Explore the world of bugbounties


A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.



Recent Activity


Challenge Answers have been revealed and new challenges added!

Our second round of challenges has ended! Did you manage to find the answer to each of them? No worries if not, we have now revealed the answers to all of the challenges and added 4 new challenges for you to try with even more on the way! Enjoy :)


@mridulsg created a topic: How to get started in Secure Code Review? — posted on 2018-11-15

Any methodology and tools to perform secure code review.... (read more)


@janijay007 shared a blog post: Privilege Escalation like a Boss — posted on 2018-11-14

@danila_xawdxawdx disclosed Shell upload in partner service on mailru

Shell code upload (RCE) vulnerability in partner service provided as an additional functionality within mail.ru branded service. Partner services are not covered by bug bounty program, the bounty was awarded due to potential problem criticality. ... (read more)


@zseano created a topic: Hey 0xteknogeek - we're waiting — posted on 2018-11-13

Waiting for this mobile tutorial he's due to release.. testing mobile apps is fun but can be a pain. Eager to learn more :)... (read more)


@rakeshmane created a challenge: Can you XSS when redirecting? Can you solve it?!

You'll have to somehow get XSS. Maybe by stopping something? Maybe by abusing unexpected behaviour of the browser? Maybe by fuzzing? All up to you. Note: Intended solution works in Firefox only. Solutions working on outdated browsers will not be accepted.... (read more)


@dr_dragon disclosed Reflected XSS on $Any$.myshopify.com/admin on shopify

Description: Hi, I have found a reflected cross-site scripting vulnerability in <any>.myshopify.com/admin through the return_url parameter. Steps to reproduce: 1. Go to https://<Any>.myshopify.com/admin/authenticate?return_url=javascript:alert(100)// 2. Click on "reload this page" 3. XSS alert...... (read more)


@aelazari created a topic: Got RE experience? - Help academic research and get $40 — posted on 2018-11-13

Researchers at the University of Maryland are looking for people with software reverse engineering experience to participate in an online interview to discuss their process and a recent program they reverse engineered. The goal of this study is to understand the way reverse engineers think, how they...... (read more)


@iamthere shared a blog post: 3 Minutes & XSS! — posted on 2018-11-09

@nuke11 disclosed Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone on tts

Hey there, while signing up for a new API key, I have found two bugs that are unusual and allow anyone to send a crafted or customised email to someone. Bug 1 - low: 1. Go to https://api.data.gov/signup/ 2. Enter first and last name, then enter email id and get API key. Bug: You can use the same email id...... (read more)


@palant created a challenge: Try out my Screenshotter.PRO browser extension! Can you solve it?!

Did you know that a browser extension to capture websites can be written with little to no knowledge? I've done it and it works great! By the way, maybe you could help me with a serious problem. Some websites can tell what emails I have in my Gmail account! Is that a browser bug? ...... (read more)


@slawbra shared a blog post: Self-XSS CSRF to Stored XSS — posted on 2018-11-09

@nullelite disclosed Hack The World 2017 Top 2 Bonus on uber

Thanks for your participation in Hack the World 2017, @nutellite! ... (read more)


@ehsahil shared a blog post: Getting Access to 25k employees details — posted on 2018-11-07

@cablej disclosed No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts on uber

A lack of rate limiting on the "/confirm" endpoint made it possible for an attacker to add themselves to arbitrary business.uber.com accounts by brute forcing confirmation codes. If they were able to successfully brute force the correct confirmation code, this would allow an...... (read more)


@harisec created a challenge: An unusual XSS. Can you solve it?!

