Top reports from QIWI program at HackerOne:

  1. account takeover https://qiwi.me - 101 upvotes, $750
  2. account takeover https://idea.qiwi.com/ - 83 upvotes, $300
  3. Transfer fee bypass - 52 upvotes, $1050
  4. XXE on ██████████ by bypassing WAF ████ - 46 upvotes, $5000
  5. [contact-sys.com] SQL Injection████ limit param - 43 upvotes, $250
  6. XML External Entity (XXE) in qiwi.com + waf bypass - 39 upvotes, $3137
  7. account takeover https://teamplay.qiwi.com - 37 upvotes, $500
  8. apache access.log leakage via long request on https://rapida.ru/ - 37 upvotes, $100
  9. [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN - 32 upvotes, $300
  10. [p2p.qiwi.com] nginx alias traversal - 31 upvotes, $150
  11. [qiwi.com] XSS on payment form - 28 upvotes, $550
  12. Fee bypass when paying by card - 25 upvotes, $1000
  13. [contact-sys.com] XSS /ajax/transfer/status trn param - 21 upvotes, $100
  14. [lk.contact-sys.com] LKlang Path Traversal - 20 upvotes, $150
  15. Transfer fee bypass - 19 upvotes, $1000
  16. [*.rocketbank.ru] Web Cache Deception & XSS - 19 upvotes, $200
  17. [id.rapida.ru] Full Path Disclosure - 19 upvotes, $50
  18. [qiwi.com] OAuth account takeover - 17 upvotes, $950
  19. Ability to register on qiwi.com with any phone number - 17 upvotes, $200
  20. Insecure scheme for issuing QVC card numbers (possibly also QVV and QVP) - 16 upvotes, $200
  21. [wallet.rapida.ru] XSS Cookie flashcookie - 16 upvotes, $100
  22. [sms.qiwi.ru] XSS via Request-URI - 15 upvotes, $100
  23. [ibank.qiwi.ru] XSS via Request-URI - 14 upvotes, $150
  24. Information disclosure on https://paycard.rapida.ru - 14 upvotes, $100
  25. https://fundl.qiwi.com CSRF on SMS confirmation - 14 upvotes, $100
  26. [contact-sys.com] XSS via Request-URI - 14 upvotes, $100
  27. Information Disclosure on id.rapida.ru - 13 upvotes, $100
  28. [qiwi.com] Information Disclosure - 12 upvotes, $150
  29. [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS - 11 upvotes, $150
  30. Nickname disclosure through web-chat - 11 upvotes, $150
  31. [vitrina.contact-sys.com] Full Path Disclosure - 11 upvotes, $100
  32. [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ - 10 upvotes, $1000
  33. [qiwi.com] .bash_history - 10 upvotes, $100
  34. [qiwi.me] No limits on image download requests - 9 upvotes, $100
  35. Balance disclosure on //kopilka.qiwi.com - 8 upvotes, $300
  36. [rubm.qiwi.com] Yui charts.swf XSS - 8 upvotes, $200
  37. XSS on billing - 8 upvotes, $200
  38. [XSS/3dsecure.qiwi.com] 3DSecure XSS - 7 upvotes, $250
  39. [ibank.qiwi.ru] UI Redressing via Request-URI - 6 upvotes, $150
  40. Stored XSS in agent.qiwi.com - 6 upvotes, $100
  41. Open Redirect in meeting.qiwi.com - 6 upvotes, $100
  42. Somehow received someone else's payment into my money box at https://qiwi.me/undefined - 6 upvotes, $50
  43. Content Spoofing in mango.qiwi.com - 5 upvotes, $150
  44. Open access to corporate data. - 3 upvotes, $500
  45. [wallet.rapida.ru] Mass SMS flood - 3 upvotes, $200
  46. [qiwi.com] Open Redirect - 3 upvotes, $150
  47. https://teamplay.qiwi.com/ points inflation => financial losses for the company - 1 upvote, $500
  48. CRLF Injection [ishop.qiwi.com] - 1 upvote, $250
  49. [ishop.qiwi.com] XSS + Misconfiguration - 1 upvote, $200
  50. [qiwi.com] /oauth/confirm.action XSS - 1 upvote, $100
  51. Session Cookie without HttpOnly and Secure flags set - 1 upvote, $100
  52. Code for registration of a QIWI account does not arrive, even after a long interval of time, for an Indian mobile number - 1 upvote, $0
  53. SSL Certificate on qiwi.com will expire soon. - 1 upvotes, $0
  54. [send.qiwi.ru] XSS at auth?login= - 0 upvotes, $200
  55. [static.qiwi.com] XSS proxy.html - 0 upvotes, $200
  56. XSS Reflected in test.qiwi.ru - 0 upvotes, $200
  57. Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails - 0 upvotes, $0