Web Vulnerabilities WriteUps

Vulnerabilities Name
1️ - Cross Site Scripting (XSS)
2️ - Content Security Policy (CSP)
3️ - Html Injection
4️ - Clickjacking (UI redressing)
5️ - Cross Site Request Forgery (CSRF)
6️ - Cross Origin Resource Sharing (CORS)
7️ - Same Origin Policy (SOP)
8️ - Open Redirect
9️ - Information Disclosure
10 - Denial Of Service (DOS)
1️1️ - Simple Storage Service (S3)
1️2️ - SQLI
1️3️ - EXternal Xml Entity (XXE)
1️4️ - Insecure Direct Object References (IDOR)
1️5️ - HTTP Parameter Pollution (HPP)
1️6️ - Host Header Injection (HHI)
1️7️ - Server Side Request Forgery (SSRF)
1️8️ - OS Command Injection
1️9️ - LFI/LFD - Path Traversal - RFI
2️0️ - File Upload

Cross-Site Scripting (XSS)

1. From P5 to P2 to 100 BXSS
2. Google Acquisition XSS (Apigee)
3. DOM-Based XSS at accounts.google.com by Google Voice Extension
4. XSS on Microsoft.com via Angular Js template injection
5. Researching Polymorphic Images for XSS on Google Scholar
6. Netflix Party Simple XSS
7. Stored XSS in google nest
8. Self XSS to persistent XSS on login portal
9. Universal XSS affecting Firefox
10. XSS WAF Character limitation bypass like a boss
11. Self XSS to Account Takeover
12. Reflected XSS on Microsoft subdomains
13. The tricky XSS
14. Reflected XSS in AT&T
15. XSS on Google using Acunetix
16. Exploiting websocket application wide XSS
17. Reflected XSS with HTTP Smuggling
18. XSS on Facebook instagram CDN server bypassing signature protection
19. XSS on Facebook’s Acquisition Oculus
20. XSS on sony Subdomain
21. Exploiting Self XSS
22. Effortlessly Finding Cross Site Scripting inclusion XSSI
23. Bugbounty a DOM XSS
24. Blind XSS : a mind Game
25. FireFox IOS QR code reader XSS(CVE-2019-17003)
26. HTML injection to XSS
27. CVE-2020-13487 Authenticated Stored Cross-site Scripting in bbPress
28. XSS at error page of repository code
29. XSS like a Pro
30. How I turned self XSS to stored XSS via CSRF
31. XSS Stored on Outlook web
32. XSS Bug 20 Chars Blind XSS Payload
33. XSS in AMP4EMAIL(DOM clobbering)
34. DOM Based XSS bug bounty writeup
35. XSS will never die
36. 5000 USD XSS issue at avast desktop antivirus
37. XSS to account takeover
38. How Paypal helped me to generate XSS
39. Bypass Uppercase filters like a PRO(XSS advanced methods)
40. Stealing login credentials with reflected XSS
41. bughunting xss on cookie popup warning
42. XSS is love
43. Oneplus XSS vulnerability in customer support portal
44. Exploiting cookie based XSS by finding RCE
45. Stored XSS on zendesk via macros
46. XSS in ZOHO main
47. DOM based XSS in private program
48. Bugbounty writeup : Take Attention and get stored XSS
49. How I xssed admin account
50. Clickjacking XSS on google
51. Stored XSS on laporbugid
52. Leveraging angularjs based XSS to privilege escalation
53. How I found XSS by searching in shodan
54. Chaining caache poisining to stored XSS
55. XSS to RCE
56. XSS on twitter worth 1120
57. Reflected XSS in ebay.com
58. Cookie based XSS exolpoitation 2300 bug bounty
59. What do netcat -SMTP-self XSS have in common
60. XSS on google custom search engine
61. Story of a Full Account Takeover vulnerability N/A to Accepted
62. Yeah I got p2 in 1 minute stored XSS via markdown editor
63. Stored XSS on indeed
64. Self XSS to evil XSS
65. How a classical XSS can lead to persistent ATO vulnerability
66. Reflected XSS in tokopedia train ticket
67. Bypassing XSS filter and stealing user credit card data
68. Googleplex.com blind XSS
69. Reflected XSS on error page
70. How I was able to get private ticket response panel and fortigate web panel via blind XSS
71. Unicode vs WAF
72. Story of URI based XSS with some simple google dorking
73. Stored XSS on edmodo
74. XSSed my way to 1000
75. Try harder for XSS
76. From parameter pollution to XSS
77. MIME sniffing XSS
78. Stored XSS on techprofile Microsoft
79. Tale of a wormable Twitter XSS
80. XSS attacks google bot index manipulation
81. From Reflected XSS to Account takeover
82. Stealing local storage data through XSS
83. CSRF attack can lead to stored XSS
84. XSS Reflected (filter bypass)
85. XSS protection bypass on hackerone private program
86. Just 5 minutes to get my 2nd Stored XSS on edmodo.com
87. Multiple XSS in skype.com
88. Obtaining XSS using moodle featured and minor bugs
89. XSS on 403 forbidden bypass akamai WAF
90. How I was turn self XSS into reflected XSS
91. A Tale of 3 XSS
92. Stored XSS on Google.com
93. Stored XSS in the Guides gameplaersion (www.dota2.com)
94. Admin google.com reflected XSS
95. Paypal Stored security bypass
96. Paypal DOM XSS main domain
97. Bugbounty The 5k$ Google XSS
98. Facebook stored XSS
99. Ebay mobile reflected XSS
100. Magix bugbounty XSS writeup

