Bug Bounty Cheat Sheet

📚 Reference	🔎 Vulnerabilities
Bug Bounty Platforms	XSS
Books	SQLi
Special Tools	SSRF
Recon	CRLF Injection
Practice Platforms	CSV Injection
Bug Bounty Tips	LFI
	XXE
	RCE
	Open Redirect
	Crypto
	Template Injection
	Content Injection
	XSLT Injection
	Buffer Overflow Attack

Contents

• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Clickjacking (UI Redressing Attack)
• Local File Inclusion (LFI)
• Subdomain Takeover
• Denial of Service (DOS)
• Authentication Bypass
• SQL injection
• 2FA Related issues
• CORS Related issues
• Server Side Request Forgery (SSRF)
• Race Condition
• Remote Code Execution (RCE)
• Contributing
• Maintainers

Cross Site Scripting (XSS)

• From P5 to P2 to 100 BXSS
• Google Acquisition XSS (Apigee)
• DOM-Based XSS at accounts.google.com by Google Voice Extension
• XSS on Microsoft.com via Angular Js template injection
• Researching Polymorphic Images for XSS on Google Scholar
• Netflix Party Simple XSS
• Stored XSS in google nest
• Self XSS to persistent XSS on login portal
• Universal XSS affecting Firefox
• XSS WAF Character limitation bypass like a boss
• Self XSS to Account Takeover
• Reflected XSS on Microsoft subdomains
• The tricky XSS
• Reflected XSS in AT&T
• XSS on Google using Acunetix
• Exploiting websocket application wide XSS
• Reflected XSS with HTTP Smuggling
• XSS on Facebook instagram CDN server bypassing signature protection
• XSS on Facebook’s Acquisition Oculus
• XSS on sony Subdomain
• Exploiting Self XSS
• Effortlessly Finding Cross Site Scripting inclusion XSSI
• Bugbounty a DOM XSS
• Blind XSS : a mind Game
• FireFox IOS QR code reader XSS(CVE-2019-17003)
• HTML injection to XSS
• XSS at error page of repository code
• XSS like a Pro
• How I turned self XSS to stored XSS via CSRF
• XSS Stored on Outlook web
• XSS Bug 20 Chars Blind XSS Payload
• XSS in AMP4EMAIL(DOM clobbering)
• DOM Based XSS bug bounty writeup
• XSS will never die
• 5000 USD XSS issue at avast desktop antivirus
• XSS to account takeover
• How Paypal helped me to generate XSS
• Bypass Uppercase filters like a PRO(XSS advanced methods)
• Stealing login credentials with reflected XSS
• bughunting xss on cookie popup warning
• XSS is love
• Oneplus XSS vulnerability in customer support portal
• Exploiting cookie based XSS by finding RCE
• Stored XSS on zendesk via macros
• XSS in ZOHO main
• DOM based XSS in private program
• Bugbounty writeup : Take Attention and get stored XSSS
• How I xssed admin account
• Clickjacking XSS on google
• Stored XSS on laporbugid
• Leveraging angularjs based XSS to privilege escalation
• How I found XSS by searching in shodan
• Chaining caache poisining to stored XSS
• XSS to RCE
• XSS on twitter worth 1120
• Reflected XSS in ebay.com
• Cookie based XSS exolpoitation 2300 bug bounty
• What do netcat -SMTP-self XSS have in common
• XSS on google custom search engine
• Story of a Full Account Takeover vulnerability N/A to Accepted
• Yeah I got p2 in 1 minute stored XSS via markdown editor
• Stored XSS on indeed
• Self XSS to evil XSS
• How a classical XSS can lead to persistent ATO vulnerability
• Reflected XSS in tokopedia train ticket
• Bypassing XSS filter and stealing user credit card data
• Googleplex.com blind XSS
• Reflected XSS on error page
• How I was able to get private ticket response panel and fortigate web panel via blind XSS
• Unicode vs WAF
• Story of URI based XSS with some simple google dorking
• Stored XSS on edmodo
• XSSed my way to 1000
• Try harder for XSS
• From parameter pollution to XSS
• MIME sniffing XSS
• Stored XSS on techprofile Microsoft
• Tale of a wormable Twitter XSS
• XSS attacks google bot index manipulation
• From Reflected XSS to Account takeover
• Stealing local storage data through XSS
• CSRF attack can lead to stored XSS
• XSS Reflected (filter bypass)
• XSS protection bypass on hackerone private program
• Just 5 minutes to get my 2nd Stored XSS on edmodo.com
• Multiple XSS in skype.com
