Top Paid Reports
Bug Bounty Reference
A list of bug bounty write-ups categorized by the nature of the bug, inspired by https://github.com/djadmin/awesome-bug-bounty
Introduction
I have been reading bug bounty write-ups for a few months, and I found it extremely useful to read a relevant write-up whenever I found a certain type of vulnerability that I had no idea how to exploit. Say you found an RPO (Relative Path Overwrite) in a website but have no idea how to exploit it; the perfect place to go would be here. Or you found that your customer is using an OAuth mechanism but have no idea how to test it; the other perfect place to go would be here.
My intention is to make a full and complete list of publicly disclosed bug bounty write-ups for common vulnerabilities, so that bug bounty hunters can use this page as a reference when they want to gain some insight into a particular kind of vulnerability during bug hunting. Feel free to submit a pull request. Okay, enough chit-chat, let's get started.
XSSI
Cross-Site Scripting (XSS)
Brute Force
SQL Injection (SQLi)
XML External Entity Attack (XXE)
Remote Code Execution (RCE)
Deserialization
Image Tragick
Cross-Site Request Forgery (CSRF)
Insecure Direct Object Reference (IDOR)
Stealing Access Token
Google Oauth Login Bypass
Server Side Request Forgery (SSRF)
Unrestricted File Upload
Race Condition
Business Logic Flaw
Authentication Bypass
HTTP Header Injection
Email Related
Money Stealing
Miscellaneous
Cross-Site Scripting (XSS)
Sleeping stored Google XSS Awakens a $5000 Bounty by Patrik Fehrenbach
RPO that lead to information leakage in Google by filedescriptor
God-like XSS, Log-in, Log-out, Log-in in Uber by Jack Whitton
An XSS on Facebook via PNGs & Wonky Content Types by Jack Whitton
He was able to get stored XSS on the main Facebook domain starting from an unrelated domain.
Stored XSS in *.ebay.com by Jack Whitton
Complicated, Best Report of Google XSS by Ramzes
Command Injection in Google Console by Venkat S
Facebook's Moves - OAuth XSS by PAULOS YIBELO
Stored XSS in Google Docs (Bug Bounty) by Harry M Gertos
Stored XSS on developer.uber.com via admin account compromise in Uber by James Kettle (albinowax)
Yahoo Mail stored XSS by Klikki Oy
Abusing XSS Filter: One ^ leads to XSS (CVE-2016-3212) by Masato Kinugawa
Youtube XSS by fransrosen
Best Google XSS again by Krzysztof Kotowicz
IE & Edge URL parsing problem by Detectify
Flash XSS mega nz by frans
xss in Yahoo Mail Again, worth $10000 by Klikki Oy
Sleeping XSS in Google by securityguard
Decoding a .htpasswd to earn a payload of money by securityguard
How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin Moulinier
XSS in Uber via Cookie by zhchbin
XSS in TinyMCE 2.4.0 by Jelmer de Hen
Twitter XSS by stopping redirection and javascript scheme by Sergey Bobrov
Brute Force
How I Could Compromise 4% (Locked) Instagram Accounts by Arne Swinnen
Brute-Forcing invite codes in partners.uber.com by Efkan Gökbaş (mefkan)
SQL Injection
SQL Injection on sctrack.email.uber.com.cn by Orange Tsai
Yahoo – Root Access SQL Injection – tw.yahoo.com by Brett Buerhaus
Multiple vulnerabilities in a WordPress plugin at drive.uber.com by Abood Nour (syndr0me)
GitHub Enterprise SQL Injection by Orange
Yahoo SQL Injection to Remote Code Execution to Root Privilege by Ebrahim Hegazy
Stealing Access Token
Facebook Access Token Stolen by Jack Whitton
Obtaining Login Tokens for an Outlook, Office or Azure Account by Jack Whitton
Bypassing Digits web authentication's host validation with HPP by filedescriptor
Bypass of redirect_uri validation with /../ in GitHub by Egor Homakov
Bypassing callback_url validation on Digits by filedescriptor
Stealing livechat token and using it to chat as the user - user information disclosure by Mahmoud G. (zombiehelp54)
Internet Explorer has a URL problem, on GitHub by filedescriptor
How I made LastPass give me all your passwords by labsdetectify
Bypass redirect_uri by nbsriharsha
Google oauth bypass
CSRF
Hacking PayPal Accounts with one click (Patched) by Yasser Ali
Add tweet to collection CSRF by vijay kumar
How I Hacked your Beats account? Apple Bug Bounty by @aaditya_purani
FORM POST JSON: JSON CSRF on POST Heartbeats API by Dr.Jones
Remote Code Execution
JDWP Remote Code Execution in PayPal by Milan A Solanki
How I Hacked Facebook, and Found Someone's Backdoor Script by Orange Tsai
uber.com may RCE by Flask Jinja2 Template Injection by Orange Tsai