Content Security Policy (CSP)

1. csp bypass + xss
2. www.hackerone.com website CSP “script-src” includes “unsafe-inline”
3. https://wakatime.com/ website CSP “script-src” includes “unsafe-inline”
4. Unsafe Inline and Eval CSP Usage

---

Html Injection

1. HTML-injection-in-clause-email
2. HTML-injection-to-xss-bypass-in
3. HTML-injection-in-email
4. Chain-the-vulnerabilities-and-take-your-report-impact-on-the-moon-csrf-to-html-injection-which
5. Stored-iframe-injection-csrf-account-takeover
6. Hunting-good-bugs-with-only-html
7. Unauthenticated-account-takeover-through-http-leak
8. HTML-injection-unique-exploitation
9. How-i-caught-multiple-vulnerabilities-in-udemy-com
10. Got-easiest-bounty-with-html-injection-via-email-confirmation

---

Clickjacking (UI redressing)

1. Clickjacking-on-google-myaccount-worth-7500
2. How-i-earned-750-bounty-reward-from-at-t-bug-bounty-adesh-kolte
3. Binary-com-clickjacking-vulnerability-exploiting-html5-security-features-SandBox
4. 1800-worth-clickjacking-1f92e79d0414
5. Account-taker-with-clickjacking
6. Clickjacking-in-google-docs-and-voice-typing-feature-c481d00b020a
7. Google-clickjacking
8. https://medium.com/bugbountywriteup/chaining-self-xss-with-ui-redressing-is-leading-to-session-hijacking-pwn-users-like-a-boss-efb46249cd14
9. Facebook-clickjacking-how-we-put-a-new-dress-on-facebook-ui
10. Clickjacking-xss-on-google-org
11. Redressing Instagram leaking application tokens via Instagram clickjacking vulnerability
12. Microsoft Yammer clickjacking exploiting HTML5 security features
13. Highly wormable clickjacking in player card
14. Twitter Periscope Clickjacking Vulnerability
15. Clickjacking on donation page
16. Stealing User emails by clickjacking cards.twitter.com/xxx/xxx
17. Clickjacking at join.nordvpn.com
18. Clickjacking is the admin page
19. Clickjacking on cas.acronis.com login page
20. Clickjacking at ylands.com

---

Cross-Site Request Forgery (CSRF)