• Obtaining XSS using moodle featured and minor bugs
• XSS on 403 forbidden bypass akamai WAF
• How I was turn self XSS into reflected XSS
• A Tale of 3 XSS
• Stored XSS on Google.com
• Stored XSS in the Guides gameplaersion (www.dota2.com)
• Admin google.com reflected XSS
• Paypal Stored security bypass
• Paypal DOM XSS main domain
• Bugbounty : The 5k$ Google XSS
• Facebook stored XSS
• Ebay mobile reflected XSS
• Magix bugbounty XSS writeup
• Abusing CORS for an XSS on flickr
• XSS on google groups
• Oracle XSS
• Content types and XSS Facebook Studio
• Admob Creative image XSS
• Amazon Packaging feedback XSS
• PaypalTech XSS
• Persistent XSS on my world
• Google VRP XSS in device management
• Google VRP XSS
• Google VRP Blind XSS
• WAZE XSS
• Referer Based XSS
• How we invented the Tesla DOM XSS
• Stored XSS on rockstar game
• How I was able to bypass strong XSS protection in well known website imgur.com
• Self XSS to Good XSS
• That escalated quickly : from partial CSRF to reflected XSS to complete CSRF to Stored XSS
• XSS using dynamically generated js file
• Bypassing XSS filtering at anchor Tags
• XSS by tossing cookies
• Coinbase angularjs dom XSS via kiteworks
• Medium Content spoofing and XSS
• Managed Apps and music a tale of two XSSes in Google play
• Making an XSS triggered by CSP bypass on twitter
• Escalating XSS in phantomjs image rendering to SSRF
• Reflected XSS in Simplerisk
• Stored XSS in the heart of the russian email provider
• How I built an XSS worm on atmail
• XSS on bugcrowd and so many other websites main domain
• Godaddy XSS affects parked domains redirector Processor
• Stored XSS in Google image search
• A pair of plotly bugs stored XSS abd AWS metadata
• Near universal XSS in mcafee web gateway
• Penetrating Pornhub XSS vulns
• How I found a 5000 Google maps XSS by fiddling with protobuf
• Airbnb when bypassing json encoding XSS filter WAF CSP and auditior turns into eight vulnerabilities
• Lightwight markup a trio of persistent XSS in gitlab
• XSS ONE BAY
• SVG XSS in unifi
• Stored XSS in unifi V4.8.12 controller
• Turning self XSS into good XSS v2
• SWF XSS DOM Based XSS
• XSS filter bypass in Yahoo Dev flurry
• XSS on Flickr
• Two vulnerabilities makes an exploit XSS and csrf in bing
• Runkeeper stored XSS
• Google sleeping XSS awakens 5k bounty
• Poisoning the well compromising godaddy customer support with blind XSS
• UBER turning self XSS to good XSS
• XSS on facebook via png content types
• Cloudflare XSS
• How I found XSS Vulnerability in Google
• XSS to RCE
• One payload to XSS them all
• Self XSS on komunitas
• Reclected XSS on alibabacloud
• Self XSS on komunitas bukalapak
• A real XSS in OLX
• Self XSS using IE adobes
• Stealing local storage through XSS
• 1000 USD in 5mins Stored XSS in Outlook
• OLX reflected XSS
• My first stored XSS on edmodo.com
• Hack your form new vector for BXSS
• How I found Blind XSS vulnerability in redacted.com
• 3 XSS in protonmail for iOS
• XSS in edmodo wihinin 5 mins
• Stil work redirect Yahoo subdomain XSS
• XSS in azure devOps
• Shopify reflected XSS
• Muliple Stored XSS on tokopedia
• Stored XSS on edmodo
• A unique XSS scenario 1000 Bounty
• Protonmail XSS Stored
• Chaining tricky ouath exploitation to stored XSS
• Antihack XSS to php uplaod
• Reflected XSS in zomato
• XSS through SWF file
• Hackyourform BXSS
• Reflected XSS on ASUS
• Stored XSS via Alternate text at zendesk support
• How I stumbled upon a stored XSS : my first bug bounty story
• Cookie based Self XSS to Good XSS
• Reflected XSS on amazon
• XSS worm : a creative use of web application vulnerability
• Google code in XSS
• Self XSS on indeed.com
• How I accidentally found XSS in Protonmail for iOS app
• XML XSS in yandex.ru by accident
• Critical Stored XSS vulnerability
• XSS bypass using META tag in realestate.postnl.nl
• Edmodo XSS bug
• XSS in hiden input fields
• How I discovered XSS that affected over 20 uber subdomains
• DOM based XSS or why you should not rely on cloudflare too much
