
Contributors


palant
Write-ups shared: 9

alyssa
Write-ups shared: 8

zseano
Write-ups shared: 6

Spazzyy
Write-ups shared: 5

twiceDi
Write-ups shared: 4

noob
Write-ups shared: 4

janijay007
Write-ups shared: 4

syntaxerror
Write-ups shared: 3

iamthere
Write-ups shared: 3

nikhil
Write-ups shared: 3

tomnomnom
Write-ups shared: 2

updateLap
Write-ups shared: 2

hateshape
Write-ups shared: 2

plenum
Write-ups shared: 2

ehsahil
Write-ups shared: 7

slawbra
Write-ups shared: 2

warlord3112
Write-ups shared: 2

dorkerdevil
Write-ups shared: 2

haxormad
Write-ups shared: 2

andrysec
Write-ups shared: 2

$5000 Apache /server-status page

Written by drs

Program: Unknown Rating: None set
View Writeup »

SQL Injections on [ Telkom Server Acess ]

Written by andrysec

Program: SQL Injections on [ Telkom Server Acess ] Rating: Critical
View Writeup »

20k Server With Unrestricted Access

Written by Spazzyy

Program: [redacted] Rating:
Visit Writeup »

Long Journey to Google's Hof

Written by haxormad

Program: Google Rating: Low
Visit Writeup »

Infinite Loop story

Written by dorkerdevil

Program: [redacted] Rating: Low
Visit Writeup »

1500$ worth Deserialization vulnerability

Written by dorkerdevil

Program: [redacted] Rating: Critical
Visit Writeup »

test

Written by zseano

Program: test Rating: Critical
View Writeup »

OOB-XXE found in several bug bounty programs

Written by nikhil

Program: [redacted] Rating: Critical
Visit Writeup »

How I Hacking Oracle in 5 Minutes

Written by warlord3112

Program: Oracle Rating: Medium
Visit Writeup »

New technique to find Blind-XSS

Written by slawbra

Program: [redacted] Rating: High
Visit Writeup »

Privilege Escalation like a Boss

Written by janijay007

Program: [redacted] Rating: Medium
Visit Writeup »

Self-XSS CSRF to Stored XSS

Written by slawbra

Program: [redacted] Rating: High
Visit Writeup »

Knowledge Sharers


zseano
Tutorials shared: 7

ehsahil
Tutorials shared: 5

hisxo
Tutorials shared: 1

haxormad
Tutorials shared: 1

R29k
Tutorials shared: 1

Tutorial Creator: zseano

Open URL Redirects

Open URL redirects are simply URLs like https://www.example.com/?go=https://www.google.com/ which, when visited, send the user from example.com to google.com. Generally they are classed as low impact, and some programs even list them as out of scope and not accepted. So what can we actually do with them? I posted this tu
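Whether a redirect parameter is exploitable usually comes down to how the target is validated, so here is an added example (not part of zseano's tutorial) that puts the prefix check many applications ship next to a check that parses the target. ALLOWED_HOSTS, the function names and the bypass payloads are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts the application is willing to redirect to (assumed allowlist for this example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def weak_is_safe(target: str) -> bool:
    """The prefix check many applications ship: 'does it start with our origin?'"""
    return target.startswith("https://www.example.com")


def strict_is_safe(target: str) -> bool:
    """Parse the target and accept only same-origin paths or allowlisted https hosts."""
    # Control characters and backslashes are used to confuse parsers; browsers treat
    # "/\evil.com" like "//evil.com", so reject both outright.
    if any(ord(ch) < 0x20 for ch in target) or "\\" in target:
        return False
    # Scheme-relative forms ("//evil.com", "///evil.com") become a cross-origin
    # redirect in the browser even though some parsers see them as a path.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "":
        # A plain relative path such as "/account?tab=settings" stays on our origin.
        return parts.netloc == "" and parts.path.startswith("/")
    # Absolute URL: only https, and the hostname (userinfo stripped, port stripped,
    # lower-cased by urlsplit) must be on the allowlist. "https://www.example.com@evil.com"
    # therefore resolves to hostname "evil.com" and is rejected; so is "https:///evil.com",
    # whose netloc is empty and hostname is None.
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


# Constructed bypass payloads (not from the page) that defeat the prefix check.
BYPASSES = [
    "https://www.example.com.evil.com/",
    "https://www.example.com@evil.com/",
    "https://www.example.com\\@evil.com/",
]


def compare(payloads=BYPASSES):
    """Return {payload: (weak_verdict, strict_verdict)} to see which checks each payload survives."""
    return {p: (weak_is_safe(p), strict_is_safe(p)) for p in payloads}
```

The same payload list is a reasonable starting point when testing a `?go=` or `?next=` parameter by hand: if the application accepts any of them, the "low impact" redirect is a full cross-origin redirect, and if the parameter is reused as an OAuth redirect target it becomes a token-theft primitive.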

Tutorial Creator: zseano

Insecure Direct Object Reference (IDOR)

What is an Insecure Direct Object Reference? An example of an IDOR would be to look at the following URL: http://api.example.com/api/user/139349. If you can successfully enumerate the user ID (in our case 139349) and retrieve another user's details, you'd have yourself a valid IDOR bug. IDORs usually are that simple: changing IDs to another and seeing if it's
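The two-account check the tutorial describes, as an added example that is not from the tutorial: an in-memory stand-in for /api/user/<id> in a vulnerable and a fixed form, plus a small probe that walks the IDs around your own to see which ones come back with another user's record. The user table, the IDs and the handler names are constructed for the example.

```python
from typing import Callable, List, Optional

# Constructed sample data: sequential numeric ids, like the 139349 in the tutorial's URL.
USERS = {
    139348: {"id": 139348, "email": "alice@example.com", "phone": "+1-555-0100"},
    139349: {"id": 139349, "email": "bob@example.com", "phone": "+1-555-0101"},
    139350: {"id": 139350, "email": "carol@example.com", "phone": "+1-555-0102"},
}


def get_user_vulnerable(requester_id: int, target_id: int) -> Optional[dict]:
    """Authenticated but not authorised: the handler checks that *someone* is logged in
    and then looks the record up by whatever id the client supplied."""
    return USERS.get(target_id)


def get_user_fixed(requester_id: int, target_id: int) -> Optional[dict]:
    """Authorisation check: the object must belong to the requester. Unknown ids and
    foreign ids both return None so the endpoint is not an existence oracle."""
    record = USERS.get(target_id)
    if record is None or record["id"] != requester_id:
        return None
    return record


def probe_idor(handler: Callable[[int, int], Optional[dict]],
               requester_id: int, own_id: int, radius: int = 2) -> List[int]:
    """Request the ids around your own as yourself and report which ones leak another
    user's record. This is the 'change the id and see what comes back' step, automated."""
    leaked = []
    for candidate in range(own_id - radius, own_id + radius + 1):
        if candidate == own_id:
            continue
        record = handler(requester_id, candidate)
        if record is not None and record["id"] != requester_id:
            leaked.append(candidate)
    return leaked
```

Against a real target the handler is an HTTP request carrying your own session cookie; the only thing that changes is `candidate`. Ids that are not sequential (UUIDs) slow the probe down but do not fix the bug: the ownership check in `get_user_fixed` is what fixes it.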

Tutorial Creator: zseano

Rate Limits

I don't think rate limits need an explanation, but for those scratching their head: rate limits are designed to stop you from abusing a certain action/endpoint, for example logging in (brute forcing an account). When a rate limit occurs the user is sometimes either blo
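A rate limit only holds if it is keyed on something the client cannot change, so this added example (not from the tutorial) shows a sliding-window limiter with two key functions: one that trusts X-Forwarded-For, which a client can rotate on every request, and one that uses the peer address. The request shape, the addresses and the limits are assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per key within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float, key_func: Callable[[dict], str]):
        self.limit = limit
        self.window = window_seconds
        self.key_func = key_func          # maps a request to the identity being limited
        self.hits = defaultdict(deque)    # key -> timestamps of recent hits

    def allow(self, request: dict, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = self.hits[self.key_func(request)]
        # Drop hits that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def key_from_forwarded_header(request: dict) -> str:
    """Weak: X-Forwarded-For is just a request header, so the client chooses its own key."""
    return request["headers"].get("X-Forwarded-For", request["peer_ip"])


def key_from_peer_ip(request: dict) -> str:
    """Strict: the TCP peer address, which the client cannot forge. Behind a trusted reverse
    proxy, take the hop that proxy appended, never the first value in the header."""
    return request["peer_ip"]


def simulate_login_attempts(limiter: RateLimiter, attempts: int, spoof_header: bool) -> int:
    """Constructed brute-force run from a single source address; returns how many got through."""
    allowed = 0
    for i in range(attempts):
        # 203.0.113.0/24 is documentation address space; the request dict is a stand-in
        # for whatever your framework hands the limiter.
        request = {"peer_ip": "203.0.113.7", "headers": {}}
        if spoof_header:
            # A new 'client' on every request costs the attacker nothing.
            request["headers"]["X-Forwarded-For"] = f"10.0.0.{i % 256}"
        if limiter.allow(request, now=i * 0.01):
            allowed += 1
    return allowed
```

The same test is worth running by hand against any login or OTP endpoint: repeat the request with a changing X-Forwarded-For, X-Real-IP or similar header and see whether the block ever arrives. Per-account keys (username rather than address) are the usual complement, since an attacker with many addresses still has to hit one account.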

Tutorial Creator: zseano

Cross Site Scripting (XSS)

Before we begin: If you don't already, I highly recommend checking out BruteLogic's Blog (http://brutelogic.com.br/blog/) for great in-depth t

Tutorial Creator: zseano

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) tokens are designed to stop a hidden FORM POST on evil.com from being submitted secretly to hijack your account on example.com. Websites such as Facebook implement this by using something called "fb_dtsg", and the general purpose is you can only do an action (such as update your email) if a valid "fb_dtsg" value
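One way a token like fb_dtsg can be issued and checked, as an added example that is neither Facebook's nor the tutorial's code: the token is an HMAC over the session id and a nonce, so a token harvested from the attacker's own session does not verify against the victim's, and the state-changing handler refuses any request that does not carry a valid one. The function names, the server secret and the form shape are assumptions.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret. Generated at import here for a self-contained example;
# a real service loads it from configuration so tokens survive restarts.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Bind a fresh token to the caller's session: token = nonce '.' HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for *this* session and compare in constant time.
    A token minted for another session (the attacker's) fails here."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def update_email(session_id: str, form: dict) -> tuple:
    """State-changing handler. The browser sends the session cookie automatically on a
    forged POST from evil.com, but it cannot read or guess the token, so the form body
    from a forged request arrives without a valid one and is rejected."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return (403, "CSRF token missing or invalid")
    return (200, f"email updated to {form['email']}")
```

The token must travel in the request body or a custom header, never only in a cookie, because a cookie is exactly what the forged request already carries. When testing, the two cases worth trying are the request with the token removed and the request with a token taken from your second account; if either succeeds, the check is not actually bound to the session.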

Tutorial Creator: zseano

Recon & discovery

If you remember my earlier tutorial (https://zseano.com/tutorials/6.html) on recon, you'll remember it was pretty basic. In this tutorial I intend on going into more detail about my methodology on how I approach a bug bounty target. Let's cut the chit chat and get straight to it! Note: Never test again

Tutorial Creator: haxormad

Recon & discovery

This tutorial was posted on https://www.secjuice.com/idor-insecure-direct-object-reference-definition/

Tutorial Creator: ehsahil

External Writeup

This tutorial was posted on https://medium.com/ehsahil/recon-my-way-82b7e5f62e21

We have 6,174 disclosed issues from HackerOne

Top Disclosers


sp1d3rs
Bugs Found: 361
Bugs Disclosed: 53

bl4de
Bugs Found: 86
Bugs Disclosed: 37

cablej
Bugs Found: 274
Bugs Disclosed: 25

zephrfish
Bugs Found: 101
Bugs Disclosed: 22

anshumanbh
Bugs Found: 69
Bugs Disclosed: 20

alyssa
Bugs Found: 136
Bugs Disclosed: 17

babayaga
Bugs Found: 55
Bugs Disclosed: 17

rootxharsh
Bugs Found: 235
Bugs Disclosed: 15

tungpun
Bugs Found: 44
Bugs Disclosed: 13

juliosoares
Bugs Found: 142
Bugs Disclosed: 11

michiel
Bugs Found: 61
Bugs Disclosed: 11

rijalrojan
Bugs Found: 97
Bugs Disclosed: 10

defmax
Bugs Found: 136
Bugs Disclosed: 10

d1pakda5
Bugs Found: 106
Bugs Disclosed: 9

spam404
Bugs Found: 240
Bugs Disclosed: 8

HTTP PUT method is enabled ratelimited.me

@ Submitted to ratelimited by codeslayer137
Bug Type: None supplied

Found HTTP PUT enabled on the web servers. I tried writing the file /codelayer137.txt to the server using the PUT verb, and the contents of the file were then taken using the......

Rating: Critical


Response program can display "eligble for bounty" in scope area in program policy

@ Submitted to security by kunal94
Bug Type: Business Logic Errors

Hello Hackerone Team and @jobert First of all, Happy new year to everyone. #Summary Response program can also display "eligible for bounty" assets on program policy. It's basically causing......

Rating: Low


Local privilege escalation bug using Keybase redirector on macOS

@ Submitted to keybase by votava
Bug Type: Privilege Escalation

There's a local privilege escalation bug in the latest version of Keybase for macOS. The issue is in the process of launching `keybase-redirector`. The process works as follows: 1. Copy......

Rating: High


macOS privilege escalation via keybase install

@ Submitted to keybase by mirchr
Bug Type: Privilege Escalation

# Environment OS: macOS Mojave 10.14.1 Kernel: Darwin Kernel Version 18.2.0 keybase version 2.12.2-20181218171841+29273f4110 # Steps to reproduce Note: All steps are executed as an unprivileged......

Rating: Medium


Privilege Escalation through Keybase Installer via Helper

@ Submitted to keybase by jinmo123
Bug Type: Privilege Escalation

Keybase.app is bundled with the components installer named KeybaseInstaller.app. When `--install-app-bundle --source-path <src> --app-path <dst>` is given to installer, KBAppBundle.m......

Rating: High


Disclosure of h1 challenges name through the calendar

@ Submitted to security by rijalrojan
Bug Type: Information Disclosure

Summary: It seems like the Calendar somehow grabs the name of the target for a h1 challenge even though the target name is not public. Description: `h1challenges` do not disclose the name......

Rating: Low


Privilege Escalation via Keybase Helper (incomplete security fix)

@ Submitted to keybase by 0xcccc
Bug Type: Privilege Escalation

In the previous report (https://hackerone.com/reports/397478), the privileged helper lacked validation, so any application could abuse it to gain root privileges. But the security fix is......

Rating: High


XXE on https://duckduckgo.com

@ Submitted to duckduckgo by mik317
Bug Type: XML External Entities (XXE)

An XML External Entity (XXE) injection vulnerability was discovered in the x.js endpoint on https://duckduckgo.com......

Rating: Critical


Information Exposure Through an Error Message at news.starbucks.com

@ Submitted to starbucks by seytan6161
Bug Type: Information Exposure Through an Error Message

I've discovered Information Exposure Through an Error Message on your system POC link: https://news.starbucks.com/cms/index.php?/cp/login/forgotten_password_form=http://evil.com/?id=test-test ......

Rating: Medium


Remote attacker can impersonate Social users via ActivityPub API

@ Submitted to nextcloud by tomk
Bug Type: Deserialization of Untrusted Data

Hi there! First up I want to acknowledge that Social may not be in scope. I emailed [email protected], which pointed me here, and I wasn't sure whether to just put it in a GitHub issue. In any......

Rating: No rating


Missing Protection Mechanism in Mail Servers allows malicious user to use staff.ratelimited.me email could lead to identity theft.

@ Submitted to ratelimited by sxw
Bug Type: Violation of Secure Design Principles

Hello ratelimited, I'm not really sure how your mail servers are configured, but I guess there is a misconfiguration or missing protection mechanism that fails to verify if the email that is going......

Rating: High


Open redirect vulnerability in index.php

@ Submitted to security by yoyobabaji
Bug Type: Open Redirect

Summary: Hello Team, I would like to report an open redirect on hackerone.com with reference to report #320376. In report #320376 it shows the vulnerability as mitigated, but I am still able to......

Rating: None


Confidential data of users and limited metadata of programs and reports accessible via GraphQL

@ Submitted to security by yashrs
Bug Type: Information Disclosure

On January 31st, 2019 at 7:16pm PST, HackerOne confirmed that two reporters were able to query confidential data through a GraphQL endpoint. This vulnerability was introduced on December 17th, 2018......

Rating: Critical


Prototype pollution attack (upmerge)

@ Submitted to nodejs-ecosystem by dienpv
Bug Type: None supplied

Hi team, I would like to report a prototype pollution vulnerability in upmerge that allows an attacker to inject properties on Object.prototype. # Module module name: upmerge version: 0.1.7......

Rating: Medium


CRLF injection on https://buildbot.mariadb.org

@ Submitted to mariadb by mik317
Bug Type: CRLF Injection

A CRLF (new line) injection vulnerability has been discovered in the Buildbot.net software and reported to us. We have forwarded this to the Buildbot developers which coordinated a fix release and......

Rating: Medium


ssl cookie without secure flag set

@ Submitted to mailru by hossammesbah21
Bug Type: Violation of Secure Design Principles

Missed Secure flag for health.mail.ru session cookie was reported. Currently, health.mail.ru does not provide user's access to any protected information and does not rely on session cookies......

Rating: None


Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day

@ Submitted to zomato by dertajora
Bug Type: Business Logic Errors

Summary: Using this vulnerability, a user can use his account to claim Zomato Gold benefit several times in the same restaurant within one day. Description: Based on Zomato Gold terms and......

Rating: Low


[██████] Cross-origin resource sharing misconfiguration (CORS)

@ Submitted to deptofdefense by jarvis7
Bug Type: Improper Access Control - Generic

Hi! In this report I want to describe a high-level bug which can seriously compromise a user account. If I am authorized on this site, I can steal users' sessions, some personal information or do some......

Rating: High


Checking whether an email and phone number belong to a specific user / CSRF to change the phone number for some users

@ Submitted to vkcom by povargek
Bug Type: Cross-Site Request Forgery (CSRF)

A hash generation problem. CSRF to change the phone number given the user's last name and login, and the ability to match a phone number to an email......

Rating: High


CSRF on image upload in Pandao

@ Submitted to mailru by xalerafera
Bug Type: Cross-Site Request Forgery (CSRF)

CSRF vulnerability in avatar upload AJAX method for pandao.ru Pandao.ru is not currently covered by main bug bounty and general CSRF/XSS vulnerabilities are accepted without bounty. ...

Rating: Medium


XXE on https://duckduckgo.com

@ Submitted to duckduckgo by mik317
Bug Type: XML External Entities (XXE)

Summary: Hi DuckDuckGo team, I'm not sure of this vulnerability, but I'd like to try my luck; the `https://duckduckgo.com` domain is vulnerable to an `XXE injection` in the `/x.js` endpoint,......

Rating: Critical


Secure Pages Include Mixed Content Issue

@ Submitted to eobotcom by hamad_iheb
Bug Type: Violation of Secure Design Principles

Description The page includes mixed content, that is content accessed via HTTP instead of HTTPS. Steps 1) Enter these two URLs * https://www.eobot.com/fee * https://www.eobot.com/ad ......

Rating: None


Bypass GraphQL rate limit by abusing negative cost queries

@ Submitted to shopify by emitrani
Bug Type: Business Logic Errors

Hi security team, while looking into the graphql app I noticed an interesting implementation where each app has a bucket of query cost they are allowed to use in a given time with a certain refresh......

Rating: Low


Open Redirect on central.uber.com allows for account takeover

@ Submitted to uber by ngalog
Bug Type: Improper Authentication - Generic

An error in our OAuth2 flow for central.uber.com allowed an attacker to leverage an open redirect that allowed for a full account takeover. When logging into......

Rating: High


IDOR in activateFuelCard id allows bulk lookup of driver uuids

@ Submitted to uber by cablej
Bug Type: Insecure Direct Object Reference (IDOR)

Due to an IDOR in the activateFuelCard endpoint, an attacker could enumerate driver UUIDs. When given a sequential card ID number, the endpoint returned a driver's UUID......

Rating: Low