This challenge was inspired (and reproduced exactly) by a real-life XSS I've recently exploited in a private bug bounty program. It requires some out of the box thinking, it's not an easy challenge. The goal of this challenge is to alert using Google Chrome or Firefox.... (read more)


@ehsahil shared a blog post: Basic android security test lab part-1 — posted on 2018-11-07

@djangohack disclosed Delay of arrears notification allows Riders to take multiple rides without paying on uber

Due to a delay in how Uber prompts accounts that have gone into arrears (having an outstanding balance), it was possible to take rides without paying and without the account being blocked from booking new rides. This delay was a short-term issue, not a security vulnerability, and...... (read more)


@ehsahil shared a blog post: Basic Penetration testing lab-1 — posted on 2018-11-07

@ehsahil shared a blog post: Basic iOS apps security testing lab-1 — posted on 2018-11-07

@indcyberjoker disclosed SMS/Call spamming due to truncated phone number on uber

Due to improper validation of phone numbers during the Android Rider sign-up, it was possible to spam a phone number with verification calls and texts. By inputting an 11 or 12 digit phone number, it would be truncated to 10 digits, resulting in the same number from varying inputs. ... (read more)


@rakeshmane created a challenge: Hack The Admin Panel Challenge. Can you solve it?!

Can you exploit the XSS vulnerability present in a hidden feature to gain access to the admin panel? Note: Admin prefers clicking. He doesn't like moving his mouse here and there.... (read more)


@kiraakboi created a topic: BUG — posted on 2018-11-06

BUG... (read more)


@4lemon disclosed Open redirect on rush.uber.com, business.uber.com, and help.uber.com on uber

@4lemon reported open redirects on rush.uber.com, business.uber.com, and help.uber.com which would have made it possible for an attacker to redirect a victim through to another arbitrary site without user interaction. ... (read more)


@mdv disclosed Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains on uber

When creating new tags on Tealium, the application did not check that the user creating the tag had authorized as the same account they were creating a tag for. It was possible for an attacker to inject arbitrary content into a web page using the `utag.js` tag. Depending...... (read more)


@structhack created a challenge: Steal teh token! Can you solve it?!

Can you steal the token?... (read more)


@hateshape shared a blog post: How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL — posted on 2018-11-02

@nightwatch-cybersecurity disclosed Privacy policy contains hardcoded link using unencrypted HTTP on uber

The link to Uber's privacy policy was using the unencrypted `http://` scheme, making it possible for an attacker with the ability to Man-in-The-Middle (MiTM) traffic. This would allow them to replace normal responses with malicious content such as a phishing page....... (read more)


@kangara created a topic: Automation - Burp — posted on 2018-11-01

What's your favorite Burp extension/plugin...?... (read more)


@plenum created a topic: Facebook oauth callback link leaked to third party — posted on 2018-11-01

Hello, the flow is as follows: 1. Click login with Facebook 2. Redirect to Facebook 3. Facebook responds with http://accounts.redacted.net/?oauthcallback=TOKEN 4. Login successful. In step 3 the site is leaking the OAuth redirect link through the referrer to Google. I have tried to copy-paste the link in...... (read more)


@fady_othman disclosed Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/ on uber

The base parameter of `/oidauth/prompt` on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made...... (read more)


@palant created a challenge: A properly secured parameter. Can you solve it?!

We recently learned that the message parameter on this page was vulnerable to XSS. While we couldn't afford changing this page, we configured our WAF to prevent exploitation. So it's all fine now, move along!... (read more)


@zseano created a topic: What do you have on your toast? — posted on 2018-10-30

For those who didn't have the privilege of being interviewed by BugBountyForum, I want to know: What do you have on your toast? :D ... (read more)


@fady_othman disclosed Reflected XSS on multiple uberinternal.com domains on uber

The base parameter of `/oidauth/prompt` on multiple uberinternal.com subdomains was not sanitized before being reflected into the page body, making it vulnerable to reflected XSS. Additionally, these pages were affected by a clickjacking vulnerability that made...... (read more)


@zseano created a topic: Your fav swag? — posted on 2018-10-30

As the title says, what's your fav swag you've received and from who? Which program is giving away the best swag? :) Mine has to be the wireless headphones from HackerOne's first ever live event in Las Vegas, H1-702. I believe it was Zenefits who gifted them, and of course my HackerOne hoodie, especially...... (read more)


