Features Abuse

Methodology for testing features and pages that are very common across applications.

Top Business Logic reports from HackerOne:

  1. Ethereum account balance manipulation to Coinbase - 251 upvotes, $10000

  2. Unserialize leading to arbitrary PHP function invoke to Rockstar Games - 113 upvotes, $5000

  3. SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850

  4. SSRF in the application's image export functionality to Visma Public - 42 upvotes, $250

  5. Self-XSS in password reset functionality to Shopify - 29 upvotes, $500

  6. Multiple File Manipulation bugs in WP Super Cache to Automattic - 15 upvotes, $150

  7. CSV-injection in export functionality to Passit - 12 upvotes, $0

  8. Logic issue in email change process to Legal Robot - 10 upvotes, $70

  9. No Rate limit on Password Reset Function to Infogram - 9 upvotes, $0

  10. Logic issue in email change process to Legal Robot - 8 upvotes, $60

  11. Change password logic inversion to Legal Robot - 8 upvotes, $20

  12. memory corruption in wordwrap function to Internet Bug Bounty - 7 upvotes, $500

  13. Reputation Manipulation (Theoretical) to HackerOne - 7 upvotes, $0

  14. Remote Code Execution in the Import Channel function to ExpressionEngine - 7 upvotes, $0

  15. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $60

  16. Issue with password reset functionality [Minor] to Paragon Initiative Enterprises - 5 upvotes, $0

  17. Locked_Transfer functional burning to Monero - 5 upvotes, $0

  18. HTTP Host injection in redirect_to function to Ruby on Rails - 5 upvotes, $0

  19. Invalid parameter in memcpy function through openssl_pbkdf2 to Internet Bug Bounty - 4 upvotes, $500