• XSS in dynamics 365
• XSS deface with html and how to convert the html into charcode
• Cookie based injection XSS making explitable with exploiting other vulns
• XSS with put in ghost blog
• XSS using a Bug in safari and why blacklists are stupid
• Magic XSS with two parameters
• DOM XSS bug affecting tinder shopify Yelp
• Persistent XSS unvalidated open graph embed at linkedin.com
• My first 0day exploit CSP Bypass Reflected XSS
• Google Stored XSS in payments
• XSS on dropbox
• Weaponizing XSS attacking internal domains
• How I XSSed UBER and bypassed CSP
• RXSS and CSRF bypass to Account takeover
• Another XSS in google collaboratory
• How I bypassed AKAMAI waf in overstock.com
• Reflected XSS at philips.com
• XSS vulnerabilities in multiple iframe busters affecting top tier sites
• Reflected DOM XSS and clickjacking silvergoldbull
• Stored XSS vulnerability in h1 private
• Authbypass SQLi and XSS
• Stored XSS vulnerability in tumblr
• XSS in google code jam
• Mapbox XSS
• My first valid XSS
• Stored XSS in webcomponents.org
• 3 minutes XSS
• icloud.com DOM based XSS
• XSS at hubspot and in email areas
• Self XSS leads to blind XSS and Reflected XSS
• Refltected XSS primagames.com
• Stored XSS in gameskinny
• Blind XSS in Chrome experments Google
• Yahoo two XSSI vulnerabilities chained to steal user information (750$)
• How I found XSS on amazon
• A blind XSS in messengers twins
• XSS in microsoft Subdomain
• Persistent XSS at ah.nl
• The 12000 intersection betwenn clickjaking , XSS and DOS
• XSS in google collaboratory CSP bypass
• How I found blind XSS in apple
• Reflected XSS on amazon.com
• How I found XSS in 360totalsecurity
• The 2.5 BTC Stored XSS
• XSS Vulnerability in Netflix
• A story of a UXSS via DOM XSS clickjacking in steam inventory helper
• How I found XSS via SSRF vulnerability
• Searching for XSS found ldap injection
• how I converted SSRF to XSS in a SSRF vulnerable JIRA
• Reflected XSS in Yahoo subdomain
• Account takeover and blind XSS
• How I found 5 stored XSS on a private program
• Persistent XSS to steal passwords(Paypal)
• Self XSS + CSRF to stored XSS
• Stored XSS in yahoo and subdomains
• XSS in microsoft
• Blind XSS at customer support panel
• Reflected XSS on stackoverflow
• Stored XSS in Yahoo
• XSS 403 forbidden Bypass
• Turning self XSS into non self XSS via authorization issue at paypal
• A story of stored XSS bypass
• Mangobaaz hacked XSS to credentials
• How I got stored XSS using file upload
• Bypassing CSP to abusing XSS filter in edge
• XSS to session Hijacking
• Reflected XSS on www.zomato.com
• XSS in subdomain of yahoo
• XSS in yahoo.net subdomain
• Reflected XSS moongaloop swf version 62x
• Google adwords 3133.7 Stored XSS
• How I found a surprising XSS vulnerability on oracle netsuite
• Stored XSS on snapchat
• How I was able to bypass XSS protection on h1 private program
• Reflected XSS possible
• XSS via angularjs template injection hostinger
• Microsoft follow feature XSS (CVE-2017-8514)
• XSS protection bypass made my quickest bounty ever
• Taking note XSS to RCE in the simplenote electron client
• VMWARE official vcdx reflected XSS
• How I pwned a company using IDOR and Blind XSS
• From Recon to DOM based XSS
• Local file read via XSS
• Non persistent XSS at microsoft
• A Stored XSS in google (double kill)
• Filter bypass to Reflected XSS on finance.yahoo.com (mobile version)
• 900$ XSS in yahoo : recon wins
• How I bypassed practos firewall and triggered an XSS vulnerability
• Stored XSS to full information disclosure
• Story of parameter specific XSS
• Chaining self XSS with UI redressing leading to session hijacking
• Stored XSS with arbitrary cookie installation
• Reflective XSS and Open redirect on indeed.com subdomain
• How I found reflected XSS on Yahoo subdomain
• Dont just alert(1) because XSS is more fun
• UBER XSS by helpe of KNOXSS
• Reflected XSS in Yahoo
• Reflected XSS on ww.yahoo.com
• XSS because of wrong content type header

