Contributors


palant
Write-ups shared: 9

alyssa
Write-ups shared: 8

zseano
Write-ups shared: 6

Spazzyy
Write-ups shared: 5

twiceDi
Write-ups shared: 4

noob
Write-ups shared: 4

janijay007
Write-ups shared: 4

syntaxerror
Write-ups shared: 3

iamthere
Write-ups shared: 3

nikhil
Write-ups shared: 3

tomnomnom
Write-ups shared: 2

updateLap
Write-ups shared: 2

hateshape
Write-ups shared: 2

plenum
Write-ups shared: 2

ehsahil
Write-ups shared: 7

slawbra
Write-ups shared: 2

warlord3112
Write-ups shared: 2

dorkerdevil
Write-ups shared: 2

haxormad
Write-ups shared: 2

andrysec
Write-ups shared: 2

What is the most affordable transcription service for digital recordings?

Written by alvabenton

Program: You can find affordable transcription services online. I occasionally use online services as they are cheap and hassle-free. You can upload all the files and get the transcripts delivered as you wish. It is much better than using any translation service nearby. For my paper, in addition to the notes, I recorded my seminars and conferences on my phone for reference. But I never used them, as I hate spending my time skipping through useless stuff. I ended up searching for the topics. It was quick, but nothing compares to the subject knowledge of experts. I was frustrated with the digital recordings that I couldn't use. That is when I learned about online transcription services through my friend. He recommended a local service his sister was using at that time. But the cost to transcribe all my recordings was too high. Also, I had to wait for a week or so. That is when I searched online and found there are offers for bulk orders. I found it much more affordable and very helpful for sorting out my notes. Believe me, text notes are way better than any video or audio. You can find many agencies and freelancers who are available for an easy price. I occasionally pile up my files and send them to Transcription Services, one I have been using for years now. They are cheap and reliable at any time of year. There are offers too that will cut down your budget. Here is the link to the website: TranscriptionNow.com Rating: Medium

$5000 Apache /server-status page

Written by drs

Program: Unknown Rating: None set

SQL Injections on [ Telkom Server Access ]

Written by andrysec

Program: SQL Injections on [ Telkom Server Access ] Rating: Critical

20k Server With Unrestricted Access

Written by Spazzyy

Program: [redacted] Rating:

Long Journey to Google's Hof

Written by haxormad

Program: Google Rating: Low

Infinite Loop story

Written by dorkerdevil

Program: [redacted] Rating: Low

$1500-worth Deserialization vulnerability

Written by dorkerdevil

Program: [redacted] Rating: Critical

test

Written by zseano

Program: test Rating: Critical

OOB-XXE found in several bug bounty programs

Written by nikhil

Program: [redacted] Rating: Critical

How I Hacked Oracle in 5 Minutes

Written by warlord3112

Program: Oracle Rating: Medium

We have 6,846 disclosed issues from HackerOne

Top Disclosers


sp1d3rs
Bugs Found: 361
Bugs Disclosed: 53

bl4de
Bugs Found: 86
Bugs Disclosed: 37

cablej
Bugs Found: 274
Bugs Disclosed: 25

zephrfish
Bugs Found: 101
Bugs Disclosed: 22

anshumanbh
Bugs Found: 69
Bugs Disclosed: 20

alyssa
Bugs Found: 136
Bugs Disclosed: 17

babayaga
Bugs Found: 55
Bugs Disclosed: 17

rootxharsh
Bugs Found: 235
Bugs Disclosed: 15

tungpun
Bugs Found: 44
Bugs Disclosed: 13

juliosoares
Bugs Found: 142
Bugs Disclosed: 11

michiel
Bugs Found: 61
Bugs Disclosed: 11

rijalrojan
Bugs Found: 97
Bugs Disclosed: 10

defmax
Bugs Found: 136
Bugs Disclosed: 10

d1pakda5
Bugs Found: 106
Bugs Disclosed: 9

spam404
Bugs Found: 240
Bugs Disclosed: 8

Remote Code Execution through Deserialization Attack in OwnBackup app.

@ Submitted to owncloud by q3rv0
Bug Type: Deserialization of Untrusted Data

I found a deserialization vulnerability in the [OwnBackup](https://marketplace.owncloud.com/apps/ownbackup) app; this vulnerability allows remote code execution on the server. An administrator user......


Rating: Critical | This issue took 0 days and 12 hours to fix

Stored XSS @ /engage/<project_slug>

@ Submitted to weblate by lgian
Bug Type: Cross-site Scripting (XSS) - Stored

Description: The vulnerability concerns a Stored XSS, which is currently (to the best of my knowledge) not exploitable due to the limitations stated below. I thought that the issue is worth reporting......


Rating: Medium | This issue took 0 days and 0 hours to fix

RCE on █████ via CVE-2017-10271

@ Submitted to deptofdefense by erbbysam
Bug Type: Code Injection

Summary: Happy Friday! The server at `██████` is vulnerable to CVE-2017-10271, "Oracle WebLogic Server Remote Command Execution". Description: The following request takes......


Rating: Critical | This issue took 22 days and 0 hours to fix

SSRF in webhooks leads to AWS private keys disclosure

@ Submitted to omise by honoki
Bug Type: Server-Side Request Forgery (SSRF)

Vulnerability Summary: Omise makes use of Amazon AWS as their application environment. Due to a vulnerability in the way webhooks are implemented, an attacker can make arbitrary HTTP/HTTPS requests......


Rating: High | This issue took 2 days and 0 hours to fix

Vulnerable W3 Total Cache plugin version in use on nextcloud.com

@ Submitted to nextcloud by francescocar
Bug Type: Cross-Site Request Forgery (CSRF)

Hi there, I noticed you are currently using a vulnerable version of W3 Total Cache, as the changelog containing the plugin version is publicly reachable:......


Rating: Medium | This issue took 21 days and 2 hours to fix

CVE-2019-5765: 1-click HackerOne account takeover on all Android devices

@ Submitted to chromium by bagipro
Bug Type: None supplied

████████████Hi, this is a story about a technically very simple bug which allowed dumping history from all Chromium embedders (Chromium-based browsers and WebView users). It......


Rating: No rating | This issue took 1 day and 0 hours to fix

DLL Hijacking Vulnerability in synapse-2

@ Submitted to razer_us by lawway
Bug Type: Code Injection

The Synapse 2 installer was subject to a DLL planting attack in the Downloads folder. This was fixed in May of 2019. ...


Rating: Medium | This issue took 98 days and 23 hours to fix

Retrieval and alteration of exposed media on Android Oreo

@ Submitted to nextcloud by doragon
Bug Type: Information Disclosure

Good afternoon. Any media downloaded from the cloud server within the Android app is subject to third party modification and server re-upload without explicit user consent. This happens at least on......


Rating: Medium | This issue took 2 days and 21 hours to fix

Broken access control on apps

@ Submitted to rocket_chat by theappsec
Bug Type: Improper Access Control - Generic

Summary: A user without administrative privileges can upload and install any application into rocket.chat, as the ID of the application is controlled in the app.json file (which is controlled by......


Rating: Critical | This issue took 0 days and 0 hours to fix

Open API - AWS S3 GET Bucket (List Objects) Version 1

@ Submitted to ecobee by prinsfrank
Bug Type: File and Directory Information Exposure

Summary: AWS S3 GET Bucket (List Objects) Version 1 API accessible. Steps To Reproduce: navigate to: https://www.ecobee.com/wp-content/uploads/ Observe that you get a listbucketresponse......


Rating: Medium | This issue took 6 days and 6 hours to fix
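Confirming a listable bucket from the response body, as an added example (not the reporter's or ecobee's code): the XML below is constructed in the shape of an S3 ListBucketResult, the parser reads object keys through the S3 XML namespace, and a triage step flags key names that turn a directory listing into something worse. IsTruncated="true" means only the first page (up to MaxKeys objects) came back; a full enumeration keeps requesting with marker set to the last key returned. The bucket name, keys and sizes are made up.

```python
import xml.etree.ElementTree as ET

# Constructed body in the shape of a "GET Bucket (List Objects) v1" reply.
# Not a capture from ecobee.com or any other real bucket.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-uploads</Name>
  <Prefix></Prefix>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents>
    <Key>2019/03/logo.png</Key>
    <LastModified>2019-03-01T10:00:00.000Z</LastModified>
    <Size>8123</Size>
  </Contents>
  <Contents>
    <Key>backup/db-2019-03-01.sql.gz</Key>
    <LastModified>2019-03-02T02:00:00.000Z</LastModified>
    <Size>91234567</Size>
  </Contents>
  <Contents>
    <Key>.env</Key>
    <LastModified>2019-03-03T02:00:00.000Z</LastModified>
    <Size>412</Size>
  </Contents>
</ListBucketResult>
"""

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Assumed list of suffixes that escalate a listable bucket beyond "medium".
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".env", ".pem", ".key", ".bak", ".zip", ".tar.gz")

def parse_bucket_listing(body):
    """Parse a ListBucketResult body; returns None if body is not one.

    ElementTree does not fetch external entities, so feeding it an untrusted
    response is safe from XXE here.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != S3_NS + "ListBucketResult":
        return None
    objects = []
    for c in root.iter(S3_NS + "Contents"):
        key = c.findtext(S3_NS + "Key") or ""
        size = int(c.findtext(S3_NS + "Size") or 0)
        objects.append((key, size))
    return {
        "bucket": root.findtext(S3_NS + "Name"),
        "truncated": (root.findtext(S3_NS + "IsTruncated") or "").lower() == "true",
        "objects": objects,
    }

def triage_listing(body):
    """Turn a response body into a finding summary for the report."""
    listing = parse_bucket_listing(body)
    if listing is None:
        return {"listable": False}
    flagged = [k for k, _ in listing["objects"] if k.lower().endswith(SENSITIVE_SUFFIXES)]
    return {
        "listable": True,
        "bucket": listing["bucket"],
        "count": len(listing["objects"]),
        "truncated": listing["truncated"],
        "sensitive": flagged,
    }
```

The fix on the bucket side is to deny s3:ListBucket to anonymous principals (or enable Block Public Access): individual objects can stay public-read for a WordPress uploads directory without the bucket being enumerable, since the object GET and the bucket LIST are separate permissions.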

IDOR in changing shared file name

@ Submitted to trint_ltd by dhakalananda
Bug Type: Insecure Direct Object Reference (IDOR)

Summary: Hi Trint LTD, I have found an IDOR vulnerability in https://app.trint.com . A user can change shared file names through this IDOR. Steps To Reproduce: 1. Create a file from account B......


Rating: Medium | This issue took 28 days and 19 hours to fix

[serve-here.js] List any file in the folder by using path traversal.

@ Submitted to nodejs-ecosystem by toannc123
Bug Type: Path Traversal

I would like to report a Path Traversal in serve-here.js. It allows listing any file in a folder other than the web root. # Module module name: serve-here.js version: 1.1.3 npm page:......


Rating: High | This issue took 44 days and 22 hours to fix
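The defect class behind this report, as an added example written in Python rather than taken from serve-here.js: the vulnerable resolver glues the document root and the decoded request path together and normalises the result, so enough ../ segments walk out of the root (this mirrors what Node's path.join does with such input; Python's own posixpath.join would discard the root entirely on an absolute second argument, which is worse). The hardened version strips the leading slash, normalises, and insists the result is the root itself or a path beneath it. The WEB_ROOT value is assumed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/public"      # assumed document root for the example

def _request_to_relative(request_path):
    """Decode the URL path once and normalise separators; None on NUL bytes."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)            # one round only: %252e stays a literal '%2e'
    if "\x00" in path:
        return None                 # NUL truncation tricks against the file API
    return path.replace("\\", "/")  # backslashes are separators on Windows

def vulnerable_resolve(root, request_path):
    """The static-server pattern that leaks: concatenate root and request, then normalise.

    Mirrors Node's path.join(root, req.path): the '..' segments collapse
    against the root, so three of them from /srv/www/public reach '/'.
    """
    path = _request_to_relative(request_path)
    if path is None:
        return None
    return posixpath.normpath(root + "/" + path)

def safe_resolve(root, request_path):
    """Hardened form: normalise, then require the result to stay under root.

    Works on the path string only. When the result is served from disk, call
    os.path.realpath on it and repeat the prefix test, so a symlink inside the
    root cannot point back outside it.
    """
    path = _request_to_relative(request_path)
    if path is None:
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None                 # escaped the document root: refuse, do not "fix up"
    return target
```

Listing (rather than reading) is the impact the report names, but the resolver is the same either way: once the resolved path is outside the root, whether the handler then calls readdir or open only changes what the attacker sees first.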

Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand

@ Submitted to automattic by dermeister
Bug Type: Improper Authentication - Generic

Product / URL https://instagram-brand.com/register/reset/<the security token here>?email=<your email here> Description and Impact After a user clicks on the password reset link......


Rating: Low | This issue took 59 days and 16 hours to fix

Stored XSS in infogram.com via language

@ Submitted to infogram by theappsec
Bug Type: Cross-site Scripting (XSS) - Stored

The stored XSS was found in the language profile parameter. POC: Change profile settings with the following request: ```http PUT /api/users/me HTTP/1.1 Host: infogram.com User-Agent: Mozilla/5.0 (X11;......


Rating: High | This issue took 0 days and 3 hours to fix

XSS Reflected on my_report

@ Submitted to semrush by r0hack
Bug Type: Cross-site Scripting (XSS) - Reflected

Hello again. This time, in addition to the HTML injection, a full XSS goes through in the user dashboard. Payload:......


Rating: Low | This issue took 115 days and 5 hours to fix

Predictable Random Number Generator

@ Submitted to nextcloud by mru1
Bug Type: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Description: The mobile application uses a predictable Random Number Generator (RNG). Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based......


Rating: Medium | This issue took 2 days and 20 hours to fix
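The summary does not name the generator the app used, so as an added example (not Nextcloud's code) here is the weakness shown on the generator most scripting languages hand you by default, Python's random module (MT19937): 624 consecutive 32-bit outputs are enough to rebuild the full internal state and predict everything that follows. Any token, reset code or IV drawn from such a generator falls to whoever can observe a couple of kilobytes of its output; the secrets module (like SecureRandom on Android, or getrandom/urandom directly) draws from the OS CSPRNG and has no such state to recover. The seed and the token-generator framing below are this example's own.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF

def untemper(y):
    """Invert MT19937's output tempering; returns the raw state word."""
    y ^= y >> 18                            # undo y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000             # undo y ^= (y << 15) & 0xEFC60000
    x = y                                   # undo y ^= (y << 7) & 0x9D2C5680:
    for _ in range(5):                      #   low 7 bits are already right, each pass fixes 7 more
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y                                   # undo y ^= y >> 11 the same way, from the top bits down
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & MASK32

def clone_mt19937(outputs):
    """Rebuild a random.Random from 624 consecutive getrandbits(32) outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    words = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # State layout is (version, (624 words + index), gauss_next). Index 624 means
    # "twist before the next output", which is exactly where the victim now is.
    clone.setstate((3, words + (624,), None))
    return clone

def predict_next(observed, n=5):
    """Given 624 leaked outputs, return the next n values the victim will produce."""
    clone = clone_mt19937(observed)
    return [clone.getrandbits(32) for _ in range(n)]

def demo(seed=20200302):
    """Simulate a victim leaking 624 'random' values (e.g. in tokens), then predict the rest."""
    victim = random.Random(seed)            # assumed: an app-level token generator seeded once
    leaked = [victim.getrandbits(32) for _ in range(624)]
    predicted = predict_next(leaked, 5)
    actual = [victim.getrandbits(32) for _ in range(5)]
    return predicted == actual

def secure_token(nbytes=16):
    """What to use instead: OS CSPRNG output, no recoverable internal state."""
    return secrets.token_hex(nbytes)
```

The attack needs raw 32-bit outputs; tokens built from random.random() or randrange() leak the same words with a little more bookkeeping (random() consumes two words per call), so narrowing the output does not rescue the design, only changing the source does.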

Unclaimed facebook page at www.cuvva.com/about

@ Submitted to cuvva by badcracker
Bug Type: Violation of Secure Design Principles

Description: Hello sir, while I was surfing your website I found an unclaimed Facebook page at www.cuvva.com/about {F503171}. When you click this button you will be redirected to......


Rating: None | This issue took 0 days and 11 hours to fix

Sensitive information/action is stored/done using a GET request

@ Submitted to khanacademy by dermeister
Bug Type: Cross-Site Request Forgery (CSRF)

#Description: The action to remove an email from an account is done using a GET request and it has a security token. The URL is :......


Rating: No rating | This issue took 997 days and 3 hours to fix

Private/confidential setting of calendar events is ignored on activity stream

@ Submitted to nextcloud by nickvergessen
Bug Type: Information Disclosure

https://github.com/nextcloud/server/pull/13331 Events that are private should not generate events for other users. Events that are confidential should not leak the name to other users. Impact: The......


Rating: Low | This issue took 169 days and 16 hours to fix

Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com

@ Submitted to automattic by dermeister
Bug Type: Improper Authentication - Generic

Product / URL https://en.instagram-brand.com/wp-json/brc/v1/login/ Description and Impact An attacker can perform account takeover by leveraging following two vulnerabilities: Auth Bypass =......


Rating: High | This issue took 77 days and 19 hours to fix

DOM XSS via Shopify.API.Modal.initialize

@ Submitted to shopify by tems
Bug Type: Cross-site Scripting (XSS) - DOM

Similar #422043 & #576532 Payload ( Based on #576532): ```html <script> function attack(){ const ctx = window.open(location.origin+'/admin/themes', '_blank') const......


Rating: Low | This issue took 11 days and 0 hours to fix

Apache mod_status /server-status Information Disclosure

@ Submitted to tomtom by vijay922
Bug Type: Information Exposure Through Debug Information

Description It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current......


Rating: Medium | This issue took 42 days and 14 hours to fix
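Two entries on this page ($5000 Apache /server-status page above, and this one) are the same exposed handler. As an added example, not taken from either report or from TomTom: a parser over a constructed mod_status page that pulls out what an attacker actually uses from it, namely the exact Apache build, the internal address in the "(via ...)" heading, client IPs, virtual hosts, and full request lines, which with ExtendedStatus On include query strings and therefore any tokens passed in them. The HTML, hostnames and addresses below are constructed, not captured from a real server.

```python
import re

# Constructed fragment shaped like an Apache 2.4 mod_status page with
# ExtendedStatus On. Not a capture from any real host.
SAMPLE_STATUS = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for www.example.com (via 10.0.3.7)</h1>
<dl><dt>Server Version: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1</dt>
<dt>Server Built: 2019-09-16T12:58:48</dt>
<dt>Current Time: Monday, 02-Mar-2020 10:15:43 UTC</dt>
<dt>Server uptime:  12 days 3 hours 4 minutes 1 second</dt>
<dt>Total accesses: 1489112 - Total Traffic: 19.3 GB</dt>
</dl>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>11213</td><td>0/12/901</td><td>_</td><td>0.03</td><td>2</td><td>0</td><td>0.0</td><td>0.12</td><td>9.81</td><td>198.51.100.23</td><td>http/1.1</td><td>www.example.com:443</td><td nowrap>GET /account/reset?token=3f9a1c HTTP/1.1</td></tr>
<tr><td><b>0-1</b></td><td>11214</td><td>1/7/655</td><td>W</td><td>0.01</td><td>0</td><td>3</td><td>0.0</td><td>0.09</td><td>7.22</td><td>203.0.113.44</td><td>http/1.1</td><td>api.example.com:443</td><td nowrap>POST /v1/login HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>11215</td><td>0/3/120</td><td>.</td><td>0.00</td><td>5</td><td>0</td><td>0.0</td><td>0.02</td><td>1.03</td><td>10.0.3.7</td><td>http/1.1</td><td>www.example.com:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
</table></body></html>
"""

def parse_server_status(body):
    """Extract what an attacker learns from an exposed mod_status page.

    Returns None when the body is not a mod_status page. The patterns are
    deliberately loose because the table layout varies between Apache versions.
    """
    if "<title>Apache Status</title>" not in body and "Apache Server Status" not in body:
        return None
    info = {}
    m = re.search(r"Server Version:\s*([^<]+)", body)
    info["version"] = m.group(1).strip() if m else None
    m = re.search(r"Apache Server Status for ([^\s<]+)(?: \(via ([^)]+)\))?", body)
    info["server"] = m.group(1) if m else None
    info["internal_ip"] = m.group(2) if m and m.group(2) else None
    requests = []
    for row in re.findall(r"<tr>(.*?)</tr>", body, re.S):
        cells = [re.sub(r"<[^>]+>", "", c).strip()
                 for c in re.findall(r"<td[^>]*>(.*?)</td>", row, re.S)]
        if len(cells) < 14:
            continue                      # header row (th cells) or an unfamiliar layout
        requests.append({"client": cells[10], "vhost": cells[12], "request": cells[13]})
    info["requests"] = requests
    # Query strings in live request lines are the real exposure: tokens, session ids, searches.
    info["requests_with_query"] = [r["request"] for r in requests if "?" in r["request"]]
    return info
```

The remediation is the handler's own access control rather than a WAF rule: in Apache 2.4, `<Location "/server-status"> SetHandler server-status  Require local </Location>` (or `Require ip` for a monitoring subnet), and ExtendedStatus Off if request lines are not needed, since the default mod_status config shipped by some distributions only binds the handler without restricting it.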

Information leakage and default open port

@ Submitted to slack by freem0
Bug Type: None supplied

@freem0 found Prometheus plugin output that was exposed on one of our servers. The information exposed included some OS information and metrics about memory......


Rating: Low | This issue took 500 days and 11 hours to fix

Stored XSS/HTML injection in autocomplete suggestions for sharing

@ Submitted to nextcloud by sjw
Bug Type: Cross-site Scripting (XSS) - Stored

Encrypted report, see attached GnuPG file. I tried to send this by mail, but [email protected] told me that I'm forced (sic!) to sign up here. Please use 7F40 5A4F FAA3 F51B FEFD EE2F CE82 B2C8......


Rating: Medium | This issue took 164 days and 13 hours to fix

Uploading large avatar images cause excessive CPU usage

@ Submitted to nextcloud by fancycode
Bug Type: Denial of Service

How to reproduce: - Create an account on any server running Nextcloud 13 or 14. - Open the personal settings. - Upload a large image as avatar (tested with a 4032x3024 PNG image of about 14.5 MB). -......


Rating: No rating | This issue took 114 days and 21 hours to fix
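A pre-decode size gate that would stop the reproduction above, as an added example and not Nextcloud's actual fix: a PNG's dimensions sit in the IHDR chunk that starts 8 bytes into the file, so a server can reject a 4032x3024 avatar (12.2 million pixels) from the first 33 bytes, before any decoder allocates a bitmap or resamples it. The byte budget, the MAX_PIXELS budget and the make_png_head helper (which only constructs test input) are this example's own assumptions; JPEG needs the same check against its SOF marker, and image libraries that offer a pixel limit (Pillow's Image.MAX_IMAGE_PIXELS, for example) should have it set as a second line of defence.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 4_000_000          # assumed budget (~2000x2000); size it to the decoder's memory/CPU cost
MAX_BYTES = 2_000_000           # assumed upload cap, checked first because it is the cheapest test

def png_dimensions(data):
    """Read width and height from the IHDR chunk without decoding the image.

    Layout: 8-byte signature, then chunk length (4), type 'IHDR' (4),
    13 data bytes (width, height, depth, colour type, ...), CRC (4).
    Returns (width, height) or None if data is not a well-formed PNG head.
    """
    if len(data) < 33 or not data.startswith(PNG_SIG):
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    body = data[16:29]
    expected_crc = struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != expected_crc:
        return None                 # corrupt or hand-forged header: let the decoder reject it later
    width, height = struct.unpack(">II", body[:8])
    if width == 0 or height == 0:
        return None
    return width, height

def avatar_upload_allowed(data, max_bytes=MAX_BYTES, max_pixels=MAX_PIXELS):
    """Decide whether an uploaded avatar may be handed to the image decoder."""
    if len(data) > max_bytes:
        return False, "file too large (%d bytes)" % len(data)
    dims = png_dimensions(data)
    if dims is None:
        return False, "not a PNG"
    w, h = dims
    if w * h > max_pixels:
        return False, "too many pixels: %dx%d" % (w, h)
    return True, "ok: %dx%d" % (w, h)

def make_png_head(width, height):
    """Constructed test input: signature + a valid IHDR for the given size, nothing else."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)   # 8-bit RGBA, no interlace
    chunk = b"IHDR" + body
    return PNG_SIG + struct.pack(">I", 13) + chunk + struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
```

Checking the header rather than the file size is the point: a 4032x3024 image compresses to a few hundred kilobytes if it is mostly flat colour, so a byte cap alone does not bound the decoder's work, while the pixel count does.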