1. Paypal bug bounty: Updating the Paypal. me profile picture without consent (CSRF attack) - Florian Courtial
2. Hacking PayPal Accounts with one click (Patched) - Yasser Ali
3. Add tweet to collection CSRF - Vijay Kumar
4. Facebookmarketingdevelopers.com: Proxies, CSRF Quandry, and API Fun - phwd
5. How I Hack your Beats account? Apple Bug Bounty - @aaditya_purani
6. FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones
7. Hacking Facebook accounts using CSRF in Oculus-Facebook integration
8. Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019
9. Cross-Site Request Forgery Attack - PwnFunction
10. Wiping Out CSRF - Joe Rozner - Oct 17, 2017
11. Bypass referer check logic for CSRF
12. Bypass-referer-check-logic-for-csrf.html
13. Messenger-site-wide-csrf/
14. Bypass-csrf-with-clickjacking-worth-1250-6c70cc263f40
15. Bypass CSRF with clickjacking on Google org
16. CSRF combined with IDOR within Document Converter exposes files
17. Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login
18. How-i-could-have-taken-over-any-pinterest-account
19. Leaking-WordPress-CSRF-Tokens
20. Paypal-bbp-i-couldve-deleted-all-smc
21. Instagram-delete-media-csrf.html
22. Wordpress-csrf-to-rce/
23. RCE-on-a-facebook-server
24. Collecting-shells-by-the-sea-of-nas-vulnerabilities
25. CORS-to-CSRF-attack
26. 1800-in-less-than-hour
27. Googlebugs
28. Site-wide-csrf-on-popular-program
29. Using-CSRF-i-got-weird-account-takeover
30. Admin-hijacked-by-sea-surf-pirates
31. How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup)
32. How-i-was-able-to-delete-13k-microsoft-translator-projects
33. Fastest-fix-on-open-bug-bounty-platform
34. How-a-simple-csrf-attack-turned-into-a-p1-level-bug
35. CSRF-critical-exploitable-in-infected-site
36. Oauth-misconfiguration-lead-to-complete-account-takeover
37. A-very-useful-technique-to-bypass-the-csrf-protection-for-fun-and-profit
38. How-i-turned-self-xss-to-stored-via-csrf
39. CSRF-vulnerability-leads-to-user-profile-change-in-microsoft-express-logic
40. How-i-got-500-from-microsoft-for-csrf-vulnerability
41. How-i-made-1000-at-t-bug-bounty-h1
42. Lintern-ute-account-takeover-via-csrf-adesh-kolte
43. How-i-found-password-bypass-vulnerability-on-private-document-at-scribd-com
44. Brute-forcing-user-ids-via-csrf-to-delete-all-users-with-csrf-attack
45. Self-xss-to-account-takeover
46. Obtaining-xss-using-moodle-features-and-minor-bugs
47. How-i-hacked-companies-related-to-the-crypto-currency-and-earned-60-000
48. Stored-iframe-injection-csrf-account-takeover
49. Account-taken-over-in-style
50. Fastest-fix-on-open-bug-bounty-platform
51. CSRF-email-confirmation-vulnerability-for-gmail-g-suite-in-facebook
52. CSRF-bypass-using-cross-frame-scripting
53. CSRF CSRF CSRF
54. My-first-csrf-to-account-takeover-worth-750
55. Always-escalate-from-self-xss-to-persistent-xss-on-login-portal
56. Exploiting-websocket-application-wide-xss-csrf
57. JSON-CSRF-attack-on-a-social-networking-site-hackerone-platform
58. How-i-csrfd-my-first-bounty
59. Self-xss-csrf-to-stored-xss
60. ATO-worth-900
61. Bypass-csrf-with-clickjacking-worth-1250
62. CSRF-token-bypasss-a-tale-of-my-2k-bug
63. How-i-exploit-the-json-csrf-with-method-override-technique
64. ATO-by-chaining-two-vulnerabilities
65. Account-takeover-using-csrf-json-based
66. How-i-hacked-one-cryptocurrency-service
67. 2fa-bypass-via-csrf-attack
68. The-accounttakeover-killing-chain
69. 4x-csrfs-chained-for-company-account-takeover
70. A-simple-bypass-of-registration-activation-that-lead-to-many-bug-a-story-about-how-my-friend
71. Critical-bypass-csrf-protection-on-ibm
72. CSRF-account-takeover-explained-automated-manual-bug-bounty
73. CSRF-account-takeover-in-a-company-worth-1b
74. CSRF-attack-can-lead-to-stored-xss
75. How-i-hijacked-your-account-when-you-opened-my-cat-picture
76. Stealing-downloads-from-slack-users
77. Chain_XSS
78. How-i-was-able-to-bypass-the-current-password/
79. RXSS-CSRF-bypass-to-account-takeover
80. XSS-to-ATO
81. Site-wide-CSRF-GraphQL
82. Google-bug-bounty-csrf-in-learndigital-withgoogle-com
83. An-inconsistent-CSRF
84. Yet-other-examples-of-abusing-CSRF-in-logout/
85. Facebook-privacy-bug/
86. An interesting Google vulnerability that got me 3133.7 reward.
87. Facebook CSRF protection bypass which leads to Account Takeover.
88. Facebook CSRF bug which lead to Instagram Partial account takeover.
89. CSRF logs the victim into attacker’s account
90. CSRF log victim into the attacker account
91. Login csrf in analytics.mopub.com
92. CRITICAL Full account takeover using CSRF
93. CSRF at Apply to this program that lead to submit your request automatic with out any validation
94. CSRF - Close Account
95. CSRF: add item to victim’s cart automatically (starbucks.com - updatecart)
96. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers
97. CSRF - Modify Project Settings
98. Cross-Site Request Forgery (CSRF)
99. CSRF on https://market.my.games
100. CSRF - Modify Company Info

