Skip to content

Latest commit

 

History

History
91 lines (90 loc) · 11 KB

TOPQIWI.md

File metadata and controls

91 lines (90 loc) · 11 KB
Raw

Top reports from QIWI program at HackerOne:

  1. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 475 upvotes, $0
  2. Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int to QIWI - 221 upvotes, $0
  3. Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" to QIWI - 194 upvotes, $0
  4. MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass to QIWI - 148 upvotes, $0
  5. SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution to QIWI - 118 upvotes, $0
  6. account takeover https://qiwi.me to QIWI - 106 upvotes, $0
  7. account takeover https://idea.qiwi.com/ to QIWI - 87 upvotes, $0
  8. Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID to QIWI - 84 upvotes, $0
  9. SSRF на https://qiwi.com с помощью "Prerender HAR Capturer" to QIWI - 77 upvotes, $0
  10. DOM XSS triggered in secure support desk to QIWI - 66 upvotes, $0
  11. account takeover through password reset in url https://reklama.tochka.com/ to QIWI - 57 upvotes, $0
  12. Обход комиссии на переводы to QIWI - 56 upvotes, $0
  13. XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $0
  14. Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID to QIWI - 52 upvotes, $0
  15. [contact-sys.com] SQL Injection████ limit param to QIWI - 50 upvotes, $0
  16. apache access.log leakage via long request on https://rapida.ru/ to QIWI - 42 upvotes, $0
  17. XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 41 upvotes, $0
  18. account takeover https://teamplay.qiwi.com to QIWI - 40 upvotes, $0
  19. PIN OK attack to QIWI - 39 upvotes, $0
  20. account impersonate through broken link to QIWI - 39 upvotes, $0
  21. [qiwi.me] Stored XSS to QIWI - 37 upvotes, $0
  22. [p2p.qiwi.com] nginx alias traversal to QIWI - 34 upvotes, $0
  23. [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN to QIWI - 32 upvotes, $0
  24. Обход комиссии при оплате картой to QIWI - 32 upvotes, $0
  25. gifts.flocktory.com/phpmyadmin is vulnerable csrf to QIWI - 32 upvotes, $0
  26. XSS https://agent.postamat.tech/ в профиле + дисклоз секретной информации to QIWI - 31 upvotes, $0
  27. mysql.initial.sql file is accessable for everyone to QIWI - 30 upvotes, $0
  28. Account takeover just through csrf in https://booking.qiwi.kz/profile to QIWI - 30 upvotes, $0
  29. HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites to QIWI - 29 upvotes, $0
  30. [qiwi.com] XSS on payment form to QIWI - 28 upvotes, $0
  31. [QIWI Wallet] Access to protected app components to QIWI - 26 upvotes, $0
  32. CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco to QIWI - 26 upvotes, $0
  33. Account Takeover through registration to the same email address to QIWI - 26 upvotes, $0
  34. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 21 upvotes, $0
  35. [lk.contact-sys.com] LKlang Path Traversal to QIWI - 21 upvotes, $0
  36. [contact-sys.com] XSS /ajax/transfer/status trn param to QIWI - 21 upvotes, $0
  37. Обход комиссии на переводы to QIWI - 21 upvotes, $0
  38. [id.rapida.ru] Full Path Disclosure to QIWI - 19 upvotes, $0
  39. IDOR редактирование любого вишлиста to QIWI - 19 upvotes, $0
  40. [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ to QIWI - 18 upvotes, $0
  41. Небезопасная схема выдачи номера карты QVC (возможно, также QVV и QVP) to QIWI - 18 upvotes, $0
  42. crlf injection на https://bug.qiwi.com to QIWI - 18 upvotes, $0
