HackerOne Reports

Search through disclosed security reports

10,350 reports found
Showing 1421 - 1440
__summary__ Hi OLX team, I found a web cache deception vulnerability in https://tradus.com. With this vulnerability an attacker can gain access to the name of the victim user, the user_id and other information. __Attack scenario__ 1) an attacker sends to the victim a link to the malicious page (like the …
f_m
***Summary*** Hi Team, An attacker can redirect victim on an external website using ``https://████/account/login`` endpoint because ``next`` parameter is not being validated properly. ***Affected URL*** `https://███/account/login/?next=///////////////////////////evil.com` ***Steps to Reproduce*** 1) Go https://████/account/login/?next=%2Fapp%2F . 2) Add this payload `////////////////////////////evil.com` to the `?next=` parameter . 3) Register an account in the normal way …
#Steps to reproduce * Start broadcast * Attacker needs to craft special HTML page * Get broadcast's steam id(it contains in URL: `https://steamcommunity.com/broadcast/watch/{STEAM ID}/` * If attacker wants to unban somebody, he needs to create HTML page like this: ``` <iframe style="display:none" name="csrf-frame"></iframe> <form action="https://steamcommunity.com/broadcast/ajaxupdateusermute/" method="POST" target="csrf-frame" id="csrf-form"> <input type="hidden" …
I would like to report prototype pollution in merge. It allows an attacker to inject properties on Object.prototype. # Module **module name:** merge **version:** 1.2.0 **npm page:** `https://www.npmjs.com/package/merge` ## Module Description Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works …
Hi, I would like to report an issue that leads to SQL injection in the search box at https://www.████/messagecenter/messagingcenter. If you add the character `'` that is usually used to test if the site has `sql injection`, the site will return an `Incorrect syntax` error that can confirm …
Hi, I made a talk earlier this month about Client-Side Race Conditions for postMessage on AppSecEU: https://speakerdeck.com/fransrosen/owasp-appseceu-2018-attacking-modern-web-technologies In this talk I mention some fun ways to race postMessages from a malicious origin before the legit source sends it. ### Background As you remember from #207042 you use Marketo for your …
I would like to report prototype pollution in extend. It allows an attacker to inject properties on Object.prototype. # Module **module name:** extend **version:** 3.0.1 **npm page:** `https://www.npmjs.com/package/extend` ## Module Description `node-extend` is a port of the classic extend() method from jQuery. It behaves as you expect. It is simple, …
Bypassing the reports #61312 and #356765 **Tutorial:** **Go to api.slack.com and create an application with your own slash command.** {F320014} **Enter your own domain:** *in your own domain: index.php* `<?php header("location: http://[::]:22/"); ?> ` location: http://[::]:22/ {F320019} And save. Go to your Slack and type /youslash Try with my server …
Hi, I think I found a SQL in https://██████████/ POST /requestaccount.php? HTTP/1.1 Host: █████ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://█████████/requestaccount.php? Content-Type: application/x-www-form-urlencoded Content-Length: 98 Cookie: _ga=GA1.2.797825707.1531527624; PHPSESSID=h46aobnksi6rqe0dki7b34thn10qqf7j; TS0136a92d=0141bba1871c30b60b2555c9145e093817841b5f20a39085c1ff77e556280571aa32dcc2ebf57d0d397334f8207e32f1153478dbc7; Hm_lvt_dde6ba2851f3db0ddc415ce0f895822e=1531606739; Hm_lpvt_dde6ba2851f3db0ddc415ce0f895822e=1531623251 Connection: close Upgrade-Insecure-Requests: 1 fname=&lname=&uname=&email=&phone=&dsn=&cmdName=&title=&rank=&rate=Not+specified&message=&curID=-1 SQL …
Hi, I found HTML Injection on imgur.com Description: I couldn't get XSS but I was able to include videos on my profile and also I was able to redirect users to malicious websites POC (HTML injection): go to https://12test.imgur.com (you don't need to login) and you will see external videos …
By sending a request for a share without a README.md, the whole file path will be returned to the user: ``` PUT /apps/text/public/session/create?token=EHTs4P7kATowiMg HTTP/1.1 Host: cloud.nextcloud.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 Content-Length: 93 …
Hi, I detected a Stored XSS in wis.pr. These are the steps to reproduce the bug: 1. Create a new group named: Test>"<script>alert('test');</script> 2. Copy the sharing URL (http://wis.pr/*****). 3. Open this URL in a browser. Please find the attached screenshots. Fix: Sanitize the output in twitter:description meta. Please find …
Hello, The mentioned module is vulnerable to SQL injection due to the fact that a query can be done in a GET request, with the query Base64 encoded and supplied as the value of the parameter "thequery". This allows an attacker to perform arbitrary SQL queries if they trick …
Hello, When an administrator attempts to set an avatar from an external link, the parser just takes the source of whatever link they point it to and creates a file with the same extension and content in the uploads folder. ##Steps to reproduce: 1- Visit http://[HOST]/admin.php?/cp/members/profile/settings and scroll to the …
Dear James, I've found a reflected XSS in NanoStation Loco M2. Just open this link and the XSS will execute. http://172.98.67.89:22057/survey.cgi?iface=%22%3E%3Cimg%20src=x%20onerror=prompt(document.cookie)%3E {F103333} Best Regards, Shubham
There is a reflected XSS vulnerability in https://m.imgur.com as shown below: https://m.imgur.com/account/testcatplzignore%22%3E%3Cimg%20src=x%20onerror=prompt(document.domain)%3E/messages It appears that the username field in the url does not sanitize angle bracket characters on the mobile version of the site, allowing an attacker to execute arbitrary Javascript on the m.imgur.com domain. I have attached several screenshots …
Hi All, I believe I've found a vulnerability with regards to your user authentication and 2FA implementation but wasn't sure you'd be interested given the reference to "rate limiting" being out of scope so please bear with me. I also took a quick look at https://gitlab.com/gitlab-org/gitlab-ce/issues?utf8=%E2%9C%93&issue_search=two+factor and noticed there is …