# Features Abuse

## Top Business Logic reports from HackerOne:

1. [Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests](https://hackerone.com/reports/689314) to GitLab - 438 upvotes, $12000
2. [Account takeover through the combination of cookie manipulation and XSS](https://hackerone.com/reports/534450) to Grammarly - 253 upvotes, $2000
3. [Ethereum account balance manipulation](https://hackerone.com/reports/300748) to Coinbase - 251 upvotes, $10000
4. [SSRF leaking internal google cloud data through upload function \[SSH Keys, etc..\]](https://hackerone.com/reports/549882) to Vimeo - 248 upvotes, $5000
5. [Account Takeover via Email ID Change and Forgot Password Functionality](https://hackerone.com/reports/1089467) to New Relic - 210 upvotes, $2048
6. [Abusing "Report as abuse" functionality to delete any user's post.](https://hackerone.com/reports/411075) to Vanilla - 159 upvotes, $300
7. [OLO Total price manipulation using negative quantities](https://hackerone.com/reports/364843) to Upserve - 144 upvotes, $3500
8. [Unserialize leading to arbitrary PHP function invoke](https://hackerone.com/reports/210741) to Rockstar Games - 113 upvotes, $5000
9. [HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function](https://hackerone.com/reports/1478633) to Cloudflare Public Bug Bounty - 105 upvotes, $6000
10. [Null pointer dereference in SMTP server function smtp\_string\_parse](https://hackerone.com/reports/827729) to Open-Xchange - 105 upvotes, $1500
11. [XXE in Site Audit function exposing file and directory contents](https://hackerone.com/reports/312543) to Semrush - 99 upvotes, $2000
12. [Claiming the listing of a non-delivery restaurant through OTP manipulation](https://hackerone.com/reports/1330529) to Zomato - 85 upvotes, $3250
13. [Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)](https://hackerone.com/reports/637194) to Shopify - 73 upvotes, $500
14. [Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE](https://hackerone.com/reports/520717) to Lob - 68 upvotes, $1500
15. [Parameter Manipulation allowed for viewing of other user’s teavana.com orders](https://hackerone.com/reports/141090) to Starbucks - 66 upvotes, $6000
16. [Authorization Token on PlayStation Network Leaks via postMessage function](https://hackerone.com/reports/826394) to PlayStation - 64 upvotes, $1000
17. [Manipulating response leads to free access to Streamlabs Prime](https://hackerone.com/reports/1070510) to Logitech - 60 upvotes, $200
18. [\[api.tumblr.com\] Denial of Service by cookies manipulation](https://hackerone.com/reports/1005421) to Automattic - 51 upvotes, $200
19. [SSRF in VCARD photo upload functionality](https://hackerone.com/reports/296045) to Open-Xchange - 49 upvotes, $850
20. [Captcha bypass for the most important function - At en.instagram-brand.com](https://hackerone.com/reports/206653) to Automattic - 48 upvotes, $150
21. [\[intensedebate.com\] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled](https://hackerone.com/reports/1051734) to Automattic - 43 upvotes, $200
22. [SSRF in the application's image export functionality](https://hackerone.com/reports/816848) to Visma Public - 42 upvotes, $250
23. [Able to steal private files by manipulating response using Compose Email function of Lark](https://hackerone.com/reports/1373784) to Lark Technologies - 41 upvotes, $2000
24. [Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application](https://hackerone.com/reports/993722) to PlayStation - 39 upvotes, $1000
25. [Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions.](https://hackerone.com/reports/141120) to Starbucks - 33 upvotes, $4000
26. [Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce](https://hackerone.com/reports/404323) to WordPress - 33 upvotes, $900
27. [SSRF in Functional Administrative Support Tool pdf generator (████) \[HtUS\]](https://hackerone.com/reports/1628209) to U.S. Dept Of Defense - 32 upvotes, $4000
28. [Able to steal private files by manipulating response using Auto Reply function of Lark](https://hackerone.com/reports/1387320) to Lark Technologies - 31 upvotes, $2000
29. [Business Logic Flaw in the subscription of the app](https://hackerone.com/reports/1505189) to Kraden - 31 upvotes, $250
30. [Price manipulation via fraction values (Parameter Tampering)](https://hackerone.com/reports/388564) to Shipt - 31 upvotes, $100
31. [Privilege escalation allows to use iframe functionality w/o upgrade](https://hackerone.com/reports/594080) to Infogram - 31 upvotes, $0
