I have found a Stored Cross Site Scripting vulnerability in Google Docs (https://docs.google.com). The XSS was pretty simple and at first I was not expecting a reward. The vulnerability lies within the main Google Docs interface (creating a document). To reproduce, create an HTML file embedded with the payload. Then save it as HTML and open it. Drag and drop the produced XSS vector into Google Docs and the XSS will pop. The vulnerability was fixed by Google within a week (pretty fast). I also received a bounty and was listed in their Hall of Fame. I got the "Elite (31337/eleet)" reward.
November 4 ----- Reported
November 5 ----- Report was triaged
November 6 ----- A bug was filed, according to Michael J. (Google Security Team)
November 12 ---- Rewarded by Google Security Team
Reward:
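The defensive side of the drag-and-drop case above is to treat any HTML a user drops or pastes into the editor as untrusted and run it through an allowlist sanitizer before it is inserted into the document. The following is an added example written for this page, not Google's code; the allowed tag and attribute sets, the safe URL schemes and the sample inputs are assumptions chosen for the illustration.

```python
"""Allowlist sanitizer for HTML that a user pastes or drops into a rich-text editor.
Added example, not Google's code. Every tag and attribute that is not explicitly
allowed is dropped, so event handlers such as onerror never reach the DOM."""
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: allowed elements and the attributes each may keep.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                       # elements that never get a closing tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumed URL policy


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # tags we emitted, so the output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag; any text inside it is still kept, as escaped text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # on* handlers are never in the allowlist, so they are dropped here
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # close up to and including the matching tag so the result is well-formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return a copy of `html` containing only allowlisted markup."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ('<p>hi <img src=x onerror=alert(1)></p>',
                   '<a href="javascript:alert(1)">link</a>',
                   '<script>alert(1)</script>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The point of an allowlist is that nothing needs to be known about the attack: an `onerror` attribute is removed not because it was recognised as dangerous but because it was never permitted, and dropped tags still leave their text behind, escaped, so content is not silently lost.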
I have found ANOTHER cross site scripting in Slack. This time, a Stored one, the most dangerous of all XSS... Anyway, the payload I used is very unique: the XSS has to be popped up through an emoji. The Slack security team fixed this pretty fast since the XSS is a Stored one. This was my third bug from Slack, and I immediately rose to the Top 26 in their thanks page (https://hackerone.com/slack/thanks/). For more details regarding my report, just visit this link: https://hackerone.com/reports/96337
I have found another Cross Site Scripting vulnerability in Slack. This time it is a Reflected XSS. The XSS was located in the team integration search bar. The bug was fixed immediately by the Slack security team. This was my second bug from Slack. You can read more about my report at this link: https://hackerone.com/reports/97683
I have found a Cross Site Scripting vulnerability in Slack. The XSS lies in the creation of a new post. The XSS can be triggered by formatting text as code: just type in the payload, then change it to code format. The bug has been fixed by the Slack security team. The link to my report can be found here: https://hackerone.com/reports/89505
I found a Stored Cross Site Scripting vulnerability in Parse, a Facebook acquisition. The Stored XSS was located in the App dashboard. I reported it to Facebook, who rewarded me with a $1000 bounty, and I was also listed in their "Whitehat List" for the year 2015. The issue was fixed by the Facebook security team. Here is the video for more details. WhiteHat list: https://www.facebook.com/whitehat/thanks
I found an "abandoned" subdomain of WePay that can be taken over, and is thus vulnerable to subdomain takeover. I reported it to WePay and it was fixed after 2 hours (which is pretty fast). The vulnerable site was staging.wepay.com. If you visit that site, you will encounter an error saying "Unknown domain:staging.wepay.com", indicating that nobody owns that domain and anyone can take it and register it at a hosting site. The CNAME is pointing to Fastly.
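The condition described above (a CNAME still pointing at a hosting provider after the service behind it was torn down) is something a zone owner can catch by reconciling DNS against the inventory of services actually provisioned at each provider. The following is an added example, not WePay's code; the provider suffix table, the zone records and the inventory are constructed for the illustration and the suffixes are assumptions about how each provider names its endpoints.

```python
"""Flag CNAME records that point at a third-party hosting provider where the hostname
is not (or no longer) claimed. Added example, not WePay's code; all data is constructed."""

# Providers that answer for any hostname CNAMEd at them. If the hostname was never
# claimed, or its claim was deleted, the provider serves an "unknown domain" page, which
# is the dangling state. The suffixes here are assumptions for the example.
PROVIDER_SUFFIXES = {
    "fastly.net": "Fastly",
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
}

# Constructed zone export: (name, type, target).
ZONE = [
    ("www.example.test", "CNAME", "www.example.test.global.prod.fastly.net."),
    ("staging.example.test", "CNAME", "staging.example.test.global.prod.fastly.net."),
    ("docs.example.test", "CNAME", "example.github.io."),
    ("api.example.test", "A", "203.0.113.10"),
]

# Constructed inventory: hostnames currently claimed in each provider's console.
PROVISIONED = {
    "Fastly": {"www.example.test"},
    "GitHub Pages": {"docs.example.test"},
}


def provider_for(target):
    """Return the hosting provider a CNAME target belongs to, or None if it is not a
    known provider (e.g. a self-hosted name)."""
    t = target.rstrip(".").lower()
    for suffix, name in PROVIDER_SUFFIXES.items():
        if t == suffix or t.endswith("." + suffix):
            return name
    return None


def find_dangling(zone, provisioned):
    """Return [(hostname, provider)] for CNAMEs that point at a provider where the
    hostname is not in the provisioned inventory. A and other record types are ignored."""
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        provider = provider_for(target)
        if provider is None:
            continue
        if name.lower() not in provisioned.get(provider, set()):
            findings.append((name, provider))
    return findings


if __name__ == "__main__":
    for host, provider in find_dangling(ZONE, PROVISIONED):
        print(f"DANGLING: {host} -> {provider} (remove the record or reclaim the service)")
```

The remediation is the same either way: delete the CNAME when the service is decommissioned, or re-claim the hostname at the provider. Running the reconciliation on every zone change, rather than once, is what keeps the window closed.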
I recently found an XSS in the Pinterest developer website. It only took 2 days for Pinterest to fix it. At first glance, Pinterest told me that it is a self-XSS, but I sent further info and they realized it is a reflected XSS and that it is eligible for a bounty.
Steps to reproduce:
1. Go to developers.pinterest.com
2. Then go to the widget builder
3. In the custom image field, enter the payload
4. XSS pop-up
I found a Cross Site Scripting vulnerability in dashboard.heroku.com. Heroku has their bug bounty program hosted on Bugcrowd. This is my first bug on Bugcrowd. The bug was fixed after 2 weeks and they rewarded me with a $200 bounty.
Steps to reproduce:
1. Go to dashboard.heroku.com
2. Go to the "Deploy" tab
3. Click "New Pipeline"
4. Enter the XSS payload
5. Click "Create Pipeline" and the XSS pops up
I have found an XSS vulnerability in PayPal. It is located on their main site (https://www.paypal.com/). Unfortunately my report was a duplicate; another researcher had already found the bug. Anyway, here is the POC:
June 1 ------ Bug found
June 3 ------ Confirmed the vulnerability, gave me a case number.
De La Salle University is one of the Philippines' most prestigious universities and is included in the "Top 4 universities and colleges in the Philippines". However, their site has an SQL injection vulnerability. I have reported it to them over the past 2 years (since I was in 3rd year High School) but got no reply. There are many vulnerable parameters. Among them is this: http://www.dlsu.edu.ph/faculty/fis/alpha_list.asp?letter=B%27 Notice the string (%27), which will tell whether it can be injected or not. POC:
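Why a single encoded quote (%27) is enough to tell the two cases apart, and what the fix looks like, can be shown with a small in-memory database. This is an added example and not the university's code; the faculty table, its rows and the shape of the query are constructed to mirror an alphabetical listing keyed by first letter.

```python
"""String concatenation versus a parameterized query for an alphabetical listing.
Added example, not the university's code; the table and rows are constructed."""
import sqlite3
from urllib.parse import unquote


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faculty (name TEXT)")
    conn.executemany("INSERT INTO faculty VALUES (?)",
                     [("Bautista, A.",), ("Bernardo, C.",), ("Cruz, D.",)])
    return conn


def alpha_list_vulnerable(conn, letter):
    """The user-supplied value is spliced into the SQL text, so a quote in it
    changes the statement's structure instead of being treated as data."""
    sql = "SELECT name FROM faculty WHERE name LIKE '" + letter + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def alpha_list_safe(conn, letter):
    """The value is bound as a parameter; the statement text is fixed and the
    database never parses the user's input as SQL."""
    sql = "SELECT name FROM faculty WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (letter + "%",))]


def probe(conn, raw_query_value):
    """Return (vulnerable_outcome, safe_outcome) for a URL-encoded `letter` value.
    An SQL error from the concatenated version is the tell-tale sign the page mentions."""
    letter = unquote(raw_query_value)  # "B%27" -> "B'"
    try:
        vuln = alpha_list_vulnerable(conn, letter)
    except sqlite3.OperationalError as e:
        vuln = f"SQL error: {e}"
    safe = alpha_list_safe(conn, letter)
    return vuln, safe


if __name__ == "__main__":
    conn = make_db()
    for value in ("B", "B%27"):
        print(value, "->", probe(conn, value))
```

With `B` both versions return the same two names; with `B%27` the concatenated query fails to parse (the database error that shows up on the page), while the parameterized query simply looks for names beginning with `B'` and returns nothing. Binding parameters is the fix; validating that `letter` is a single character is a worthwhile second layer, but not a substitute.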
While randomly searching for websites to "pwn", I came across the website of the Official Gazette of the Republic of the Philippines (http://gov.ph). I just typed a payload in the search bar and voila! XSS vulnerable. I contacted them via Twitter and the XSS was fixed after a day (they are serious about web vulnerabilities now, unlike before).
The vulnerable part was their search bar. Just type the payload you want. In my case I used the most common payload, which is "><img src=x onerror=alert(document.domain)>.
Vulnerability has been fixed, check it out yourself :)
So this bug is about an XSS vulnerability I found in Edmodo. The bug is now fixed. They responded within 3 days (pretty fast) and also fixed the vulnerability on the last day.
Steps to reproduce:
1. To reproduce the issue you must, of course, have an Edmodo account.
2. Go to the upper left panel and you will see 3 symbols; click the left one, which is the "Backpack".
3. After that, go to "Folders" on the left pane.
4. Click "New Folder" and enter the payload. Now here is the trick: ordinary payloads like "><img src=x onerror=alert(1)> will be filtered. To bypass the filter, I used this instead: <img src=x onerror=alert(5)>
5. Now click "Create".
6. XSS pop-up.
As a reward, they will give me goodies :) like Edmodo mugs, T-shirts, etc.
August 17 ---- Reported and Triaged
August 18 ---- Vulnerability confirmed. Asked for my mailing address for reward delivery
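The gov.ph search bar and the Edmodo folder name above illustrate the same lesson from the defender's side: a filter that looks for one known breakout string stops one payload and misses the next, whereas contextual output encoding handles both without knowing anything about the payload. The following is an added example and not gov.ph's or Edmodo's code; the two templates and the blocklist filter are constructed stand-ins for what those pages may have done, and the only payloads used are the two quoted in the posts.

```python
"""Blocklist filter versus contextual output encoding, using the two payloads quoted
in the posts above. Added example; the templates and the filter are constructed."""
from html import escape
from html.parser import HTMLParser

# Payloads from the posts: the first breaks out of a quoted attribute value, the
# second is a plain element that never needs the '">' prefix.
BREAKOUT = '"><img src=x onerror=alert(document.domain)>'
PLAIN = '<img src=x onerror=alert(5)>'


def blocklist_filter(value):
    """Constructed stand-in for a filter that rejects the '">' breakout prefix and lets
    everything else through."""
    return "" if '">' in value else value


# Attribute context: a search box that echoes the query.
def search_box_unsafe(query):
    return f'<input name="q" value="{query}">'


def search_box_safe(query):
    # escape(quote=True) encodes & < > " ' so the value cannot close the attribute.
    return f'<input name="q" value="{escape(query, quote=True)}">'


# Text context: a folder name rendered as a list item.
def folder_item_filtered(name):
    return f'<li>{blocklist_filter(name)}</li>'


def folder_item_safe(name):
    return f'<li>{escape(name, quote=True)}</li>'


class TagCollector(HTMLParser):
    """Records which elements an HTML parser creates from the rendered markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(html):
    """Return the start tags a parser finds; anything beyond the template's own tag
    means user input became markup."""
    c = TagCollector()
    c.feed(html)
    c.close()
    return c.tags


if __name__ == "__main__":
    for label, rendered in [("unsafe search box", search_box_unsafe(BREAKOUT)),
                            ("safe search box", search_box_safe(BREAKOUT)),
                            ("filtered folder, breakout", folder_item_filtered(BREAKOUT)),
                            ("filtered folder, plain", folder_item_filtered(PLAIN)),
                            ("safe folder, plain", folder_item_safe(PLAIN))]:
        print(f"{label:28} tags={tags_in(rendered)}")
```

Note that the encoded output still contains the literal text `onerror`; encoding does not remove content, it changes the context the browser parses it in, which is why the same function is correct for both the attribute value and the list item here.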