@zseano created a topic: Site only allows for .zip and .txt - thoughts on bypassing? — posted on 2018-10-30

I have this site which allows me to only upload .zip & .txt. Tried everything to bypass or cause weird behaviour... however the only thing I can do is get it to say "No such upload" when switching content types. Thoughts on what to try? Here's an example of the request: ...... (read more)


@juliocesar disclosed Open redirect on https://blog.fuzzing-project.org on hannob

Summary: There is an Open Redirect on https://blog.fuzzing-project.org/exit.php?url= due to the application not checking the value passed by the user to the "url" parameter. Description: Unchecked redirects occur when an application redirects to a destination controlled by...... (read more)


@ebelties created a challenge: Our redirect blacklist is top-notch, right? Can you solve it?!

We built a secure redirect system, to redirect from our website to our application. There is not a way to bypass this, right?... (read more)


@janijay007 shared a blog post: How I found IDOR on Twitter’s Acquisition – Mopub.com — posted on 2018-10-15

@jaimaakali disclosed Vulnerability Report - Missing Certificate Authority Authorization rule on mariadb

A missing DNS Certificate Authority Authorization rule was reported for our main domain. We resolved this by adding the relevant CAA rules in our DNS configuration. ... (read more)


@zseano created a topic: Maintenance ongoing -- UPDATED! — posted on 2018-10-10

Hi all! You may notice we have a *brand new* explore page with access to detailed information around disclosed issues and programs. If you haven't already, go check it out! You also may notice we have two new forums: Mobile Testing and Platform Discussion. I renamed the General Discussion to...... (read more)


@noob shared a blog post: Escalating Low Severity Bugs To High Severity — posted on 2018-10-07

@heeeeen disclosed Bypass User Interaction to initiate a VoIP call to Another User on vkcom

Initiation of a call by a third-party application. ... (read more)


@palant created a challenge: Exploiting a static page. Can you solve it?!

This is a static page, no server side involved. So looking for XSS vulnerabilities should be pointless, right?... (read more)


@noob shared a blog post: XSS & CSRF = Boom! — posted on 2018-10-07

@danila_xawdxawdx disclosed Stored Blind XSS on mailru

Blind XSS via support.my.com request ticket. kayako.support.my.com is not covered with bug bounty; the bounty was awarded because lootdog.io users were potentially affected. ... (read more)


@danila_xawdxawdx disclosed XSS on https://www.delivery-club.ru/sd/test_330933/info/ on mailru

Stored XSS on www.delivery-club.ru...... (read more)


@noob created a challenge: Can you find the flag via SQL injection? Can you solve it?!

The form is vulnerable to SQL injection and there's a flag inside the database waiting for you. Using ONLY union based injection, can you retrieve it?... (read more)


@palant shared a blog post: Master password in Firefox or Thunderbird? Do not bother! — posted on 2018-10-03

@danila_xawdxawdx disclosed CSRF on item purchase at https://lootdog.io/ on mailru

CSRF vulnerability for item buy action. At the time of reporting, lootdog.io clientside vulnerabilities were not covered with bug bounty. ... (read more)


@palant shared a blog post: More Last Pass security vulnerabilities — posted on 2018-10-03

@djacint created a topic: Machine learning applied to bug bounties — posted on 2018-09-30

Anyone fancy brainstorming some ideas around using machine learning to exploit web applications? Been doing some work and would love to discuss/share ideas around this topic.... (read more)


@danila_xawdxawdx disclosed CSRF on lootdog.io on mailru

CSRF vulnerability for phone/email change action. At the time of reporting, lootdog.io clientside vulnerabilities were not covered with bug bounty. ... (read more)


@filedescriptor created a challenge: This strict URL filter should prevent XSS, right? Can you solve it?!

