Vulnerability-Review

vuln/tricks reports from：

wooyun 
hackerone 
bugreader 

Reflected XSS

• 🔥 01 Reflected XSS on www.hackerone.com and resources.hackerone.com
• 🔥 02 XSS in select attribute options
• 🔥 03 Prevent XSS when passing a parameter directly into link_to
• 🔥 04 Reflected XSS on https://apps.topcoder.com/wiki/page/
• 🔥 05 Reflected XSS on https://apps.topcoder.com/wiki/
• 🔥 06 Reflected XSS on https://apps.topcoder.com/wiki/pages/createpage.action

Stored XSS

• 🔥 01 Stored XSS on upload files leads to steal cookie
• 🔥 02 Potential stored Cross-Site Scripting vulnerability in Support Backend

XXE

• 🔥 01 XXE through injection of a payload in the XMP metadata of a JPEG file

CSRF

IDOR

• 🔥 01 Missing ownership check on remote wipe endpoint
• 🔥 02 Insecure redirect rule results in bypassing ban redirect on certain pages
• 🔥 03 [██████████] Unauthorized access to admin panel
• 🔥 04 IDOR on update user preferences
• 🔥 05 Idor on the DELETE /comments/
• 🔥 06 IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter

Code Injection

• 🔥 01 [git-promise] RCE via insecure command formatting

Command Injection

• 🔥 01 Command Injection (via CVE-2019-11510 and CVE-2019-11539)

SQL Injection

• 🔥 01 SQL Injection on cookie parameter
• 🔥 02 SQL Injection - https://███/█████████/MSI.portal
• 🔥 03 Followup - SQL Injection - https://██████████/██████/MSI.portal
• 🔥 04 SQL Injection in Login Page: https://█████/█████████/login.php

SSRF

• 🔥 01 wooyun-2016-0227704 当当网某站点SSRF可以遍历本地文件 √
• 🔥 02 wooyun-2014-083592 利用两个鸡肋SSRF探测360内网 √
• 🔥 03 CVE-2019-5464 Server Side Request Forgery mitigation bypass
• 🔥 04 labs.data.gov/dashboard/validate中的SSRF / XSPA

Race Condition

CRLF

• 🔥 01 CVE-2019-9947 CRLF Injection in urllib

Path Traversal

• 🔥 01 Arbitrary file read via the UploadsRewriter when moving and issue
• 🔥 02 [Total.js] Path traversal vulnerability allows to read files outside public directory
• 🔥 03 [https://███] Local File Inclusion via graph.php

Denial of Service

• 🔥 01 Denial of service to WP-JSON API by cache poisoning the CORS allow origin header
• 🔥 02 Malformed string sent through FireServer leads to server freezing/hanging
• 🔥 03 File Upload Restriction Bypass

Clickjacking

• 🔥 01 frame injection on bittorrent.com

Open Redirect

• 🔥 01 Open Redirection leads to redirect Users to malicious website
• 🔥 02 open redirect in eb9f.pivcac.prod.login.gov

Information Disclosure

• 🔥 01 Internal IP Address Disclosed
• 🔥 02 Firewall rules for ████████ can be bypassed to leak site authors

Improper Access Control

• 🔥 01 Unrestricted access to any "connected pack" on docs
• 🔥 02 Sourcemaps and Unminified Source Code Exposed on Pages

Improper Authorization

• 🔥 01 You can override the speed limit by adding the X-Forwarded-For header.

Misconfiguration

• 🔥 01 misconfigured CORS let to HPP and SOP bypass

Deserialization of Untrusted Data（反序列化）

• 🔥 01 Remote Code Execution via Insecure Deserialization in Telerik UI

HTTP Request Smuggling(HTTP请求走私)

• 🔥 01 HTTP Request Smuggling on https://labs.data.gov

Other

• 🔥 01 disclosure of email by sending a message.
• 🔥 02 Session works after logout from Shopify account and password of online store is displayed
• 🔥 03 Subdomain Takeover to Authentication bypass

持续更新...