Yahoo Bug Bounty - *.login.yahoo.com Remote Code Execution by Orange Tsai (Sorry, it's in Chinese only)
How we broke PHP, hacked Pornhub and earned $20,000 by Ruslan Habalov
Alert: god-like write-up, make sure you know what ROP is before clicking, which I don't =(
RCE deal to tricky file upload by secgeek
WordPress SOME bug in plupload.flash.swf leading to RCE in Automattic by Cure53 (cure53)
Read-Only user can execute arbitrary shell commands on AirOS by 93c08539 (93c08539)
Remote Code Execution by image upload! by Raz0r (ru_raz0r)
Popping a shell on the Oculus developer portal by Bitquark
PayPal Node.js code injection (RCE) by Michael Stepankin
Command Injection Vulnerability in Hostinger by @alberto__segura
RCE in Airbnb by Ruby Injection by buerRCE
RCE in git.imgur.com by abusing out dated software by Orange Tsai
Telekom.de Remote Command Execution! by Ebrahim Hegazy
Magento Remote Code Execution Vulnerability! by Ebrahim Hegazy
Yahoo! Remote Command Execution Vulnerability by Ebrahim Hegazy
Deserialization
Java Deserialization in manager.paypal.com by Michael Stepankin
Instagram's Million Dollar Bug by Wesley Wineberg
Ruby Cookie Deserialization RCE on facebooksearch.algolia.com by Michiel Prins (michiel)
Java deserialization by meals
Image Tragick
Exploiting ImageMagick to get RCE on HackerOne by c666a323be94d57
Trello bug bounty: Access server's files using ImageTragick by Florian Courtial
40k Facebook RCE
Insecure Direct Object Reference (IDOR)
Change any user's password in Uber by mongo
Vulnerability in Youtube allowed moving comments from any video to another by secgeek
It's a Google vulnerability, so it's worth reading, as Google vulnerabilities are generally harder to find.
Microsoft-careers.com Remote Password Reset by Yaaser Ali
How I could change your eBay password by Yaaser Ali
All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description by Enguerran Gillier (opnsec)
Urgent: attacker can access every data source on Bime by Jobert Abma (jobert)
Downloading password protected / restricted videos on Vimeo by Gazza (gazza)
Get organization info based on uuid in Uber by Severus (severus)
DOB disclosed using "Facebook Graph API Reverse Engineering" by Raja Sekar Durairaj
Response To Request Injection (RTRI) by ? (author unknown). To be honest, thanks to this article I have found quite a few bugs by using this method; respect to the author!
Leak of all project names and all user names , even across applications on Harvest by Edgar Boda-Majer (eboda)
Changing paymentProfileUuid when booking a trip allows free rides at Uber by Matthew Temmy (temmyscript)
Hacking Facebook's Legacy API, Part 1: Making Calls on Behalf of Any User by Stephen Sclafani
Hacking Facebook's Legacy API, Part 2: Stealing User Sessions by Stephen Sclafani
IDOR tweet as any user by kedrisec
XXE
Blind OOB XXE At UBER 26+ Domains Hacked by Raghav Bisht
Unrestricted File Upload
File Upload XSS in image uploading of App in mopub by vijay kumar
RCE deal to tricky file upload by secgeek
File Upload XSS in image uploading of App in mopub in Twitter by vijay kumar (vijay_kumar1110)
Server Side Request Forgery (SSRF)
ESEA Server-Side Request Forgery and Querying AWS Meta Data by Brett Buerhaus
SSRF by using third party Open redirect by Brett Buerhaus
Race Condition
Race conditions on Facebook, DigitalOcean and others (fixed) by Josip Franjković
Race Conditions in Popular reports feature in HackerOne by Fábio Pires (shmoo)
Hacking Starbucks for unlimited money by Egor Homakov
Business Logic Flaw
How I Could Steal Money from Instagram, Google and Microsoft by Arne Swinnen
Facebook - bypass ads account's roles vulnerability 2015 by POUYA DARABI
Authentication Bypass
OneLogin authentication bypass on WordPress sites via XMLRPC in Uber by Jouko Pynnönen (jouko)
2FA PayPal Bypass by henryhoggard
Administrative Panel Access by c0rni3sm
Flickr Oauth Misconfiguration by mishre
Slack SAML authentication bypass by Antonio Sanso
HTTP Header Injection
Twitter Overflow Trilogy in Twitter by filedescriptor
Twitter CRLF by filedescriptor
$10k host header by Ezequiel Pereira
Subdomain Takeover
Slack Bug Journey by David Vieira-Kurz
Subdomain takeover and chain it to perform authentication bypass by Arne Swinnen
Hacker.One Subdomain Takeover by geekboy
XSSI
Email Related
Slack Yammer Takeover by using TicketTrick by Inti De Ceukelaire
Money Stealing
2017 Local File Inclusion
Miscellaneous
NoSQL Injection by websecurify
MongoDB Injection again by websecurify
Bug Bounty Cheatsheets By EdOverflow