Features Abuse
Methodology to test features and pages that are very common
Top Business Logic reports from HackerOne:
Account takeover through the combination of cookie manipulation and XSS to Grammarly - 253 upvotes, $2000
Ethereum account balance manipulation to Coinbase - 251 upvotes, $10000
SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 248 upvotes, $5000
Account Takeover via Email ID Change and Forgot Password Functionality to New Relic - 210 upvotes, $2048
Blind SQL injection and making any profile comments from any users to disappear using "like" function (2 in 1 issues) to Pornhub - 208 upvotes, $2500
Abusing "Report as abuse" functionality to delete any user's post to Vanilla - 159 upvotes, $300
OLO Total price manipulation using negative quantities to Upserve - 144 upvotes, $3500
Unserialize leading to arbitrary PHP function invoke to Rockstar Games - 113 upvotes, $5000
HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function to Cloudflare Public Bug Bounty - 105 upvotes, $6000
Null pointer dereference in SMTP server function smtp_string_parse to Open-Xchange - 105 upvotes, $1500
XXE in Site Audit function exposing file and directory contents to Semrush - 99 upvotes, $2000
Claiming the listing of a non-delivery restaurant through OTP manipulation to Zomato - 85 upvotes, $3250
Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) to Shopify - 73 upvotes, $500
Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE to Lob - 68 upvotes, $1500
Parameter Manipulation allowed for viewing of other user's teavana.com orders to Starbucks - 66 upvotes, $6000
Authorization Token on PlayStation Network Leaks via postMessage function to PlayStation - 64 upvotes, $1000
Manipulating response leads to free access to Streamlabs Prime to Logitech - 60 upvotes, $200
[api.tumblr.com] Denial of Service by cookies manipulation to Automattic - 51 upvotes, $200
SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850
Captcha bypass for the most important function - At en.instagram-brand.com to Automattic - 48 upvotes, $150
Stored XSS in photo comment functionality to Pornhub - 44 upvotes, $1500
[intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled to Automattic - 43 upvotes, $200
SSRF in the application's image export functionality to Visma Public - 42 upvotes, $250
Able to steal private files by manipulating response using Compose Email function of Lark to Lark Technologies - 41 upvotes, $2000
Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application to PlayStation - 39 upvotes, $1000
[stored xss, pornhub.com] stream post function to Pornhub - 35 upvotes, $1500
Parameter Manipulation allowed for editing the shipping address for other user's teavana.com subscriptions to Starbucks - 33 upvotes, $4000
Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce to WordPress - 33 upvotes, $900
SSRF in Functional Administrative Support Tool pdf generator (████) [HtUS] to U.S. Dept Of Defense - 32 upvotes, $4000
Able to steal private files by manipulating response using Auto Reply function of Lark to Lark Technologies - 31 upvotes, $2000
Business Logic Flaw in the subscription of the app to Kraden - 31 upvotes, $250
Price manipulation via fraction values (Parameter Tampering) to Shipt - 31 upvotes, $100
Privilege escalation allows to use iframe functionality w/o upgrade to Infogram - 31 upvotes, $0
Weak Passwords generated by password reset function to MTN Group - 30 upvotes, $0
Self-XSS in password reset functionality to Shopify - 29 upvotes, $500
Parameter tampering can result in product price manipulation to Adobe - 28 upvotes, $0
Manipulation of exam results at Semrush.Academy to Semrush - 27 upvotes, $600
RCE via Print function [Simplenote 1.1.3 - Desktop app] to Automattic - 26 upvotes, $250
GoldSrc: Buffer Overflow in DELTA_ParseDelta function leads to RCE to Valve - 25 upvotes, $3000
Add more seats by paying less via PUT /v2/seats request manipulation to Krisp - 23 upvotes, $500
Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report to HackerOne - 19 upvotes, $500
IDOR in report download functionality on ads.tiktok.com to TikTok - 16 upvotes, $500
Multiple File Manipulation bugs in WP Super Cache to Automattic - 15 upvotes, $150
Response Manipulation leads to Admin Panel Login Bypass at https://██████/ to Sony - 15 upvotes, $0
Spoof Email with Hyperlink Injection via Invites functionality to Pushwoosh - 14 upvotes, $0
Remote Code Execution through Extension Bypass on Log Functionality to Concrete CMS - 14 upvotes, $0
