TOP100UPVOTED.md

Top 100 upvoted reports from HackerOne:

  1. Bypass for #488147 enables stored XSS on https://paypal.com/signin again to PayPal - 2405 upvotes, $20000
  2. Account takeover via leaked session cookie to HackerOne - 1360 upvotes, $20000
  3. Arbitrary file read via the UploadsRewriter when moving an issue to GitLab - 1235 upvotes, $20000
  4. Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password to PayPal - 1232 upvotes, $15300
  5. RCE on Steam Client via buffer overflow in Server Info to Valve - 1224 upvotes, $18000
  6. Potential pre-auth RCE on Twitter VPN to Twitter - 1085 upvotes, $20160
  7. Confidential data of users and limited metadata of programs and reports accessible via GraphQL to HackerOne - 922 upvotes, $20000
  8. WannaCrypt “Killswitch” to HackerOne - 780 upvotes, $10000
  9. [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 780 upvotes, $15000
  10. DoS on PayPal via web cache poisoning to PayPal - 767 upvotes, $9700
  11. Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies to Slack - 752 upvotes, $6500
  12. Remote Code Execution on www.semrush.com/my_reports on Logo upload to SEMrush - 745 upvotes, $10000
  13. Git flag injection - local file overwrite to remote code execution to GitLab - 737 upvotes, $12000
  14. Exfiltrate and mutate repository and project data through injected templated service to GitLab - 723 upvotes, $11000
  15. H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 711 upvotes, $15000
  16. JumpCloud API Key leaked via Open Github Repository. to Starbucks - 688 upvotes, $4000
  17. SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database to Starbucks - 684 upvotes, $4000
  18. Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 654 upvotes, $15000
  19. IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - 649 upvotes, $10500
  20. Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 643 upvotes, $4000
  21. SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent to TTS Bug Bounty - 640 upvotes, $2000
  22. Stored XSS on https://paypal.com/signin via cache poisoning to PayPal - 612 upvotes, $18900
  23. Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter to Uber - 603 upvotes, $6500
  24. Email address of any user can be queried on Report Invitation GraphQL type when username is known to HackerOne - 602 upvotes, $8500
  25. [phpobject in cookie] Remote shell/command execution to Pornhub - 589 upvotes, $20000
  26. Getting all the CD keys of any game to Valve - 589 upvotes, $20000
  27. Ability to reset password for account to Upserve - 589 upvotes, $3500
  28. Subdomain Takeover to Authentication bypass to Roblox - 587 upvotes, $2500
  29. Stored XSS in Wiki pages to GitLab - 582 upvotes, $4500
  30. Stored XSS on imgur profile to Imgur - 581 upvotes, $650
  31. Github Token Leaked publicly for https://github.sc-corp.net to Snapchat - 539 upvotes, $15000
  32. Local files could be overwritten in GitLab, leading to remote command execution to GitLab - 526 upvotes, $12000
  33. Privilege Escalation From user to SYSTEM via unauthenticated command execution to Ubiquiti Inc. - 526 upvotes, $16109
  34. The return of the < to Rockstar Games - 506 upvotes, $1000
  35. Shopify Stocky App OAuth Misconfiguration to Shopify - 501 upvotes, $5000
  36. RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ to Starbucks - 494 upvotes, $4000
  37. SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog to Razer - 493 upvotes, $2000
  38. Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ to Glassdoor - 483 upvotes, $1000
  39. Request smuggling on admin-official.line.me could lead to account takeover to LINE - 482 upvotes, $9000
  40. Customer private program can disclose email any users through invited via username to HackerOne - 480 upvotes, $7500
  41. [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure to Grab - 469 upvotes, $7500
  42. BAD Code ! to Paragon Initiative Enterprises - 457 upvotes, $0
  43. SSRF in Exchange leads to ROOT access in all instances to Shopify - 455 upvotes, $25000
  44. Password theft login.newrelic.com via Request Smuggling to New Relic - 455 upvotes, $3000
  45. Steal ALL collateral during liquidation by exploiting lack of validation in flip.kick to Maker Ecosystem Growth Holdings, Inc - 453 upvotes, $50000
  46. Able to Become Admin for Any LINE Official Account to LINE - 453 upvotes, $4750
  47. profile-picture name parameter with large value lead to DoS for other users and programs on the platform to HackerOne - 442 upvotes, $2500