Cross Site Request Forgery (CSRF)

• How a simple CSRF attack turned into a P1
• How I exploited the json csrf with method override technique
• How I found CSRF(my first bounty)
• Exploiting websocket application wide XSS and CSRF
• Site wide CSRF on popular program
• Using CSRF I got weird account takeover
• CSRF CSRF CSRF
• Google Bugbounty CSRF in learndigital.withgoogle.com
• CSRF token bypass [a tale of 2k bug]
• 2FA bypass via CSRF attack
• Stored iframe injection CSRF account takeover
• Instagram delete media CSRF
• An inconsistent CSRF
• Bypass CSRF with clickjacking worth 1250
• Sitewide CSRF graphql
• Account takeover using CSRF json based
• CORS to CSRF attack
• My first CSRF to account takeover
• 4x chained CSRFs chained for account takeover
• CSRF can lead to stored XSS
• Yet other examples of abusing CSRF in logout
• Wordpress CSRF to RCE
• Bruteforce user IDs via CSRF to delete all the users with CSRF attack
• CSRF Bypass using cross frame scripting
• Account takeover via CSRF
• A very useful technique to bypass the CSRF protection
• CSRF account takeover exlpained automated manual bugbounty
• CSRF to account takeover
• How I got 500USD from microsoft for CSRF vulnerability
• Critical Bypass CSRF protection
• RXSS CSRF bypass to full account takeover
• Youtube CSRF
• Self XSS + CSRF = Stored XSS
• Ribose IDOR with simple CSRF bypass unrestrcited changes and deletion to other photo profile
• JSON CSRF attack on a social networking site
• Hacking facebook oculus integration CSRF
• Amazon leaking CSRF token using service worker
• Facebook graphql CSRF
• Chain the vulnerabilities and take your report impact on the moon csrf to html injection
• Partial CSRF to Full CSRF
• Stealing access token of one drive integration by chain csrf vulnerability
• Metasploit web project kill all running taks CSRF CVE-2017-5244
• Messenger site wide CSRF
• Hacking Facebook CSRF device login flow
• Two vulnerabilities makes an exploit XSS and CSRF in bing
• How I bypassed Facebook in 2016
• Ubiquiti bugbounty unifi generic CSRF protection Bypass
• Bypass Facebook CSRF
• Facebook CSRF full account takeover

Clickjacking (UI redressing attack)

