing in Firefox Lite for Android …and the idiocy that followed
How Did Tons of People Like Me on Tinder?
How I Hacked into a bugcrowd
Guesthouse (Recon Wins)
Taking over every Ad on OLX (automated), an IDOR story
Sensitive data exposure by requesting a resource with a different content type
How I hacked all the [REDACT] Agents accounts
Reading Internal Files using SSRF vulnerability
How I was Able to see someone's all private files with a single file share link through Atom feed
Never Give Up #togetherwehitharder HackerOne
Leaking Amazon.com CSRF Tokens Using Service Worker API
Android app using 65530 characters of ZERO WIDTH NO-BREAK SPACE
Jenkins instance to Command Execution. Secure your Jenkins instance
Practo's 404 page REWARDED!
Bug Bounty - Finding the hidden parameters
Memory disclosure (Hackerone)
Because XSS is for fun…!
The Fuzz… The bug… the action – a Facebook Pages Admins disclosure Vulnerability
Simple Login Brute Force protection and why that solution is not…
Adminer Script Results to Pwning Server?
Private bug Bounty Story
[Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to persistent XSS
Finding hidden gems vol…
Worth $4,913 | my Highest Bounty ever!
Application Tokens via Instagram Clickjacking Vulnerability
For a technology company, having a bug bounty program is among the most important steps in addressing potential issues. Facebook launched its own in 2018 and has kept developing it since.
I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration
Source code disclosure in ads API
1000$ with just 10 Minutes of bug Bounty
Stored XSS Vulnerability in Jotform
[Leak] can I take the user information, please?!
Exploiting popular macOS apps with a single ".terminal" file
CSRF bypass to SSRF to Local file Read
$500 from Google by changing one character
Approaching the 10th Anniversary of Our bug Bounty program
Bug capable of erasing all your important notifications
LFI to RCE
Should you be concerned about LastPass uploading your passwords to its Server?
A Surprising XSS Vulnerability on Oracle NetSuite
Self Stored XSS Vulnerability
A very useful technique to bypass firewall
An interesting Google Vulnerability that got me 3133.7 reward
HTML injection via email confirmation
Help to new bug hunters and Researchers
A Race Condition bug in a company worth 1B$
Misconfiguration in techprep.fb.com REST API allowed me to modify any user profile
(three) logic bugs ftw
Bypassing Firebase Authorization to create Custom goo.gl subdomains
Hacked a website integrated w/ Facebook having 1.1 mil…
I am able to takeover 10 subdomains in a program on Hackerone
Account takeover using IDOR and the misleading case of error 403
SQL injection in an update query - a Star Wars RCE Adventure
Full account takeover Explained Automated/Manual — bug Bounty
I am Binit Ghimire, a computer student and an administrator at the Ask Buddie community.
We took a few photos from his phone, which he sent me via Messenger. My friend asked me for the pictures of our trip. I was staggered and embarrassed when all the photos from that message were forwarded to my…
Self XSS leads to leak user personal Info
Turn self XSS into a persistent attack
Chaining multiple low-level vulns into a persistent attack
Privilege Escalation bug in a Hackerone private program
An unreproducible bug
Spy on conversations
Execute any API Request
Get user balances and transaction details
Pending or completed orders
Subdomain takeover due to misconfigured project settings for Custom domain
Recon, you'll find more bugs
$55,000 Facebook token leak vs Funny Airline token leak
Google Cloud and Artifactory from GitHub dotfile repos
Phishing campaign with Starbucks email servers
Story of Blind SSRF leads to…
Password Requirement bypass
Facebook users who pay for leads ads
Can provide good $$$ Bounty
Don't underestimate the Errors
Stay safe and please take care of your loved ones!