Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Web-AppSec

Features Abuse

Methodology to test features and pages that are very common

Top Business Logic reports from HackerOne:

  1. Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 438 upvotes, $12000

  2. Account takeover through the combination of cookie manipulation and XSS to Grammarly - 253 upvotes, $2000

  3. Ethereum account balance manipulation to Coinbase - 251 upvotes, $10000

  4. SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 248 upvotes, $5000

  5. Account Takeover via Email ID Change and Forgot Password Functionality to New Relic - 210 upvotes, $2048

  6. Abusing "Report as abuse" functionality to delete any user's post. to Vanilla - 159 upvotes, $300

  7. OLO Total price manipulation using negative quantities to Upserve - 144 upvotes, $3500

  8. Unserialize leading to arbitrary PHP function invoke to Rockstar Games - 113 upvotes, $5000

  9. HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function to Cloudflare Public Bug Bounty - 105 upvotes, $6000

  10. Null pointer dereference in SMTP server function smtp_string_parse to Open-Xchange - 105 upvotes, $1500

  11. XXE in Site Audit function exposing file and directory contents to Semrush - 99 upvotes, $2000

  12. Claiming the listing of a non-delivery restaurant through OTP manipulation to Zomato - 85 upvotes, $3250

  13. Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) to Shopify - 73 upvotes, $500

  14. Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE to Lob - 68 upvotes, $1500

  15. Parameter Manipulation allowed for viewing of other user’s teavana.com orders to Starbucks - 66 upvotes, $6000

  16. Authorization Token on PlayStation Network Leaks via postMessage function to PlayStation - 64 upvotes, $1000

  17. Manipulating response leads to free access to Streamlabs Prime to Logitech - 60 upvotes, $200

  18. [api.tumblr.com] Denial of Service by cookies manipulation to Automattic - 51 upvotes, $200

  19. SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850

  20. Captcha bypass for the most important function - At en.instagram-brand.com to Automattic - 48 upvotes, $150

  21. [intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled to Automattic - 43 upvotes, $200

  22. SSRF in the application's image export functionality to Visma Public - 42 upvotes, $250

  23. Able to steal private files by manipulating response using Compose Email function of Lark to Lark Technologies - 41 upvotes, $2000

  24. Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application to PlayStation - 39 upvotes, $1000

  25. Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions. to Starbucks - 33 upvotes, $4000

  26. Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce to WordPress - 33 upvotes, $900

  27. SSRF in Functional Administrative Support Tool pdf generator (████) [HtUS] to U.S. Dept Of Defense - 32 upvotes, $4000

  28. Able to steal private files by manipulating response using Auto Reply function of Lark to Lark Technologies - 31 upvotes, $2000

  29. Business Logic Flaw in the subscription of the app to Kraden - 31 upvotes, $250

  30. Price manipulation via fraction values (Parameter Tampering) to Shipt - 31 upvotes, $100

  31. Privilege escalation allows to use iframe functionality w/o upgrade to Infogram - 31 upvotes, $0

  32. Week Passwords generated by password reset function to MTN Group - 30 upvotes, $0

  33. Self-XSS in password reset functionality to Shopify - 29 upvotes, $500

  34. Parameter tampering can result in product price manipulation to Adobe - 28 upvotes, $0

  35. Manipulation of exam results at Semrush.Academy to Semrush - 27 upvotes, $600

  36. RCE via Print function [Simplenote 1.1.3 - Desktop app] to Automattic - 26 upvotes, $250

  37. GoldSrc: Buffer Overflow in DELTA_ParseDelta function leads to RCE to Valve - 25 upvotes, $3000

  38. Add more seats by paying less via PUT /v2/seats request manipulation to Krisp - 23 upvotes, $500

  39. Business Logic Flaw - A non premium user can change/update retailers to get cashback on all the retailers associated with Curve to Curve - 19 upvotes, $1000

  40. Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report to HackerOne - 19 upvotes, $500

  41. IDOR in report download functionality on ads.tiktok.com to TikTok - 16 upvotes, $500

  42. Multiple File Manipulation bugs in WP Super Cache to Automattic - 15 upvotes, $150

  43. Response Manipulation leads to Admin Panel Login Bypass at https://██████/ to Sony - 15 upvotes, $0

  44. XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window to Reverb.com - 14 upvotes, $150

  45. Spoof Email with Hyperlink Injection via Invites functionality to Pushwoosh - 14 upvotes, $0

  46. Remote Code Execution through Extension Bypass on Log Functionality to Concrete CMS - 14 upvotes, $0

  47. Privilege escalation in the client impersonation functionality to Ubiquiti Inc. - 12 upvotes, $1500

  48. CSV-injection in export functionality to Passit - 12 upvotes, $0

  49. Unauthenticated reflected XSS in preview_as_user function to Concrete CMS - 12 upvotes, $0

  50. Stored self XSS at auto.mail.ru using add_review functionality to Mail.ru - 11 upvotes, $0

  51. [CVE-2020-27194] Linux kernel: eBPF verifier bug in or binary operation tracking function leads to LPE to Internet Bug Bounty - 10 upvotes, $750