32. [Weak Passwords generated by password reset function](https://hackerone.com/reports/765031) to MTN Group - 30 upvotes, $0
33. [Self-XSS in password reset functionality](https://hackerone.com/reports/286667) to Shopify - 29 upvotes, $500
34. [Parameter tampering can result in product price manipulation](https://hackerone.com/reports/218748) to Adobe - 28 upvotes, $0
35. [Manipulation of exam results at Semrush.Academy](https://hackerone.com/reports/662583) to Semrush - 27 upvotes, $600
36. [RCE via Print function \[Simplenote 1.1.3 - Desktop app\]](https://hackerone.com/reports/358049) to Automattic - 26 upvotes, $250
37. [GoldSrc: Buffer Overflow in DELTA\_ParseDelta function leads to RCE](https://hackerone.com/reports/484745) to Valve - 25 upvotes, $3000
38. [Add more seats by paying less via PUT /v2/seats request manipulation](https://hackerone.com/reports/1446090) to Krisp - 23 upvotes, $500
39. [Business Logic Flaw - A non premium user can change/update retailers to get cashback on all the retailers associated with Curve](https://hackerone.com/reports/672487) to Curve - 19 upvotes, $1000
40. [Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report](https://hackerone.com/reports/442843) to HackerOne - 19 upvotes, $500
41. [IDOR in report download functionality on ads.tiktok.com](https://hackerone.com/reports/1559739) to TikTok - 16 upvotes, $500
42. [Multiple File Manipulation bugs in WP Super Cache](https://hackerone.com/reports/240886) to Automattic - 15 upvotes, $150
43. [Response Manipulation leads to Admin Panel Login Bypass at https://██████/](https://hackerone.com/reports/1508661) to Sony - 15 upvotes, $0
44. [XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window](https://hackerone.com/reports/351376) to Reverb.com - 14 upvotes, $150
45. [Spoof Email with Hyperlink Injection via Invites functionality](https://hackerone.com/reports/182008) to Pushwoosh - 14 upvotes, $0
46. [Remote Code Execution through Extension Bypass on Log Functionality](https://hackerone.com/reports/841947) to Concrete CMS - 14 upvotes, $0
47. [Privilege escalation in the client impersonation functionality](https://hackerone.com/reports/221454) to Ubiquiti Inc. - 12 upvotes, $1500
48. [CSV-injection in export functionality](https://hackerone.com/reports/335447) to Passit - 12 upvotes, $0
49. [Unauthenticated reflected XSS in preview\_as\_user function](https://hackerone.com/reports/643442) to Concrete CMS - 12 upvotes, $0
50. [Stored self XSS at auto.mail.ru using add\_review functionality](https://hackerone.com/reports/914286) to Mail.ru - 11 upvotes, $0
51. [\[CVE-2020-27194\] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE](https://hackerone.com/reports/1010340) to Internet Bug Bounty - 10 upvotes, $750
52. [Logic issue in email change process](https://hackerone.com/reports/265931) to Legal Robot - 10 upvotes, $70
53. [\[kb.informatica.com\] DOM based XSS in the bindBreadCrumb function](https://hackerone.com/reports/189834) to Informatica - 10 upvotes, $0
54. [Time-of-check to time-of-use vulnerability in the std::fs::remove\_dir\_all() function of the Rust standard library](https://hackerone.com/reports/1520931) to Internet Bug Bounty - 9 upvotes, $4000
55. [No Rate limit on Password Reset Function](https://hackerone.com/reports/280389) to Infogram - 9 upvotes, $0
56. [Business Logic, currency arbitrage - Possibility to pay less than the price in USD](https://hackerone.com/reports/1677155) to PortSwigger Web Security - 9 upvotes, $0
57. [Improperly implemented password recovery link functionality](https://hackerone.com/reports/809) to Phabricator - 8 upvotes, $300
58. [Authenticated users can edit, trash, and add new entries in the BuddyPress Emails function](https://hackerone.com/reports/833782) to WordPress - 8 upvotes, $225
59. [Logic issue in email change process](https://hackerone.com/reports/266017) to Legal Robot - 8 upvotes, $60
60. [CSRF in the "Add restaurant picture" function](https://hackerone.com/reports/169699) to Zomato - 8 upvotes, $50
61. [Change password logic inversion](https://hackerone.com/reports/255679) to Legal Robot - 8 upvotes, $20
62. [Impersonation of Wakatime user using Invitation functionality.](https://hackerone.com/reports/257119) to WakaTime - 8 upvotes, $0
63. [Server Side Request Forgery In Video to GIF Functionality](https://hackerone.com/reports/91816) to Imgur - 7 upvotes, $1600
64. [memory corruption in wordwrap function](https://hackerone.com/reports/167910) to Internet Bug Bounty - 7 upvotes, $500