  48. Reflected XSS in OAUTH2 login flow to LINE - 437 upvotes, $1989
  49. XSS in steam react chat client to Valve - 434 upvotes, $7500
  50. How the Bug stole hacking to HackerOne - 428 upvotes, $0
  51. XSS vulnerable parameter in a location hash to Slack - 427 upvotes, $1100
  52. Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 424 upvotes, $12000
  53. Open prod Jenkins instance to Snapchat - 414 upvotes, $15000
  54. Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message to Valve - 395 upvotes, $9000
  55. touch.mail.ru / e.mail.ru memory content disclosure to Mail.ru - 394 upvotes, $10000
  56. CRLF injection to Twitter - 394 upvotes, $2940
  57. Employee's GitHub Token Found In Travis CI Build Logs to Grammarly - 388 upvotes, $5000
  58. H1514 Server Side Template Injection in Return Magic email templates? to Shopify - 377 upvotes, $10000
  59. Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 377 upvotes, $3000
  60. Denial of service to WP-JSON API by cache poisoning the CORS allow origin header to Automattic - 374 upvotes, $550
  61. My Expense Report resulted in a Server-Side Request Forgery (SSRF) on Lyft to Lyft - 374 upvotes, $0
  62. Stored XSS Vulnerability to WordPress - 355 upvotes, $500
  63. Chained Bugs to Leak Victim's Uber's FB Oauth Token to Uber - 353 upvotes, $7500
  64. RCE on shared.mail.ru due to "widget" plugin to Mail.ru - 353 upvotes, $10000
  65. Account TakeOver at my.33slona.ru to Mail.ru - 352 upvotes, $1700
  66. Account TakeOver at my.33slona.ru to Mail.ru - 352 upvotes, $1700
  67. H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 348 upvotes, $13337
  68. JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions to GitLab - 342 upvotes, $12000
  69. Stored XSS in wordpress.com to Automattic - 342 upvotes, $650
  70. Bypass of GitLab CI runner slash fix in YAML validation to GitLab - 341 upvotes, $12000
  71. Github information leaked to SEMrush - 336 upvotes, $3000
  72. URL link spoofing to Slack - 336 upvotes, $250
  73. [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 335 upvotes, $4000
  74. SSRF & LFR via on city-mobil.ru to Mail.ru - 334 upvotes, $6000
  75. SQL Injection in report_xml.php through countryFilter[] parameter to Valve - 333 upvotes, $25000
  76. Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 333 upvotes, $7000
  77. Stored XSS in Private Message component (BuddyPress) to WordPress - 331 upvotes, $500
  78. Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg to Uber - 331 upvotes, $4000
  79. Web cache poisoning attack leads to user information and more to Postmates - 329 upvotes, $500
  80. Partial disclosure of report activity through new "Export as .zip" feature to HackerOne - 327 upvotes, $10000
  81. OTP token bypass in accessing user settings to Razer - 326 upvotes, $1000
  82. Connection information is sent to a third-party service to NordVPN - 321 upvotes, $7777
  83. HTML-injection in PDF-export leads to LFI to Visma Public - 321 upvotes, $500
  84. CRLF Injection in urllib to Python (IBB) - 321 upvotes, $1000
  85. Arbitrary file read via ffmpeg HLS parser at https://www.flickr.com/photos/upload to Flickr - 320 upvotes, $2000
  86. XSS while logging using Google to Shopify - 315 upvotes, $1750
  87. Malformed .BMP file in Counter-Strike 1.6 may cause shellcode injection to Valve - 315 upvotes, $2000
  88. [windows10.hi-tech.mail.ru] Blind SQL Injection to Mail.ru - 314 upvotes, $5000
  89. [fleet.city-mobil.ru] Driver balance increasing to Mail.ru - 314 upvotes, $8000
  90. Server Side Request Forgery mitigation bypass to GitLab - 313 upvotes, $3500
  91. AWS bucket leading to iOS test build code and configuration exposure to Slack - 310 upvotes, $1500
  92. [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 310 upvotes, $1000
  93. [Razer Pay Mobile App] Broken access control allowing other user's bank account to be deleted to Razer - 310 upvotes, $1000
  94. [Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable to Twitter - 309 upvotes, $5040
  95. Reflected XSS to Badoo - 309 upvotes, $1000
  96. Heap overflow happen when receiving short length key from ssh server using ssh protocol 1 to PuTTY (European Commission - DIGIT) - 303 upvotes, $3645
  97. Full account takeover to Reverb.com - 298 upvotes, $800
  98. Account Takeover worki.ru to Mail.ru - 297 upvotes, $1700
  99. XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 293 upvotes, $4000
  100. TURN server allows TCP and UDP proxying to internal network, localhost and meta-data services to Slack - 288 upvotes, $3500