---

Cross Origin Resource Sharing (CORS)

1. CORS bug on google’s 404 page (rewarded)
2. CORS misconfiguration leading to private information disclosure
3. CORS misconfiguration account takeover out of scope to grab items in scope
4. Chrome CORS
5. Bypassing CORS
6. An unexploited CORS misconfiguration reflects further issues
7. Think outside the scope of advanced cors exploitation techniques
8. A simple CORS misconfiguration leaked private post of Twitter Facebook Instagram
9. Exploiting CORS misconfiguration
10. Exploiting-misconfigured-cors-via-wildcard-subdomains
11. Exploiting insecure CORS API api.artsy.net
12. Pre domain wildcard CORS exploitation
13. Exploiting misconfigured CORS on popular BTC site
14. Cross-origin resource sharing misconfig steal user information bughunterboy bughunterboy
15. [██████] Cross-origin resource sharing misconfiguration (CORS) Vadim jarvis7
16. CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover
17. CORS Misconfiguration [www.zomato.com], could lead to disclosure of sensitive information
18. CORS misconfiguration
19. CORS Misconfiguration Leads to Exposing User Data
20. CORS Bypassing Misconfiguration Leads to Sensitive Exposure
21. CORS misconfiguration allows to steal client’s “password”, Authorization token and the customer details e.g. names, SSN, bank account etc.

Same Origin Policy (SOP)

1. SOP-bypass-via-browser-cache
2. Google-sites-and-exploiting-same-origin-policy
3. SOP-bypass
4. Stealing-local-files-with-simple-html-file
5. Hacking-the-same-origin-policy
6. Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml
7. CSRF possible when SOP Bypass/UXSS is available
8. SOP bypass using browser cache

---

Open Redirect

1. [Report-246897] Open Redirect on Twitter: Eldeeb
2. [Report-103772] Open Redirect on Shopify: .np
3. [Report-309058] Open Redirect on Wordpress: @
4. [Report-260744] Open Redirect and XSS on Twitter: https://dev.twitter.com/https:/%5cblackfan.ru/
5. [Report-320376] Open Redirect on HackerOne: after index.php/XYZ
6. [Report-111968] Interstitial redirect bypass / Open Redirect on HackerOne Zendesk Session
7. [Report-244721] Open Redirect on Mail.Ru
8. [Report-236599] Open Redirect on ExpressionEngine
9. [Report-299403] Open Redirect on HackerOne: RTLO
10. [Report-239503] Open Redirect & Information Disclosure on HackerOne
11. [Report-210875] Open Redirect via Host Header
12. [Report-119236] Open Redirect on Uber: IP address to a single number
13. [Report-126203] Open Redirect on Uber
14. [Report-144525] Open Redirect bypass on New Relic
15. [Report-104087] Open Redirect bypass using svg on Slack
16. [Report-179568] Open Redirect via window.opener on Open-Xchange
17. Open Redirect to RCE on Google Hangouts Electron app & RCE Tweet

---

Information Disclosure

1. I-found-gcp-service-account-tokennow GCP
2. What-is-your-gcp-infra-worthabout-700 GCP
3. Getting-access-zendesk-gcp GCP
4. Aaronesau blog Debug
5. From-github-recon-to-account-takeover ATO
6. Graphql-bug-to-steal-anyones-address GraphQl
7. How-recon-helped-samsung-protect-their-production-repositories-of-samsungtv-ecommerce-estores IMPORTANT
8. Accessing 2 million Verizon Pay Monthly contracts
9. Business-logic-plex-tv
10. Leak-can-i-take-user-information-please
11. How-i-could-have-hacked-all-uber-accounts
12. How-i-found-credential-enriched-redis-dump
13. How-to-look-for-js-files-vulnerability-for-fun-and-profit
14. Unauthorized-access-to-all-user-information-leaks
15. How-i-get-my-first-p1-sensitive-information-disclosure-using-wpscan
16. Recon-to-sensitive-information-disclosure-in-minutes

---

Denial Of Service (DOS)