This one is pretty simple. One parameter is vulnerable, ?url=. Can you get XSS to execute?... (read more)


@zseano created a topic: Your new profile! — posted on 2018-09-25

We just launched our new profile layout, go ahead and check it out! See a live demo: https://www.bugbountynotes.com/user/zseano - you can modify all settings in your account settings. More updates to come!... (read more)


@danila_xawdxawdx disclosed XSS on https://www.delivery-club.ru on mailru

Reflected XSS via GET parameters. At the time of reporting, XSS vulnerabilities of delivery-club.ru are not covered with bug bounty. ... (read more)


@x1m shared a blog post: Persistent Cross-Site Scripting in default Laravel installation — posted on 2018-09-25

@NateTheRiver created a topic: Recommended books to read? — posted on 2018-09-24

Hello, community! I am looking for some interesting books to read in my free time (public transport or so). I already follow a bunch of online sources, but not every author is publishing his knowledge for free on the web. I already have: Attacking Network Protocols by James Forshaw and probably will...... (read more)


@danila_xawdxawdx disclosed Reflected XSS on https://www.delivery-club.ru/ on mailru

Reflected XSS via GET parameters. At the time of reporting, XSS vulnerabilities of delivery-club.ru are not covered with bug bounty. ... (read more)


@zseano created a challenge: Blind testing - debug mode. Can you solve it?!

This one will require a bit of thinking. It's designed to be a complete blackbox so you have no idea what it's looking for but using information on the page and basic understanding of HTTP requests you should be able to work it out.

The aim of this challenge is to execute XSS via [something]...... (read more)


@bugdiscloseguy shared a blog post: Hacking JSON Web Token (JWT) — posted on 2018-09-23

@danila_xawdxawdx disclosed IDOR on mcs.mail.ru on mailru

CSRF tokens were static; the CSRF token for an arbitrary user's account can be obtained. No direct security implications were found, since the token is transmitted in request headers and cannot be sent cross-site, but using static tokens was considered a bad security practice....... (read more)


@vestige created a topic: Api key in android manifest — posted on 2018-09-20

Hey mate, I debugged an APK file and in the manifest I found a Fabric API key. If I'm not wrong, the API key is used for authentication. Now how to exploit this API key?... (read more)


@Neolex created a topic: tool or technique to sort valid subdomains — posted on 2018-09-19

Hello! I have a list of subdomains for a particular domain; I gathered subdomains from sublist3r, virustotal, etc. I would like to know if you know a tool to sort valid domains from this list, because a lot of these subdomains don't point to anything... I did a little script that follows redirections and...... (read more)


@lincoln9932 disclosed Disclosure of a lootdog.io user's passport series/number and SNILS on mailru

Passport data is reflected back to the user and can be accessed in the case of account or session compromise. Passport information is now not stored by lootdog.io after validation and cannot be accessed by the user. ... (read more)


@zseano created a challenge: Can you bypass the Open URL redirect filter? Can you solve it?!

Try not to overthink this one. Even though a website sometimes tells you how a function SHOULD function, sometimes it doesn't always do that. Look at what request is being sent, and can anything be done with that parameter?... (read more)


@ph0b0s disclosed Reflected XSS in delivery-club.ru on mailru

Reflected XSS via GET argument. At the time of reporting, XSS in delivery-club.ru is not covered with bug bounty program. ... (read more)


@twiceDi shared a blog post: When brute force prevention can turn in DoS — posted on 2018-09-18

@twiceDi shared a blog post: Implementing secure CORS on Tomcat — posted on 2018-09-18

@bobrov disclosed [rm.mail.ru] Request-Path XSS on mailru

Reflected XSS via GET parameters. rm.mail.ru is not covered by bug bounty program. ... (read more)


@zseano created a challenge: There's cross site request forgery (CSRF) protection, but how good is it? Can you solve it?!

