XSS
-
[Bugbounty Study] #iCloud _ Stored XSSStudy/Bugbounty Study 2021. 2. 23. 00:26
# icloud.com Stored XSS _ \$5000 vbharad.medium.com/stored-xss-in-icloud-com-5000-998b8c4b2075 Stored XSS in icloud.com — $5000 Hello Guys hope you all are doing well, fine and healthy during this hard time. vbharad.medium.com 원작자는 icloud.com을 타겟으로 정한 후, CSRF, IDOR, Logic Bugs 등의 취약점을 찾기 위해 노력하다 XSS를 찾기로 결정하였다. 값을 삽입할 수 있는 다양한 곳에 페이로드를 삽입하면서 입력한 페이로드가 응답에 반영되는 페이지를 찾기 위해 많은 시도를 하였고, 결국 페이로드가 반영되..
-
[Bugbounty Study] #Twitter _ Open Redirect to XSSStudy/Bugbounty Study 2020. 12. 3. 23:21
# dev.twitter.com Open Redirect to XSS_ $1,120 hackerone.com/reports/330008 Twitter disclosed on HackerOne: [dev.twitter.com] XSS and Open... Description: Hi after I finish reading the report https://hackerone.com/reports/260744.i start to test this subdomain.i fount an interesting url [https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/basics/adding-international-support-to-your-apps].t..
-
[Bugbounty Study] #Google _ XSSStudy/Bugbounty Study 2020. 3. 30. 23:55
# Google Translator XSS _ \$3133.70 https://medium.com/monetary/how-did-i-earn-3133-70-from-google-translator-9becf942dbdc How did I earn $3133.70 from Google Translator? A bug may seem simple but not at all simple when you need to be … Vietnamese. medium.com 베트남어를 영어로 번영하는 과정에서 우연히 태그가 들어갔고, 아래와 같이 태그가 적용되어 출력되는 것을 확인할 수 있었다. 개발자 도구(F12)를 이용하여 HTML 태그가 실행되고 있는 것을 확인하였다. Google은 encode HTML 태그를 ..
-
[Bugbounty Study] #Shopify _ Open Redirect to XSSStudy/Bugbounty Study 2020. 3. 30. 18:15
#Shopify XSS _ \$1750 https://medium.com/@ashketchum/how-i-earned-1750-at-shopify-bug-bounty-program-ca7821990d08 How I Earned $1750 at Shopify Bug Bounty Program Introduction medium.com Shopify의 your-store.myshopify.com를 살펴보다 설정의 로그인 서비스를 발견하였다. 위와 같이 Enable Google Apps for login에 체크하여, Staff이 구글을 통해 로그인을 시도하면 어떤 방식으로 권한을 주는지 살펴보았다. Log in with Google을 하면 볼 수 있는 "google_apps_uri" 파라미터에서 Open Re..
-
[Bugbounty Study] #Starbucks _ XSS & LFIStudy/Bugbounty Study 2020. 3. 22. 06:53
# Reflected Cross site Scripting (XSS) _ $375 https://hackerone.com/reports/438240 Starbucks disclosed on HackerOne: Reflected Cross site Scripting... **Summary:** Reflected Cross site Scripting (XSS) on https://www.starbucks.com/account/signin?ReturnUrl **Description:** The attacker can execute javascript on the victims account just after the authentication process. **Platform(s) Affected:** ww..