1. Long String DOS
2. Banner grabbing to DOS and memory corruption
3. profile-picture name parameter with large value lead to DoS for other users and programs on the platform
4. XMLRPC.php FILE IS enable it will used for Bruteforce attack and Denial of Service(DoS)
5. XMLRPC.php FILE IS enable it will be used for brute force attack and denial of service
6. DOS on the Issue page by exploiting Mermaid.
7. Character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error
8. Permanent DoS with one click.
9. A very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service
10. ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages
11. Denial of Service twitter.com & mobile.twitter.com
12. DOS attack via comment on Issue
13. DOS of https://nordvpn.com/ via CVE-2018-6389 exploitation
14. Denial of Service [Chrome]
15. DOS: type confusion in mrb_no_method_error
16. Api.tumblr.com Denial of Service by cookies manipulation
17. Application DOS via specially crafted payload on 3d.cs.money
18. Pixel Flood Attack leads to Application level DoS
19. lack of input validation that can lead Denial of Service (DOS)

---

Simple Storage Service (S3)

1. Open AWS S3 bucket leaks all Images uploaded to Zomato chat
2. AWS S3 bucket writeable for authenticated aws users
3. Open S3 Bucket Accessible by any Aws User
4. Open S3 Bucket WriteAble To Any Aws User
5. API - Amazon S3 bucket misconfiguration
6. No ACL on S3 Bucket in [https://www.██████████/]
7. Amazon S3 bucket misconfiguration (share)
8. Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv)
9. S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com)
10. unclaimed s3 bucket takeover in the 3 js file located on the github page of brave software
11. S3 bucket data at http://rockset-support.s3-us-west-2.amazonaws.com/ reveals user addresses based on latitudes and longitudes.
12. Writable RubyCi Amazon s3 bucket
13. public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053]
14. niche s3 buckets are readable/writeable/deleteable by authorized AWS users
15. How-i-dumped-millions-of-crypto-currencies-accounts
16. Subdomain Takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
17. Subdomain takeover via unsecured s3 bucket

---

SQLI

1. SQL injection in Harvard subdomain
2. SQLi in HackerOne (crit)
3. SSRF to sqli
4. Blind sqli Hootsuite
5. Tesla motors blind sql injection ’ + sleep(10) + ‘
6. Popping_a_shell_on_the_oculus_developer_portal
7. Pwning-child-company-to-get-access-to-parentcompanys-slack-team
8. SQL-injection-in-insert-update-query-without-comma
9. SQLI-extracting-data-without-knowing-columns-names
10. SQLI-bootcampnutanix-com-bug-bounty-poc
11. Zol-zimbabwe-authbypass-sqli-xss
12. SQLI-login-bypass-autotraders
13. SQL-injection-via-stopping-the-redirection-to-a-login-page
14. Yahoo-root-access-sql-injection-tw-yahoo-com
15. Step-by-step-exploiting-sql-injection
16. Fileupload-blind-sqli
17. First-bug-bounty-submission
18. Exploiting-a-tricky-blind-sql-injection-inside-limit-clause
19. H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress
20. Hacking-the-nhs-for-fun-and-no-profit
21. Hacking-makes-me-forget-my-pain
22. SQL-injection-vulnerability-in-university-of-cambridge
23. SQL-injection-bug-bounty
24. Shodan-is-your-friend-if-you-lose-him-you-will-lose-many
25. SQL-injection-through-user-agent
26. Union-based-sql-injection-write-up-a-private-company-site
27. SQL-injection-for-50-bounty-but-still-worth-reading
28. Source-code-analysis-in-ysurvey-luminate-bug
29. SQL-injection-saadahmedx
30. A-five-minute-sql-i
31. Bug-bounty-writeups-exploiting-sql-injection-vulnerability
32. Twitter
33. Youtube
34. bypass sql injection #1109311
35. SQL injection in https://www.acronis.cz/ via the log parameter
36. blind sql injection
37. Time based sql injection
38. [critical] sql injection by GET method
39. Blind SQL Injection
40. SQL injection [futexpert.mtngbissau.com]
41. Sql injection on docs.atavist.com
42. [windows10.hi-tech.mail.ru] Blind SQL Injection
43. SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent
44. Blind SQL injection in Hall of Fap
45. SQL Injection in ████
46. SQL Injection in ████

---

External Xml Entity (XXE)

1. External-xml-entity-via-file-upload-svg
2. 0day-writeup-xxe-in-ubercom
3. An-interesting-xxe-in-sap
4. Bug-bounty-fastmail
5. Exploiting-xxe-with-local-dtd-files
6. XSS-to-XXE-in-Prince
7. Multiple-vulnerabilities-in-oracle-ebs
8. From-blind-xxe-to-root-level-file-read-access
9. SOAP-based-unauthenticated-out-of-band-xml-external-entity-oob-xxe-in-a-help-desk-software
10. How-i-loose-5005-in-a-day-dos-billion-laugh-attack-xxe
11. XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx
12. XXE on sms-be-vip.twitter.com in SXMP Processor