• Google Bug bounty Clickjacking on Google payment
• Google APIs Clickjacking worth 1337$
• Clickjacking + XSS on Google org
• Bypass CSRF with clickjacking on Google org
• 1800 worth Clickjacking
• Account takeover with clickjacking
• Clickjacking on google CSE
• How I accidentally found clickjacking in Facebook
• Clickjacking on google myaccount worth 7500
• Clickjacking in google docs and void typing feature
• Reflected DOM XSS and Clickjacking
• binary.com clickjacking vulnerability exploiting HTML5 security features
• 12000 intersection betwen clickjacking XSS and denial of service
• Steam fire and paste : a story of uxss via DOM XSS and Clickjacking in steam inventory helper
• Yet another Google Clickjacking
• Redressing instagram leaking application tokens via instagram clickjacking vulnerability
• Self XSS to Good XSS and Clickjacking
• Microsoft Yammer clickjacking exploiting HTML5 security features
• Firefox find my device clickjacking
• Whatsapp Clickjacking vulnerability
• Telegram WEB client clickjacking vulnerability
• Facebook Clickjacking : how we put a new dress on facebook UI

Local File Inclusion (LFI)

• RFI LFI Writeup
• My first LFI
• Bug bounty LFI at Google.com
• Google LFI on production servers in redacted.google.com
• LFI to 10 server pwn
• LFI in apigee portals
• Chain the bugs to pwn an organisation LFI unrestricted file upload to RCE
• How we got LFI in apache drill recom like a boss
• Bugbounty journey from LFI to RCE
• LFI to RCE on deutche telekom bugbounty
• From LFI to RCE via PHP sessions
• magix bugbounty magix.com XSS RCE SQLI and LFI
• LFI in nokia maps

Subdomain Takeover

• How I bought my way to subdomain takeover on tokopedia
• Subdomain Takeover via pantheon
• Subdomain takeover : a unique way
• Escalating subdomain takeover to steal sensitive stuff
• Subdomain takeover awarded 200
• Subdomain takeover via wufoo service
• Subdomain takeover via Hubspot
• Souq.com subdomain takeover
• Subdomain takeover : new level
• Subdomain takeover due to misconfigured project settings for custom domain
• Subdomain takeover via shopify vendor
• Subdomain takeover via unsecured s3 bucket
• Subdomain takeover worth 200
• Subdomain takeover via campaignmonitor
• How to do 55000 subdomain takeover in a blink of an eye
• Subdomain takeover Starbucks (Part 2)
• Subdomain takeover Starbucks
• Uber wildcard subdomain takeover
• Bugcrowd domain subdomain takeover vulnerability
• Subdomain takeover vulnerability (Lamborghini Hacked)
• Authentication bypass on uber’s SSO via subdomain takeover
• Authentication bypass on SSO ubnt.com via Subdomain takeover of ping.ubnt.com

Denial of Service (DOS)

• Long String DOS
• AIRDOS
• Denial of Service DOS vulnerability in script loader (CVE-2018-6389)
• Github actions DOS
• Application level denial of service
• Banner grabbing to DOS and memory corruption
• DOS across Facebook endpoints
• DOS on WAF protected sites
• DOS on Facebook android app using zero width no break characters
• Whatsapp DOS vulnerability on android and iOS
• Whatsapp DOS vulnerability in iOS android

Authentication Bypass

• Touch ID authentication Bypass on evernote and dropbox iOS apps
• Oauth authentication bypass on airbnb acquistion using wierd 1 char open redirect
• Two factor authentication bypass
• Instagram multi factor authentication bypass
• Authentication bypass in nodejs application
• Symantec authentication Bypass
• Authentication bypass in CISCO meraki
• Slack SAML authentocation bypass
• Authentication bypass on UBER’s SSO
• Authentication Bypass on airbnb via oauth tokens theft
• Inspect element leads to stripe account lockout authentication Bypass
• Authentication bypass on SSO ubnt.com

SQL Injection(SQLI)