Note: Use a keen eye on this challenge to notice what's happening

Our admin panel was hacked because someone discovered a way to force a request to be sent when we visited a malicious website. I got John onto it and he added CSRF protection, and even did some checks to...... (read more)


@bobrov disclosed [moba.my.com] phpinfo, logs on mailru

PHP info and a fragment of the access logs were available. ... (read more)


@alyssa shared a blog post: Reconnaissance to a quick P1 — posted on 2018-09-16

@akop07 disclosed XSS in e.mail.ru on mailru

XSS via DOM clobbering when composing a message reply. ... (read more)


@zseano created a challenge: This developer didn't realise people could view the HTML source. What can you find? Can you solve it?!

Note: This challenge just requires you to have a keen eye. Look carefully!

Firstly, this developer hid his admin panel at a random subdomain he didn't think anyone could find. Because of this thinking (didn't think anyone would find it), the dev was kind of sloppy with how...... (read more)


@rootbakar disclosed Possible Take Over Subdomain For Inbound Emails on khanacademy

Hello KhanAcademy Security Team, I'm rootbakar. The researcher identified that the affected URL points to sendgrid.net via a DNS CNAME record. As a result of this, an attacker could potentially initiate a subdomain takeover by registering the subdomain sendgrid.khanacademy.org on SendGrid and...... (read more)


@blastoff5 created a topic: Help with cache poisoning — posted on 2018-09-15

Hi, everyone, I see that this is the first question on BugHelp and I want to thank zseano for making it possible and wish you good luck. So I was reading Practical Web Cache Poisoning written by @albinowax and thought I'd try to do some cache poisoning. On this webapp that I was testing Param Miner found...... (read more)


@djacint created a topic: Am I late to the party? — posted on 2018-09-15

Hi all, I see there are already users in this forum, which is great. Hope to share and learn a lot in the coming times!... (read more)


@oreamnos disclosed SQL injection in Serendipity (serendipity_fetchComments) on hannob

Bug in upstream Serendipity software, got fixed in version 2.1.3. The impact is limited, as it requires a backend login. Still it's a great finding and many thanks to the reporter. ... (read more)


@zseano created a challenge: Find the vulnerable parameter and try to beat the XSS filter! Can you solve it?!

I couldn't use the traditional methods of stopping XSS because of the way my application works. Because of this I've had to create a "strict" filter to stop malicious attackers and help protect my users. I'm 100% sure you can't beat this filter! Try to find the vulnerable parameter(s) and then see if you...... (read more)


@syntaxerror shared a blog post: How I found Reflective XSS in Yahoo Subdomain — posted on 2018-09-15

@oreamnos disclosed Reflected Cross-Site Scripting in Serendipity (serendipity.SetCookie) on hannob

Summary: The *Smarty* template responsible for creating *JavaScript* snippets assigning cookies to users during sorting of entries in the administration interface is affected by a reflected cross-site scripting. Description: In `templates/2k11/admin/entries.inc.tpl`, the following code is...... (read more)


@amans created a topic: Hello Everyone! — posted on 2018-09-14

Hello Everyone! I believe this is the 3rd post of this forum and I wish this forum rises; special thanks to zseano for creating this initiative. I hope everyone will post their experiences and creativity of their bug bounties. Regards, Aman... (read more)


@zseano shared a blog post: How re-signing up for an account lead to account takeover — posted on 2018-09-14

@oreamnos disclosed Open redirect in Serendipity (exit.php) on hannob

Summary: Serendipity contains a script named `exit.php` that can be directly accessed. When crafting a hyperlink pointing to this page with the parameter `url` containing a base64-encoded URL, it will redirect the user to this URL. Description: The file `exit.php` contains the following...... (read more)


@oreamnos disclosed SSRF in rompager-check on hannob

Summary: The script `rompager.php` does not restrict which hosts can be requested. Thereby, an attacker can send HTTP requests to localhost and other servers of the same local network segment, on port 80 and 7547. Description: In `rompager.php`, the value of `CURLOPT_URL` is fully controlled: ...... (read more)