  43. [qiwi.com] Oauth захват аккаунта to QIWI - 17 upvotes, $0
  44. Information disclosure on https://paycard.rapida.ru to QIWI - 17 upvotes, $0
  45. [wallet.rapida.ru] XSS Cookie flashcookie to QIWI - 17 upvotes, $0
  46. Возможность регистрации на сайте qiwi.com на любой номер телефона to QIWI - 17 upvotes, $0
  47. [sms.qiwi.ru] XSS via Request-URI to QIWI - 16 upvotes, $0
  48. broken authentication (password reset link not expire after use in https://network.tochka.com/sign-up) to QIWI - 16 upvotes, $0
  49. https://fundl.qiwi.com CSRF на подтверждении sms to QIWI - 15 upvotes, $0
  50. [ibank.qiwi.ru] XSS via Request-URI to QIWI - 15 upvotes, $0
  51. [contact-sys.com] XSS via Request-URI to QIWI - 14 upvotes, $0
  52. Каким-то образом получил чужой платеж к себе на копилку https://qiwi.me/undefined to QIWI - 14 upvotes, $0
  53. Слив какого-то access токена to QIWI - 14 upvotes, $0
  54. Imformation Disclosure on id.rapida.ru to QIWI - 13 upvotes, $0
  55. [qiwi.com] Information Disclosure to QIWI - 12 upvotes, $0
  56. [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS to QIWI - 12 upvotes, $0
  57. [vitrina.contact-sys.com] Full Path Disclosure to QIWI - 12 upvotes, $0
  58. Nickname disclosure through web-chat to QIWI - 12 upvotes, $0
  59. [qiwi.me] No limits on image download requests to QIWI - 12 upvotes, $0
  60. Subdomain Takeover on 1c-start.tochka.com pointing to unbouncepages to QIWI - 12 upvotes, $0
  61. [qiwi.com] .bash_history to QIWI - 11 upvotes, $0
  62. hard-use account takeover qiwi.com to QIWI - 11 upvotes, $0
  63. Раскрытие чувствительной информации composer.lock docker-compose.yml to QIWI - 9 upvotes, $0
  64. [rubm.qiwi.com] Yui charts.swf XSS to QIWI - 8 upvotes, $0
  65. [XSS/3dsecure.qiwi.com] 3DSecure XSS to QIWI - 8 upvotes, $0
  66. Раскрытие баланса на //kopilka.qiwi.com to QIWI - 8 upvotes, $0
  67. Open Redirect in meeting.qiwi.com to QIWI - 8 upvotes, $0
  68. Xss on billing to QIWI - 8 upvotes, $0
  69. какой-то исходный код в корне сайта to QIWI - 8 upvotes, $0
  70. Stored xss in agent.qiwi.com to QIWI - 7 upvotes, $0
  71. disclosing clients' secret keys https://stage-uapi.tochka.com:2000/ to QIWI - 7 upvotes, $0
  72. [ibank.qiwi.ru] UI Redressing via Request-URI to QIWI - 6 upvotes, $0
  73. Session Cookie without HttpOnly and secure flag set to QIWI - 5 upvotes, $0
  74. Открытый доступ к корпоративным данным. to QIWI - 5 upvotes, $0
  75. [qiwi.com] Open Redirect to QIWI - 5 upvotes, $0
  76. Content Spoofing in mango.qiwi.com to QIWI - 5 upvotes, $0
  77. [z.tochka.com] Unlimited file uploads lead to malware executed to QIWI - 5 upvotes, $0
  78. Keychain data persistence may lead to account takeover to QIWI - 4 upvotes, $0
  79. Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails to QIWI - 3 upvotes, $0
  80. [ishop.qiwi.com] XSS + Misconfiguration to QIWI - 3 upvotes, $0
  81. [wallet.rapida.ru] Mass SMS flood to QIWI - 3 upvotes, $0
  82. https://teamplay.qiwi.com/ накрутка баллов => финансовые убытки для компании to QIWI - 3 upvotes, $0
  83. [qiwi.com] /oauth/confirm.action XSS to QIWI - 2 upvotes, $0
  84. Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number to QIWI - 2 upvotes, $0
  85. [static.qiwi.com] XSS proxy.html to QIWI - 2 upvotes, $0
  86. SSL Certificate on qiwi.com will expire soon. to QIWI - 2 upvotes, $0
  87. CRLF Injection [ishop.qiwi.com] to QIWI - 2 upvotes, $0
  88. [send.qiwi.ru] XSS at auth?login= to QIWI - 1 upvotes, $0
  89. XSS Reflected in test.qiwi.ru to QIWI - 1 upvotes, $0