Privilege escalation in the client impersonation functionality to Ubiquiti Inc. - 12 upvotes, $1500
CSV-injection in export functionality to Passit - 12 upvotes, $0
Unauthenticated reflected XSS in preview_as_user function to Concrete CMS - 12 upvotes, $0
Stored self XSS at auto.mail.ru using add_review functionality to Mail.ru - 11 upvotes, $0
[CVE-2020-27194] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE to Internet Bug Bounty - 10 upvotes, $750
Logic issue in email change process to Legal Robot - 10 upvotes, $70
[kb.informatica.com] DOM based XSS in the bindBreadCrumb function to Informatica - 10 upvotes, $0
Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library to Internet Bug Bounty - 9 upvotes, $4000
Reflected XSS by way of jQuery function to Pornhub - 9 upvotes, $50
No Rate limit on Password Reset Function to Infogram - 9 upvotes, $0
Business Logic, currency arbitrage - Possibility to pay less than the price in USD to PortSwigger Web Security - 9 upvotes, $0
Improperly implemented password recovery link functionality to Phabricator - 8 upvotes, $300
Allow authenticated users to edit, trash, and add new in BuddyPress Emails function to WordPress - 8 upvotes, $225
Logic issue in email change process to Legal Robot - 8 upvotes, $60
CSRF in the "Add restaurant picture" function to Zomato - 8 upvotes, $50
Change password logic inversion to Legal Robot - 8 upvotes, $20
Impersonation of Wakatime user using Invitation functionality to WakaTime - 8 upvotes, $0
Server Side Request Forgery In Video to GIF Functionality to Imgur - 7 upvotes, $1600
memory corruption in wordwrap function to Internet Bug Bounty - 7 upvotes, $500
Logic flaw enables restricted account to access account license key to New Relic - 7 upvotes, $500
unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php to Ian Dunn - 7 upvotes, $25
Reputation Manipulation (Theoretical) to HackerOne - 7 upvotes, $0
Business logic Failure - Browser cache management and logout vulnerability in Certly to Certly - 7 upvotes, $0
Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. to Yelp - 7 upvotes, $0
Missing Password Confirmation at a Critical Function (Payout Method) to HackerOne - 7 upvotes, $0
Remote Code Execution in the Import Channel function to ExpressionEngine - 7 upvotes, $0
Deleted Post and Administrative Function Access in eCommerce Forum to Shopify - 6 upvotes, $500
CSV export/import functionality allows administrators to modify member and message content of a workspace to Slack - 6 upvotes, $250
Application XSS filter function Bypass may allow Multiple stored XSS to Vimeo - 6 upvotes, $100
Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $60
Incorrect Functionality of Password reset links to Infogram - 6 upvotes, $0
Business Logic Flaw allowing Privilege Escalation to Inflection - 6 upvotes, $0
Parameter tampering : Price Manipulation of Products to WordPress - 6 upvotes, $0
Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input to Node.js third-party modules - 6 upvotes, $0
Owner can change themself for another Role Mode but application does not have this function to Doppler - 6 upvotes, $0
ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type to GitHub Security Lab - 5 upvotes, $1800
Logic Issue with Reputation: Boost Reputation Points to HackerOne - 5 upvotes, $500
The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack to LocalTapiola - 5 upvotes, $300
Deleted name still present via mouseover functionality for user accounts to HackerOne - 5 upvotes, $0
Issue with password reset functionality [Minor] to Paragon Initiative Enterprises - 5 upvotes, $0
Weak e-mail change functionality could lead to account takeover to Weblate - 5 upvotes, $0
Amount Manipulation Buy Unlimited Credits in just $1.00 to Inflection - 5 upvotes, $0
Locked_Transfer functional burning to Monero - 5 upvotes, $0
Rate limit function bypass can lead to a huge critical problem in the website to Courier - 5 upvotes, $0
HTTP Host injection in redirect_to function to Ruby on Rails - 5 upvotes, $0
2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com to Exodus - 5 upvotes, $0
Invalid parameter in memcpy function through openssl_pbkdf2 to Internet Bug Bounty - 4 upvotes, $500
Business logic Failure - Browser cache management and logout vulnerability to Localize - 4 upvotes, $0
Spamming any user from Reset Password Function to Weblate - 4 upvotes, $0
New team invitation functionality allows extend team without upgrade to Infogram - 4 upvotes, $0