BLIND - XXE OOB ❌

1. A-tale-of-two-formats-exploiting-insecure-xml-and-zip-file-parsers-to-create
2. How-I-Found-CVE-2018-8819-Out-of-Band-(OOB)-XXE
3. XXE-oob-exploitation-at-java-17
4. Blind-xml-external-entities-out-of-band-channel-vulnerability-paypal-case-study
5. OOB-xxe-in-prizmdoc-cve-2018-15805
6. Exploiting-out-of-band-xxe-using
7. Blind XXE via Powerpoint files
8. Phone Call to XXE via Interactive Voice Response
9. XXE in Site Audit function exposing file and directory contents

---

Insecure Direct Object References (IDOR)

1. IDOR in HackerOne
2. IDOR with Geolocation data not stripped from images
3. IDOR in HackerOne
4. How-i-could-have-hacked-your-uber-account
5. IDOR-via-websockets
6. Fbctf-IDOR/
7. Disclosing privately shared gaming clips of any user
8. Adding anyone including non-friend and blocked people as co-host in personal event!
9. Page analyst could view job application details
10. Deleting Anyone’s Video Poll
11. IDOR bug to See hidden slowvote of any user even when you dont have access right
12. IDOR allow to extract all registered email
13. Another image removal vulnerability on Facebook
14. Gsuite Hangouts Chat 5k IDOR
15. How I pwned a company using IDOR and Blind XSS
16. Disclose Private Dashboard Chart’s name and data in Facebook Analytics
17. DoD_IDOR
18. IDOR when editing users leads to Account Takeover without User Interaction at CrowdSignal
19. IDOR leads to Edit Anyone’s Blogs / Websites
20. IDOR and statistics leakage in Orders
21. IDOR in https://3d.cs.money/
22. IDOR leading to downloading of any attachment
23. IDOR when moving contents at CrowdSignal
24. IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email
25. IDOR to delete images from other stores
26. IDOR in marketing calendar tool
27. IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field
28. IDOR with Geolocation data not stripped from images
29. IDOR in semrush academy
30. IDOR on the DELETE /comments/
31. IDOR [NR Insights] - Modify the filter settings for any NR Insights dashboard through internal_api endpoint
32. IDOR in editing courses
33. IDOR when editing email leads to Account Takeover on Atavist
34. IDOR to view User Order Information
35. IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter
36. IDOR - Deleting other user’s signature via /appsuite/api/snippet?action=update (although an error is thrown)
37. IDOR to view User Order Information

---

HTTP Parameter Pollution (HPP)

1. Recaptcha-bypass-via-http-parameter-pollution
2. Twitter-hpp-vulnerability
3. Improper-input-validation-add-custom-text-and-urls-in-sms-send-by-snapchat-bug-bounty-poc
4. Tale-of-account-takeovers-part
5. Bugbounty-compromising-user-account-how-i-was-able-to-compromise-user-account-via-http
6. From-parameter-pollution-to-xss
7. How-i-earned-60k-from-private-program

---

Host Header Injection (HHI)

1. Love-story-of-account-takeover-chaining
2. Host-header-injection
3. How-i-was-able-to-take-over-any-users-account-with-host-header-injection
4. Pwn-them-all-bugbounty
5. How-i-earned-800-for-host-header-injection-vulnerability
6. 10k-host-header
7. ATO-via-host-header-poisoning
8. From-host-header-injection-to-sql-injection
9. Awesome-host-header-injection-worth-2k
10. Bugbounty-rewarded-by-securing-vulnerabilities-in-bookmyshow-indias-largest-online-movie
11. Host Header Injection
12. Host header injection/redirection signup and login page
13. Host Header Injection/Redirection in:https://www.instacart.com/
14. Email link poisoning / Host header attack
15. Host Header Injection - irccloud.com
16. Host header injection/redirection via newsletter signup
17. Host Header Injection/Redirection
18. Host header Injection
19. Header Injection In app.legalrobot.com
20. Password Reset link hijacking via Host Header Poisoning
21. Host Header Injection/Redirection
22. Modify Host Header which is sent to email
23. Host Header Injection / Cache Poisoning
24. Host Header poisoning on gratipay.com
25. Host Header is not validated resulting in Open Redirect

---

Server Side Request Forgery (SSRF)