  52. Logic issue in email change process to Legal Robot - 10 upvotes, $70

  53. [kb.informatica.com] DOM based XSS in the bindBreadCrumb function to Informatica - 10 upvotes, $0

  54. Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library to Internet Bug Bounty - 9 upvotes, $4000

  55. No Rate limit on Password Reset Function to Infogram - 9 upvotes, $0

  56. Business Logic, currency arbitrage - Possibility to pay less than the price in USD to PortSwigger Web Security - 9 upvotes, $0

  57. Improperly implemented password recovery link functionality to Phabricator - 8 upvotes, $300

  58. Allow authenticated users can edit, trash,and add new in BuddyPress Emails function to WordPress - 8 upvotes, $225

  59. Logic issue in email change process to Legal Robot - 8 upvotes, $60

  60. CSRF in the "Add restaurant picture" function to Zomato - 8 upvotes, $50

  61. Change password logic inversion to Legal Robot - 8 upvotes, $20

  62. Impersonation of Wakatime user using Invitation functionality. to WakaTime - 8 upvotes, $0

  63. Server Side Request Forgery In Video to GIF Functionality to Imgur - 7 upvotes, $1600

  64. memory corruption in wordwrap function to Internet Bug Bounty - 7 upvotes, $500

  65. Logic flaw enables restricted account to access account license key to New Relic - 7 upvotes, $500

  66. unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php to Ian Dunn - 7 upvotes, $25

  67. Reputation Manipulation (Theoretical) to HackerOne - 7 upvotes, $0

  68. Business logic Failure - Browser cache management and logout vulnerability in Certly to Certly - 7 upvotes, $0

  69. Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. to Yelp - 7 upvotes, $0

  70. Missing Password Confirmation at a Critical Function (Payout Method) to HackerOne - 7 upvotes, $0

  71. Remote Code Execution in the Import Channel function to ExpressionEngine - 7 upvotes, $0

  72. Deleted Post and Administrative Function Access in eCommerce Forum to Shopify - 6 upvotes, $500

  73. CSV export/import functionality allows administrators to modify member and message content of a workspace to Slack - 6 upvotes, $250

  74. Application XSS filter function Bypass may allow Multiple stored XSS to Vimeo - 6 upvotes, $100

  75. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $60

  76. Incorrect Functionality of Password reset links to Infogram - 6 upvotes, $0

  77. Business Logic Flaw allowing Privilege Escalation to Inflection - 6 upvotes, $0

  78. Parameter tampering : Price Manipulation of Products to WordPress - 6 upvotes, $0

  79. Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input to Node.js third-party modules - 6 upvotes, $0

  80. Owner can change themself for another Role Mode but application doesnot have this function. to Doppler - 6 upvotes, $0

  81. ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type to GitHub Security Lab - 5 upvotes, $1800

  82. Logic Issue with Reputation: Boost Reputation Points to HackerOne - 5 upvotes, $500

  83. The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack to LocalTapiola - 5 upvotes, $300

  84. Deleted name still present via mouseover functionality for user accounts to HackerOne - 5 upvotes, $0

  85. Issue with password reset functionality [Minor] to Paragon Initiative Enterprises - 5 upvotes, $0

  86. Weak e-mail change functionality could lead to account takeover to Weblate - 5 upvotes, $0

  87. Amount Manipulation Buy Unlimited Credits in just $1.00 to Inflection - 5 upvotes, $0

  88. Locked_Transfer functional burning to Monero - 5 upvotes, $0

  89. Rate limit function bypass can leads to occur huge critical problem into website. to Courier - 5 upvotes, $0

  90. HTTP Host injection in redirect_to function to Ruby on Rails - 5 upvotes, $0

  91. 2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com to Exodus - 5 upvotes, $0

  92. Manipulation of submit payment request allows me to obtain Infrastructure Pro/Other Services for free or at greatly reduced price to New Relic - 4 upvotes, $600

  93. Invalid parameter in memcpy function trough openssl_pbkdf2 to Internet Bug Bounty - 4 upvotes, $500

  94. Business logic Failure - Browser cache management and logout vulnerability. to Localize - 4 upvotes, $0

  95. Spamming any user from Reset Password Function to Weblate - 4 upvotes, $0

  96. New team invitation functionality allows extend team without upgrade to Infogram - 4 upvotes, $0

PreviousWeb-AppSecNext2FA

Last updated 2 months ago

Was this helpful?

🕸️