HackerOne Reports
## Summary:
Hello security team, I have found that a PayPal client_id, a Stripe API key and a Sentry DSN are indexed in the Web Archive.
## Steps To Reproduce:
Go to https://web.archive.org/cdx/search/cdx?url=subscriptions.firefox.com/*&collapse=urlkey&output=text&fl=original and search for clientId; you will find this:
```
https://subscriptions.firefox.com/%7B%22env%22%3A%22production%22%2C%22googleAnalytics%22%3A%7B%22enabled%22%3Atrue%2C%22measurementId%22%3A%22G-9N75BKQ2SE%22%2C%22supportedProductIds%22%3A%22prod_MIex7Q079igFZJ%2Cprod_KGizMiBqUJdYoY%2Cprod_FvnsFHIfezy3ZI%2Cprod_LKvr8fYGbBxcaZ%2Cprod_OiV9RSaatywSRy%22%2C%22debugMode%22%3Afalse%7D%2C%22legalDocLinks%22%3A%7B%22privacyNotice%22%3A%22https%3A%2F%2Fwww.mozilla.org%2Fprivacy%2Ffirefox-private-network%22%2C%22termsOfService%22%3A%22https%3A%2F%2Fwww.mozilla.org%2Fabout%2Flegal%2Fterms%2Ffirefox-private-network%22%7D%2C%22productRedirectURLs%22%3A%7B%22prod_FvnsFHIfezy3ZI%22%3A%22https%3A%2F%2Fwww.mozilla.org%2Fproducts%2Fvpn%2Fdownload%2F%22%7D%2C%22sentry%22%3A%7B%22dsn%22%3A%22https%3A%2F%2Fbd67bbdfad9b46a7a2f0faf4aa02c122%40o1069899.ingest.sentry.io%2F6231072%22%2C%22env%22%3A%22prod%22%2C%22sampleRate%22%3A1%2C%22serverName%22%3A%22fxa-payments-broker%22%2C%22clientName%22%3A%22fxa-payments-client%22%7D%2C%22servers%22%3A%7B%22auth%22%3A%7B%22url%22%3A%22https%3A%2F%2Fapi.accounts.firefox.com%22%7D%2C%22content%22%3A%7B%22url%22%3A%22https%3A%2F%2Faccounts.firefox.com%22%7D%2C%22oauth%22%3A%7B%22url%22%3A%22https%3A%2F%2Foauth.accounts.firefox.com%22%2C%22clientId%22%3A%2259cceb6f8c32317c%22%7D%2C%22profile%22%3A%7B%22url%22%3A%22https%3A%2F%2Fprofile.accounts.firefox.com%22%7D%7D%2C%22paypal%22%3A%7B%22apiUrl%22%3A%22https%3A%2F%2Fwww.paypal.com%22%2C%22clientId%22%3A%22Adb5V3A0jC394H-2nZL9JRBzcre0bNjxm_tqzezZDTTSheL4ANKqvG79uyDw1lwtxuXbDPK7Kdp6pMbr%22%2C%22scriptUrl%22%3A%22https%3A%2F%2Fwww.paypal.com%22%7D%2C%22stripe%22%3A%7B%22apiKey%22%3A%22pk_live_HgtiWdwlc5Uq8ZRsPAXIAyRY00CA51o613%22%7D%2C%22version%22%3A%221.275.3%22%7D
```
I decoded it and then used https://beautifier.io/ to make it look …
Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions …
## Summary
Reflected XSS on `█████`.
## Description
The page `█████` has a reflected parameter `██████████`. The parameter is used in a JavaScript function. For example, for requesting `http://█████████/?█████████=chron0x` the JavaScript is as follows:
```javascript
[...]
<script>
//alert('boo');
function clickit(){
  var █████████ = 'chron0x';
  if (██████████!==''){
    //alert(████████);
    $('#'+████████).click();
    //alert(████);
  }
…
## CTF Summary This was my first H1 CTF and I was excited to work with several others to collaborate on the CTF and find the flag. I'll write up the solution process and vulnerabilities involved in the solution: * Knowledge (basic) of S3 operations * XML External Entities and …
pmnh
## Steps:
1. Visit the link https://www.██████/██████████ and enter the valid ████████.
2. You will be redirected to the page where it will ask you to fill in your ████████ and ████████ that you got in your mail.
3. Enter the wrong ███ and intercept the request.
4. Then brute-force the ███. (You can …
The input to the "█████" BBCode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element. Quotes (") are removed, so there's no way to break out of the CSS style attribute. However, it is possible to arbitrarily dress the resulting span …
## Background
The Air Force's ███ application is exposing members' personal information to other users with access to the application. We've identified two specific issues, but there may be other similar problems in the same vein as the ones described here. The underlying problem appears to be that users are not …
Hi, when I submitted a report to a program that requires `2FA` ON, I noticed that if you try to disable this option it will ask for `backup code - password`, and if you enter a random password in the request field and a correct `backup code` it will be …
## Summary: When using the `--referer ';auto'` feature the current URL is copied as-is to the referrer header of the subsequent request. The recommendation [1] is to strip these (along with the URL fragment). I can imagine this may, in rare cases, result in unwanted/unexpected disclosure of credentials (e.g. them …
vsz
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permission-model-bypass-by-specifying-a-path-traversal-sequence-in-a-buffer-highcve-2023-32004 https://hackerone.com/reports/2038134 Also, a patch was provided in the report and matched https://github.com/nodejs/node/commit/1f64147eb607f82060e08884f993597774c69280 (excluding tests).
## Impact
See reports.
https://hackerone.com/reports/2037887 https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003 Patch was provided.
## Impact
See reports.