1. SSRF to SQLI
2. Escalating xss in phantomjs image rendering to ssrflocal file read
3. Escalating-blind-ssrf-get-rce-santosh-kumar-sha
4. aws-takeover-ssrf-javascript
5. Local-file-read-via-xss-in-dynamically
6. AWS-takeover-ssrf-javascript
7. Downnotifer-ssrf
8. Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul
9. Esea-server-side-request-forgery-and-querying-aws-meta-data
10. Airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat
11. Escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/
12. Yahoo-small-business-luminate-and-the-not-so-secret-keys
13. SSRF-vulnerability-in
14. My-first-ssrf-using-dns-rebinfing/
15. Bugbounty-a-simple-ssrf/
16. Blind-ssrf-in-stripe-com-due-to-sentry-misconfiguration
17. Jow-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira
18. Escalating-ssrf-to-rce
19. How-outdated-jira-instances-suffers-from-multiple-security-vulnerabilities
20. How-i-found-xss-via-ssrf-vulnerability-adesh-kolte
21. Gain-adfly-smtp-access-with-ssrf-via-gopher-protocol
22. Pdfreacter-ssrf-to-root-level-local-file-read-which-led-to-rce
23. Piercing-the-veal-short-stories-to-read-with-friends
24. Vimeo-upload-function-ssrf
25. 1-000-ssrf-in-slack
26. SSRF-trick-ssrf-xspa-in-microsofts-bing-webmaster-central
27. Hunting-good-bugs-with-only-html
28. Blind-ssrf-on-coda-io
29. Chain-of-hacks-leading-to-database-compromise
30. The-journey-of-web-cache-firewall-bypass-to-ssrf-to-aws-credentials-compromise
31. The-unusual-case-of-open-redirection-to-aws-security-credentials-compromise
32. Pcextreme-nl-fake-bug-bounty
33. SSRF-on-pdf-generator
34. Reading-internal-files-using-ssrf-vulnerability
35. Using-vulnerability-analytics-feature-like-a-boss
36. SSRF-via-ffmpeg-hls-processing
37. SSRF-to-read-local-files-and-abusing-the-aws-metadata
38. SSRF-in-openid-support
39. Yhe-story-of-blind-ssrf-leads-to-internal-host-discovery
40. vimeo-ssrf-with-code-execution-potential
41. Just-another-tale-of-severe-bugs-on-a-private-program
42. How-i-found-an-ssrf-in-yahoo-guesthouse-recon-wins-8722672e41d4
43. From-ssrf-to-local-file-disclosure
44. SSRF-port-issue-hidden-approch
45. Exploiting-ssrf-like-a-boss-c090dc63d326
46. Exploiting-an-ssrf-trials-and-tribulations-14c5d8dbd69a
47. The-bugs-are-out-there-hiding-in-plain-sight-12d056613ea3
48. Bug-bounty-fastmail
49. Piercing-the-veil-server-side-request-forgery-to-niprnet-access
50. SSRF_P4toP2
51. Old-but-gold-dot-dot-slash-to-get-the-flag-uber-microservice
52. Google-vrp-ssrf-in-google-cloud-platform-stackdriver
53. Into-the-borg-ssrf-inside-google-production-network
54. CVE-2018-16794-on-fs-thefacebook-com
55. Stored-XSS-and-SSRF-Google
56. Exploiting-single-request-for-multiple
57. How-i-got-access-to-local-aws-info-via-jira
58. SSRF-in.html#.XGWpfioiVM4.twitter
59. SSRF-reading-local-files-from-downnotifier-server/
60. Ok-google-give-me-all-your-internal-dns-information/
61. 01-slack-webrtc-turn-compromise/
62. Getting-read-access-on-edmodo.html
63. A-pair-of-plotly-bugs-stored-xss-and-aws-metadata-ssrf/
64. Exploiting an SSRF trials and tribulations
65. SSRF on PDF generator
66. Google VRP SSRF in Google cloud platform stackdriver
67. Vimeo upload function SSRF
68. SSRF via ffmeg processing
69. My first SSRF using DNS rebinding
70. Bugbounty simple SSRF
71. SSRF reading local files from downnotifier server
72. SSRF vulnerability
73. Gain adfly SMTP access with SSRF via gopher protocol
74. Blind SSRF in stripe.com due to senntry misconfiguration
75. SSRF port issue hidden approch
76. The jorney of web cache firewall bypass to SSRF to AWS credentials compromise
77. SSRF to local file read and abusing aws metadata
78. pdfreactor SSRF to root level local files read which lead to RCE
79. SSRF trick : SSRF XSPA in micosoft’s bing webwaster
80. Downnotifeer SSRF
81. Escalating SSRF to RCE
82. Vimeo SSRF with code execution potential
83. SSRF in slack
84. Exploiting SSRF like a boss
85. AWS takeover SSRF javascript
86. Into the borg of SSRF inside google production network
87. SSRF to local file disclosure
88. How I found an SSRF in yahoo guesthouse (recon wins)
89. Reading internal files using SSRF vulnerability
90. Airbnb chaining third party open redirect into SSRF via liveperson chat
91. SSRF in Exchange leads to ROOT access in all instances
92. SSRF using Javascript allows to exfill data from Google Metadata
93. SSRF in Google cloud platform stackdriver
94. SSRF to ROOT Access
95. SSRF reading local files from downnotifier server
96. Facebook SSRF
97. 31k$ SSRF in Google Cloud Monitoring led to metadata exposure
98. How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
99. My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft to Lyft
100. SSRF in Exchange leads to ROOT access in all instances to Shopify

