Writeups about Security Issues found during Bug Bounty Programs
Hello, fellow nerds, it’s been a while! Today, let’s delve into a some analogy – the striking similarities between bug bounty hunting and photography. This comparison isn’t just for kicks; it’s a serious look at how these two fields, though seemingly worlds apart, share fundamental principles. Focusing the Lens: Spotting Vulnerabilities Photography begins with spotting […]
The Art of Bug Hunting: A Photographic Journey Read More »
Greetings readers, today i want to share with you one of my latest findings on Paypal.com.When creating an invoice Paypal allows the users to upload attachements for the invoices one attachement that they allow is a XML file. What the developer may missed here is that you can actually insert HTML into XML files, the namespace
[BugBounty] Papyal XML Upload Cross Site Scripting Vulnerability Read More »
Dear followers, i found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following Payload: &q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E The vulnerable Parameter was the q? Parameter, i was able to break the script contex of the page, i think it was because of the &q Parameteter,
[BugBounty] Reflected Cross Site Scripting at Paypal.com Read More »
Dear followers, i recently found a reflected Cross Site Scripting issue on a Subdomain of BillMeLater (Paypal acquisition) it was possible to break the style attribute and add malicious Javascript Code into the Application. “–></style></ script >< script > alert (“XSS “)</ script > When ending the previous style and script element it was possible
[BugBounty] Reflected Cross Site Scripting BillMeLater Read More »
Dear followers, i recently discovered a stored cross site scripting vulnerability on Paypal’s core site. The scenario is a bit weird, but i hope to explain everything as good as possible. During my testings i often create accounts with malicious Javascript contet as the Name, Organization etc etc. While testing on Paypal i did the
[BugBounty] Paypal stored XSS + Security bypass Read More »
Dear followers, i recently discovered a DOM Cross Site Scripting issue while testing on Paypal, the process here was pretty straight forward, if you inserted the payload in : #“><img src=/ onerror=alert(2)> In the URL, the DOM executed the Javascript. This vulnerability would have affected all registered Paypal users and could have been used to
[BugBounty] Paypal DOM XSS main domain Read More »
Dear followers, i recently searched for vulnerabilities on a Google service called tagmanager, this service is used for SEO operations. My main research was to look for any field that could be vulnerable to Cross Site Scripting, but every field was protected against special characters as you can see in the image below. So pretty
[BugBounty] The 5000$ Google XSS Read More »
Dear readers, during my research of yahoo i found a phpinfo.php file information disclosure vulnerability, on one of their servers. The server on which i found that particular file was : http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php you might ask yourself how on earth i found this server. Let me explain what i did: Since the scope for the vulnerability program of
[BugBounty] Yahoo phpinfo.php disclosure Read More »
Dear Readers, short story, i discovered a Path Traversal Issue on one of Prezi’s domains, Timeline : Mail recieved 05/18/2014 21:01:00 : fixed 05/20/2014 Hi Patrik, Thanks again for your submission, you were the first to report this issue and we deployed our fix, therefore you are eligible for a $1000 reward. Congrats! We would
[Bug Bounty] Prezi (map.prezi.com) Path Traversal Read More »
Dear Readers, today i want to share my story on how i want to buy my new Laptop (Macbook Pro would be cool) so the notebook costs round about 1700$ with the help of BugBounty Money i want to buy it $$$. So what i’ve done first is to look at a list of bug
A Tale of 7 Vulnerabilities Read More »
English 
German