• Tricky oracle SQLI situation
• Exploiting “Google BigQuery” SQLI
• SQLI via stopping the redirection to a login page
• Finding SQLI with white box analysis a recent bug example
• Bypassing a crappy WAF to exploit a blind SQLI
• SQL Injection in private-site.com/login.php
• Exploiting tricky blind SQLI
• SQLI in forget password fucntion
• SQLI Bug Bounty
• File Upload blind SQLI
• SQL Injection
• SQLI through User Agent
• SQLI in insert update query without comma
• SQLI for 50 bounty
• Abusing MYSQL CLients
• SQLI Authentication Bypass AutoTrader Webmail
• ZOL Zimbabwe Authentication Bypass to XSS & SQLi
• SQLI bootcamp.nutanix.com
• SQLI in University of Cambridge
• Making a blind SQLI a little less Blind SQLI
• SQLI amd silly WAF
• Attacking Postgresql Database
• Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection
• A 5 minute SQLI
• Union based SQLI writeup
• SQLI with load file and into outfile
• SQLI is Everywhere
• SQLI in Update Query Bug
• Blind SQLI Hootsuite
• Yahoo – Root Access SQLI – tw.yahoo.com
• Step by Step Exploiting SQLI in Oculus
• Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)
• Tesla Motors blind SQLI
• SQLI in Nokia Sites

2FA related issues

• 2FA Bypass via logical rate limiting Bypass
• Bypass 2FA in a website
• Weird and simple 2FA bypass
• How I cracked 2FA with simple factor bruteforce
• Instagram account is reactivated without entering 2FA
• How to bypass 2FA with a HTTP header
• How I hacked 40k user accounts of microsoft using 2FA bypass outlook
• How I abused 2FA to maintain persistence after password recovery change google microsoft instragram
• Bypass hackerone 2FA
• Facebook Bug bounty : How I was able to enumerate instagram accounts who had enabled 2FA

CORS related issues

• CORS bug on google’s 404 page (rewarded)
• CORS misconfiguration leading to private information disclosure
• CORS misconfiguration account takeover out of scope to grab items in scope
• Chrome CORS
• Bypassing CORS
• CORS to CSRF attack
• An unexploited CORS misconfiguration reflecting further issues
• Think outside the scope advanced cors exploitation techniques
• A simple CORS misconfiguration leaked private post of twitter facebook instagram
• Explpoiting CORS misconfiguration
• Full account takeover through CORS with connection sockets
• Exploiting insecure CORS API api.artsy.net
• Pre domain wildcard CORS exploitation
• Exploiting misconfigured CORS on popular BTC site
• Abusing CORS for an XSS on flickr

Server Side Request Forgery (SSRF)

• Exploiting an SSRF trials and tribulations
• SSRF on PDF generator
• Google VRP SSRF in Google cloud platform stackdriver
• Vimeo upload function SSRF
• SSRF via ffmeg processing
• My first SSRF using DNS rebinding
• Bugbounty simple SSRF
• SSRF reading local files from downnotifier server
• SSRF vulnerability
• Gain adfly SMTP access with SSRF via gopher protocol
• Blind SSRF in stripe.com due to senntry misconfiguration
• SSRF port issue hidden approch
• The jorney of web cache firewall bypass to SSRF to AWS credentials compromise
• SSRF to local file read and abusing aws metadata
• pdfreactor SSRF to root level local files read which lead to RCE
• SSRF trick : SSRF XSPA in micosoft’s bing webwaster
• Downnotifeer SSRF
• Escalating SSRF to RCE
• Vimeo SSRF with code execution potential
• SSRF in slack
• Exploiting SSRF like a boss
• AWS takeover SSRF javascript
• Into the borg of SSRF inside google production network
• SSRF to local file disclosure
• How I found an SSRF in yahoo guesthouse (recon wins)
• Reading internal files using SSRF vulnerability
• Airbnb chaining third party open redirect into SSRF via liveperson chat

Race Condition

• Exploiting a Race condition vulnerabililty
• Race condition that could result to RCE a story with an app
• Creating thinking is our everything : Race condition and business logic
• Chaining improper authorization to Race condition to harvest credit card details
• A Race condition bug in Facebook chat groups
• Race condition bypassing team limit
• Race condition on web
• Race condition bugs on Facebook

Remote Code Execution (RCE)