---

OS Command Injection

1. Command Injection (via CVE-2019-11510 and CVE-2019-11539)
2. RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
3. Remote Code Execution via Extract App Plugin
4. OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)
5. https://hackerone.com/reports/212696

---

LFI/LFD - Path Traversal - RFI

Remote File Inclusion (RFI)

1. Remote file Inclusion - RFI in upload

Path Traversal

1. Path Traversal allowing to read any files on the server
2. Directory traversal at https://nightly.ubnt.com
3. Remote code execution via path traversal in Zip extraction in the Extract app
4. Path traversal on ████████
5. Critical Full local fylesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/
6. Path traversal leading to limited CSRF on GET requests on two endpoints

Local File Inclusion (LFI)

1. [https://███] Local File Inclusion via graph.php
2. Local File Inclusion In Registration Page
3. Local File Include on marketing-dam.yahoo.com
4. Local files reading from the web using brave://
5. RFI LFI Writeup
6. How we got LFI in apache drill recom like a boss
7. Bugbounty journey from LFI to RCE
8. From LFI to RCE via PHP sessions
9. magix bugbounty magix.com XSS RCE SQLI and LFI
10. Escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read
11. Chain-the-bugs-to-pwn-an-organisation-lfi-unrestricted-file-upload-remote-code-execution
12. Chain-of-hacks-leading-to-database-compromise
13. The-journey-of-web-cache-firewall-bypass-to-ssrf-to-aws-credentials-compromise
14. LFI-to-command-execution-deutche-telekom-bug-bounty
15. Client-not-client
16. Exploiting-ssrf-like-a-boss
17. Bugbounty-journey-from-lfi-to-rce-how

---

File Upload

1. Exploiting-file-uploads-pt-2
2. External-xml-entity-via-file-upload-svg
3. Arbitary-File-Upload-Too-Stored-XSS
4. My-first-rce-stressed-employee-gets-me-2x-bounty
5. Remote-image-upload-leads-to-rce-inject-malicious-code-to-php-gd-image
6. Vimeo-upload-function-ssrf
7. Manageengine-servicedesk-plus-arbitrary-file-upload
8. From-file-upload-to-email-pass
9. Uploading-backdoor-for-fun-and-profit-rce-db-cred-p1
10. Simple-remote-code-execution-vulnerability-examples-for-beginners
11. Unrestricted-file-upload-to-rce-bug-bounty-poc
12. How-i-gain-unrestricted-file-upload-remote-code-execution-bug-bounty
13. How-i-found-rce-but-got-duplicated
14. Race-condition-that-could-result-to-rce-a-story-with-an-app-that-temporary-stored-an-uploaded
15. Asus-rce-vulnerability-on-rma-asus-europe-eu
16. Exploitation-of-the-cve-2018-15961-unrestricted-file-upload-in-adobe-coldfusion
17. Unrestricted-file-upload-on-pdf
18. Uploading files to api.techprep.fb.com
19. How I got stored XSS using a file upload
20. Chain the bugs to pwn an organization LFI unrestricted file upload to RCE
21. File Upload blind SQLI
22. Path traversal while uploading results in RCE
23. RCE by uploading a web config
24. How-i-hacked-facebook-and-received-a-3500-usd-facebook-bug-bounty
25. Chaining-tricky-oauth-exploitation-to-stored-xss-b67eaea4aabd
26. RTL override symbol not stripped from file names
27. XSS by image file name
28. Arbitrary file upload and stored XSS via ███ support request
29. Unrestricted File Upload on https://app.dropcontact.io/app/upload/
30. Unrestricted file upload leads to Stored XSS
31. Unrestricted file upload on the image of contacts
32. File Upload XSS in image uploading of App in mopub