TOPQIWI.md

File metadata and controls

91 lines (90 loc) · 11.2 KB

Top reports from QIWI program at HackerOne:

  1. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 467 upvotes, $5500
  2. Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int to QIWI - 217 upvotes, $1000
  3. Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" to QIWI - 193 upvotes, $1000
  4. MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass to QIWI - 147 upvotes, $3500
  5. SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution to QIWI - 117 upvotes, $1000
  6. account takeover https://qiwi.me to QIWI - 106 upvotes, $750
  7. account takeover https://idea.qiwi.com/ to QIWI - 88 upvotes, $300
  8. Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID to QIWI - 84 upvotes, $2500
  9. SSRF on https://qiwi.com via "Prerender HAR Capturer" to QIWI - 76 upvotes, $1500
  10. DOM XSS triggered in secure support desk to QIWI - 65 upvotes, $500
  11. Bypassing the commission on transfers to QIWI - 56 upvotes, $1050
  12. account takeover through password reset in url https://reklama.tochka.com/ to QIWI - 56 upvotes, $500
  13. XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $5000
  14. Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID to QIWI - 52 upvotes, $2500
  15. [contact-sys.com] SQL Injection████ limit param to QIWI - 50 upvotes, $250
  16. apache access.log leakage via long request on https://rapida.ru/ to QIWI - 42 upvotes, $100
  17. account takeover https://teamplay.qiwi.com to QIWI - 40 upvotes, $500
  18. XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
  19. PIN OK attack to QIWI - 39 upvotes, $2000
  20. account impersonate through broken link to QIWI - 39 upvotes, $100
  21. [qiwi.me] Stored XSS to QIWI - 37 upvotes, $500
  22. [p2p.qiwi.com] nginx alias traversal to QIWI - 34 upvotes, $150
  23. Bypassing the commission on card payments to QIWI - 32 upvotes, $1000
  24. [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN to QIWI - 32 upvotes, $300
  25. XSS on https://agent.postamat.tech/ in the profile + disclosure of secret information to QIWI - 31 upvotes, $200
  26. mysql.initial.sql file is accessible to everyone to QIWI - 30 upvotes, $100
  27. gifts.flocktory.com/phpmyadmin is vulnerable to CSRF to QIWI - 30 upvotes, $100
  28. Account takeover just through csrf in https://booking.qiwi.kz/profile to QIWI - 30 upvotes, $100
  29. HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites to QIWI - 29 upvotes, $300
  30. [qiwi.com] XSS on payment form to QIWI - 28 upvotes, $550
  31. [QIWI Wallet] Access to protected app components to QIWI - 26 upvotes, $500
  32. Account Takeover through registration to the same email address to QIWI - 26 upvotes, $100
  33. CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco to QIWI - 25 upvotes, $500
  34. Bypassing the commission on transfers to QIWI - 21 upvotes, $1000
  35. [lk.contact-sys.com] LKlang Path Traversal to QIWI - 21 upvotes, $150
  36. [contact-sys.com] XSS /ajax/transfer/status trn param to QIWI - 21 upvotes, $100
  37. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 20 upvotes, $200
  38. IDOR: editing any wishlist to QIWI - 19 upvotes, $500
  39. [id.rapida.ru] Full Path Disclosure to QIWI - 19 upvotes, $50
  40. CRLF injection on https://bug.qiwi.com to QIWI - 18 upvotes, $100
  41. [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ to QIWI - 17 upvotes, $1000
  42. [qiwi.com] OAuth account takeover to QIWI - 17 upvotes, $950
  43. Ability to register on qiwi.com with any phone number to QIWI - 17 upvotes, $200
  44. Insecure scheme for issuing QVC card numbers (possibly also QVV and QVP) to QIWI - 17 upvotes, $200
  45. Information disclosure on https://paycard.rapida.ru to QIWI - 17 upvotes, $100
  46. [wallet.rapida.ru] XSS Cookie flashcookie to QIWI - 17 upvotes, $100
  47. broken authentication (password reset link not expire after use in https://network.tochka.com/sign-up) to QIWI - 16 upvotes, $100
  48. [ibank.qiwi.ru] XSS via Request-URI to QIWI - 15 upvotes, $150
  49. https://fundl.qiwi.com CSRF on SMS confirmation to QIWI - 15 upvotes, $100
  50. [sms.qiwi.ru] XSS via Request-URI to QIWI - 15 upvotes, $100
  51. Leak of some access token to QIWI - 14 upvotes, $200
  52. [contact-sys.com] XSS via Request-URI to QIWI - 14 upvotes, $100
  53. Somehow received someone else's payment into my own piggy bank at https://qiwi.me/undefined to QIWI - 14 upvotes, $50
  54. Information Disclosure on id.rapida.ru to QIWI - 13 upvotes, $100
  55. [qiwi.com] Information Disclosure to QIWI - 12 upvotes, $150
  56. [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS to QIWI - 12 upvotes, $150
  57. Nickname disclosure through web-chat to QIWI - 12 upvotes, $150
  58. [vitrina.contact-sys.com] Full Path Disclosure to QIWI - 12 upvotes, $100
  59. [qiwi.me] No limits on image download requests to QIWI - 12 upvotes, $100
  60. Subdomain Takeover on 1c-start.tochka.com pointing to unbouncepages to QIWI - 12 upvotes, $50
  61. hard-use account takeover qiwi.com to QIWI - 11 upvotes, $300
  62. [qiwi.com] .bash_history to QIWI - 11 upvotes, $100
  63. Disclosure of sensitive information: composer.lock, docker-compose.yml to QIWI - 9 upvotes, $100
  64. Balance disclosure on //kopilka.qiwi.com to QIWI - 8 upvotes, $300
  65. [XSS/3dsecure.qiwi.com] 3DSecure XSS to QIWI - 8 upvotes, $250
  66. [rubm.qiwi.com] Yui charts.swf XSS to QIWI - 8 upvotes, $200
  67. Xss on billing to QIWI - 8 upvotes, $200
  68. Some source code in the site root to QIWI - 8 upvotes, $50
  69. disclosing clients' secret keys https://stage-uapi.tochka.com:2000/ to QIWI - 7 upvotes, $150
  70. Open Redirect in meeting.qiwi.com to QIWI - 7 upvotes, $100
  71. [ibank.qiwi.ru] UI Redressing via Request-URI to QIWI - 6 upvotes, $150
  72. Stored xss in agent.qiwi.com to QIWI - 6 upvotes, $100
  73. Content Spoofing in mango.qiwi.com to QIWI - 5 upvotes, $150
  74. [z.tochka.com] Unlimited file uploads lead to malware executed to QIWI - 5 upvotes, $0
  75. Open access to corporate data to QIWI - 4 upvotes, $500
  76. [qiwi.com] Open Redirect to QIWI - 4 upvotes, $150
  77. Keychain data persistence may lead to account takeover to QIWI - 4 upvotes, $100
  78. https://teamplay.qiwi.com/ point farming => financial losses for the company to QIWI - 3 upvotes, $500
  79. [wallet.rapida.ru] Mass SMS flood to QIWI - 3 upvotes, $200
  80. Session Cookie without HttpOnly and secure flag set to QIWI - 3 upvotes, $100
  81. [ishop.qiwi.com] XSS + Misconfiguration to QIWI - 2 upvotes, $200
  82. CRLF Injection [ishop.qiwi.com] to QIWI - 1 upvotes, $250
  83. [static.qiwi.com] XSS proxy.html to QIWI - 1 upvotes, $200
  84. [qiwi.com] /oauth/confirm.action XSS to QIWI - 1 upvotes, $100
  85. Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number to QIWI - 1 upvotes, $0
  86. Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails to QIWI - 1 upvotes, $0
  87. SSL Certificate on qiwi.com will expire soon. to QIWI - 1 upvotes, $0
  88. [send.qiwi.ru] XSS at auth?login= to QIWI - 0 upvotes, $200
  89. XSS Reflected in test.qiwi.ru to QIWI - 0 upvotes, $200
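As an added example (not part of the original list or of the HackerOne export it was generated from), the script below parses entries in the format used above (`N. <title> to QIWI - <upvotes> upvotes, $<bounty>`) and aggregates upvotes and bounty per vulnerability class, which is the question a hunter actually wants answered by a list like this: which bug classes this program paid for and how much. The entry regex and the keyword-to-class rules are my own assumptions about the format; the embedded sample lines are copied from the list above and one deliberately malformed line is included to show that non-entries are skipped.

```python
"""Parse a HackerOne 'top reports' list and aggregate by bug class (added example)."""
import re
from collections import defaultdict

# Assumed entry format, taken from the list above:
#   "  1. <title> to QIWI - 467 upvotes, $5500"
# The title is everything between the rank and the trailing " to QIWI - ".
# 'upvotes?' also accepts the "1 upvotes" spelling the generator emits.
ENTRY_RE = re.compile(
    r"^\s*(?P<rank>\d+)\.\s+(?P<title>.+?)\s+to QIWI\s+-\s+"
    r"(?P<upvotes>\d+)\s+upvotes?,\s+\$(?P<bounty>\d+)\s*$"
)

# (pattern, class) pairs checked in order; the first hit wins, so a report
# titled "Remote Code Execution via SQL injection" is filed under SQL injection
# (its root cause) rather than RCE. Word boundaries avoid false hits such as
# "rce" inside "source". These rules are an assumption for this example.
CLASS_RULES = [(re.compile(p, re.I), label) for p, label in [
    (r"sql injection", "SQL injection"),
    (r"\bxxe\b|xml external entity", "XXE"),
    (r"\bssrf\b", "SSRF"),
    (r"\brce\b|remote code execution", "RCE"),
    (r"account takeover", "Account takeover"),
    (r"\bxss\b", "XSS"),
    (r"\bcsrf\b", "CSRF"),
    (r"\bidor\b", "IDOR"),
    (r"traversal", "Path traversal"),
    (r"open redirect", "Open redirect"),
    (r"\bcrlf\b", "CRLF injection"),
    (r"commission", "Commission bypass"),
    (r"disclos", "Information disclosure"),
]]

# Constructed sample: real lines copied from the list above plus one junk line.
SAMPLE = """\
  1. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 467 upvotes, $5500
  2. Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int to QIWI - 217 upvotes, $1000
  4. MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass to QIWI - 147 upvotes, $3500
  6. account takeover https://qiwi.me to QIWI - 106 upvotes, $750
  13. XXE on ██████████ by bypassing WAF ████ to QIWI - 53 upvotes, $5000
  18. XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
  27. gifts.flocktory.com/phpmyadmin is vulnerable csrf to QIWI - 30 upvotes, $100
  82. CRLF Injection [ishop.qiwi.com] to QIWI - 1 upvotes, $250
this line is not an entry
"""


def classify(title):
    """Map a report title to a bug class using CLASS_RULES; 'Other' if none match."""
    for pattern, label in CLASS_RULES:
        if pattern.search(title):
            return label
    return "Other"


def parse_entry(line):
    """Parse one list line into a dict, or return None if it is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return {
        "rank": int(m["rank"]),
        "title": m["title"],
        "upvotes": int(m["upvotes"]),
        "bounty": int(m["bounty"]),
        "class": classify(m["title"]),
    }


def parse_list(text):
    """Parse every entry line in the text, silently skipping non-entries."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Per-class totals: report count, summed upvotes, summed and average bounty."""
    agg = defaultdict(lambda: {"count": 0, "upvotes": 0, "bounty": 0})
    for e in entries:
        a = agg[e["class"]]
        a["count"] += 1
        a["upvotes"] += e["upvotes"]
        a["bounty"] += e["bounty"]
    for a in agg.values():
        a["avg_bounty"] = a["bounty"] / a["count"]
    return dict(agg)


def rank_classes(summary, key="bounty"):
    """Classes sorted by the chosen metric ('bounty', 'upvotes', 'count', 'avg_bounty')."""
    return sorted(summary.items(), key=lambda kv: kv[1][key], reverse=True)


if __name__ == "__main__":
    for label, stats in rank_classes(summarize(parse_list(SAMPLE))):
        print(f"{label:22s} reports={stats['count']:2d} upvotes={stats['upvotes']:4d} "
              f"bounty=${stats['bounty']:5d} avg=${stats['avg_bounty']:.0f}")
```

Run it against the whole list (pipe the file into `parse_list`) to rank classes by total or average payout; the root-cause ordering of `CLASS_RULES` is what makes the contact-sys.com SQLi-to-RCE reports land under SQL injection, which is the class a hunter would actually go looking for next.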