• Microsoft RCE bugbounty
• OTP bruteforce account takeover
• Attacking helpdesk RCE chain on deskpro with bitdefender
• Remote image upload leads to RCE inject malicious code
• Finding a p1 in one minute with shodan.io RCE
• From recon to optimizing RCE results simple story with one of the biggest ICT company
• Uploading backdoor for fun and profit RCE DB creds P1
• Responsible Disclosure breaking out of a sandboxed editor to perform RCE
• Wordpress design flaw leads to woocommerce RCE
• Path traversal while uploading results in RCE
• RCE jenkins instance
• Traversing the path to RCE
• How I chained 4 bugs features into RCE on amazon
• RCE due to showexceptions
• Yahoo luminate RCE
• Latex to RCE private bug bounty program
• How I got hall of fame in two fortune 500 companies an RCE story
• RCE by uploading a web config
• 36k Google app engine RCE
• How I found 2.9 RCE at yahoo
• Bypass firewall to get RCE
• RCE vulnerabilite in yahoo subdomain
• RCE in duolingos tinycards app from android
• Unrestricted file upload to RCE
• Getting a RCE (CTF WAY)
• RCE starwars
• How I got 5500 from yahoo for RCE
• RCE in Addthis
• Paypal RCE
• My First RCE (Stressed Employee gets me 2x bounty)
• Abusing ImageMagick to obtain RCE
• How Snapdeal Kept their Users Data at Risk!
• RCE via ImageTragick
• How I Cracked 2FA with Simple Factor Brute-force!
• Found RCE but got Duplicated
• “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce eStores
• IDOR to RCE
• RCE on AEM instance without JAVA knowledge
• RCE with Flask Jinja tempelate Injection
• Race Condition that could result to RCE
• Chaining Two 0-Days to Compromise An Uber Wordpress
• Oculus Identity Verification bypass through Brute Force
• Used RCE as Root on marathon Instance
• Two easy RCE in Atlassian Products
• RCE in Ruby using mustache templates
• About a Sucuri RCE…and How Not to Handle Bug Bounty Reports
• Source code disclosure vulnerability
• Bypassing custom Token Authentication in a Mobile App
• Facebook’s Burglary Shopping List
• From SSRF To RCE in PDFReacter
• Apache strust RCE
• Dell KACE K1000 Remote Code Execution
• Handlebars Tempelate Injection and RCE
• Leaked Salesforce API access token at IKEA.com
• Zero Day RCE on Mozilla’s AWS Network
• Escalating SSRF to RCE
• Fixed : Brute-force Instagram account’s passwords
• Bug Bounty 101 — Always Check The Source Code
• ASUS RCE vulnerability on rma.asus-europe.eu
• Magento – RCE & Local File Read with low privilege admin rights
• RCE in Nokia.com
• Two RCE in SharePoint
• Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over
• RCE in Hubspot with EL injection in HubL
• Github Desktop RCE
• eBay Source Code leak
• Facebook source code disclosure in ads API
• XS-Searching Google’s bug tracker to find out vulnerable source code

Buffer Overflow Writeups

-Buffer Overflow Attack Book pdf -Github Reposirtory on Buffer Overflow Attack -Stack-Based Buffer Overflow Attacks: Explained and Examples -How Buffer Overflow Attacks Work -Binary Exploitation: Buffer Overflows -WHAT IS A BUFFER OVERFLOW? LEARN ABOUT BUFFER OVERRUN VULNERABILITIES, EXPLOITS & ATTACKS

Contributing

We welcome contributions from the public.

Using the issue tracker 💡

The issue tracker is the preferred channel for bug reports and features requests.

Issues and labels 🏷

Our bug tracker utilizes several labels to help organize and identify issues.

Guidelines for bug reports 🐛

Use the GitHub issue search — check if the issue has already been reported.

Style Guide

We like to keep our Markdown files as uniform as possible. So if you submit a PR, make sure to follow this style guide (we will not be angry if you do not).

• Cheat sheet titles should start with ##.
• Subheadings should be made bold. (**Subheading**)
• Add newlines after subheadings and code blocks.
• Code blocks should use three backticks. (```)
• Make sure to use syntax highlighting whenever possible.

Bitcoin : 35ptN6ZEsuQpJWpCLuw2RQL176MB6yBfaS