65. [Logic flaw enables restricted account to access account license key](https://hackerone.com/reports/200576) to New Relic - 7 upvotes, $500
66. [unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php](https://hackerone.com/reports/185907) to Ian Dunn - 7 upvotes, $25
67. [Reputation Manipulation (Theoretical)](https://hackerone.com/reports/132057) to HackerOne - 7 upvotes, $0
68. [Business logic Failure - Browser cache management and logout vulnerability in Certly](https://hackerone.com/reports/158270) to Certly - 7 upvotes, $0
69. [Firefly's verify\_access\_token() function does a byte-by-byte comparison of HMAC values.](https://hackerone.com/reports/240958) to Yelp - 7 upvotes, $0
70. [Missing Password Confirmation at a Critical Function (Payout Method)](https://hackerone.com/reports/303299) to HackerOne - 7 upvotes, $0
71. [Remote Code Execution in the Import Channel function](https://hackerone.com/reports/236607) to ExpressionEngine - 7 upvotes, $0
72. [Deleted Post and Administrative Function Access in eCommerce Forum](https://hackerone.com/reports/167846) to Shopify - 6 upvotes, $500
73. [CSV export/import functionality allows administrators to modify member and message content of a workspace](https://hackerone.com/reports/1661310) to Slack - 6 upvotes, $250
74. [Application XSS filter function Bypass may allow Multiple stored XSS](https://hackerone.com/reports/44217) to Vimeo - 6 upvotes, $100
75. [Non-functional 2FA recovery codes](https://hackerone.com/reports/249337) to Legal Robot - 6 upvotes, $60
76. [Incorrect Functionality of Password reset links](https://hackerone.com/reports/280529) to Infogram - 6 upvotes, $0
77. [Business Logic Flaw allowing Privilege Escalation](https://hackerone.com/reports/280914) to Inflection - 6 upvotes, $0
78. [Parameter tampering : Price Manipulation of Products](https://hackerone.com/reports/682344) to WordPress - 6 upvotes, $0
79. [Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input](https://hackerone.com/reports/670779) to Node.js third-party modules - 6 upvotes, $0
80. [Owner can change themself to another Role Mode but the application does not have this function.](https://hackerone.com/reports/1072635) to Doppler - 6 upvotes, $0
81. [ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type](https://hackerone.com/reports/1241578) to GitHub Security Lab - 5 upvotes, $1800
82. [Logic Issue with Reputation: Boost Reputation Points](https://hackerone.com/reports/36211) to HackerOne - 5 upvotes, $500
83. [The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack](https://hackerone.com/reports/129002) to LocalTapiola - 5 upvotes, $300
84. [Deleted name still present via mouseover functionality for user accounts](https://hackerone.com/reports/127914) to HackerOne - 5 upvotes, $0
85. [Issue with password reset functionality \[Minor\]](https://hackerone.com/reports/149027) to Paragon Initiative Enterprises - 5 upvotes, $0
86. [Weak e-mail change functionality could lead to account takeover](https://hackerone.com/reports/223461) to Weblate - 5 upvotes, $0
87. [Amount Manipulation Buy Unlimited Credits in just $1.00](https://hackerone.com/reports/277377) to Inflection - 5 upvotes, $0
88. [Locked\_Transfer functional burning](https://hackerone.com/reports/417515) to Monero - 5 upvotes, $0
89. [Rate limit function bypass can lead to critical problems on the website.](https://hackerone.com/reports/1067533) to Courier - 5 upvotes, $0
90. [HTTP Host injection in redirect\_to function](https://hackerone.com/reports/888176) to Ruby on Rails - 5 upvotes, $0
91. [2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com](https://hackerone.com/reports/1581454) to Exodus - 5 upvotes, $0
92. [Manipulation of submit payment request allows me to obtain Infrastructure Pro/Other Services for free or at greatly reduced price](https://hackerone.com/reports/219356) to New Relic - 4 upvotes, $600
93. [Invalid parameter in memcpy function through openssl\_pbkdf2](https://hackerone.com/reports/190933) to Internet Bug Bounty - 4 upvotes, $500
94. [Business logic Failure - Browser cache management and logout vulnerability.](https://hackerone.com/reports/7909) to Localize - 4 upvotes, $0
95. [Spamming any user from Reset Password Function](https://hackerone.com/reports/223525) to Weblate - 4 upvotes, $0
96. [New team invitation functionality allows extend team without upgrade](https://hackerone.com/reports/295900) to Infogram - 4 upvotes, $0
