TOPQIWI.md

File metadata and controls

76 lines (72 loc) · 8.5 KB

Back

Top reports from QIWI program at HackerOne:

  1. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 442 upvotes, $5500
  2. Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" to QIWI - 183 upvotes, $1000
  3. SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution to QIWI - 107 upvotes, $1000
  4. account takeover https://qiwi.me to QIWI - 105 upvotes, $750
  5. account takeover https://idea.qiwi.com/ to QIWI - 85 upvotes, $300
  6. DOM XSS triggered in secure support desk to QIWI - 63 upvotes, $500
  7. Bypassing the commission on transfers to QIWI - 55 upvotes, $1050
  8. XXE on ██████████ by bypassing WAF ████ to QIWI - 49 upvotes, $5000
  9. [contact-sys.com] SQL Injection████ limit param to QIWI - 48 upvotes, $250
  10. account takeover https://teamplay.qiwi.com to QIWI - 40 upvotes, $500
  11. XML External Entity (XXE) in qiwi.com + waf bypass to QIWI - 39 upvotes, $3137
  12. apache access.log leakage via long request on https://rapida.ru/ to QIWI - 38 upvotes, $100
  13. [qiwi.me] Stored XSS to QIWI - 37 upvotes, $500
  14. [p2p.qiwi.com] nginx alias traversal to QIWI - 34 upvotes, $150
  15. Bypassing the commission when paying by card to QIWI - 32 upvotes, $1000
  16. [lk.contact-sys.com] SQL Injection reset_password FP_LK_USER_LOGIN to QIWI - 32 upvotes, $300
  17. XSS on https://agent.postamat.tech/ in the profile + disclosure of secret information to QIWI - 30 upvotes, $200
  18. [qiwi.com] XSS on payment form to QIWI - 28 upvotes, $550
  19. Bypassing the commission on transfers to QIWI - 21 upvotes, $1000
  20. [lk.contact-sys.com] LKlang Path Traversal to QIWI - 21 upvotes, $150
  21. [contact-sys.com] XSS /ajax/transfer/status trn param to QIWI - 21 upvotes, $100
  22. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 19 upvotes, $200
  23. [id.rapida.ru] Full Path Disclosure to QIWI - 19 upvotes, $50
  24. [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ to QIWI - 17 upvotes, $1000
  25. [qiwi.com] OAuth account takeover to QIWI - 17 upvotes, $950
  26. Ability to register on the qiwi.com site with any phone number to QIWI - 17 upvotes, $200
  27. Insecure scheme for issuing the QVC card number (possibly also QVV and QVP) to QIWI - 17 upvotes, $200
  28. IDOR: editing any wishlist to QIWI - 16 upvotes, $500
  29. [wallet.rapida.ru] XSS Cookie flashcookie to QIWI - 16 upvotes, $100
  30. Information disclosure on https://paycard.rapida.ru to QIWI - 15 upvotes, $100
  31. https://fundl.qiwi.com CSRF on SMS confirmation to QIWI - 15 upvotes, $100
  32. [sms.qiwi.ru] XSS via Request-URI to QIWI - 15 upvotes, $100
  33. [ibank.qiwi.ru] XSS via Request-URI to QIWI - 14 upvotes, $150
  34. [contact-sys.com] XSS via Request-URI to QIWI - 14 upvotes, $100
  35. Leak of some access token to QIWI - 13 upvotes, $200
  36. Information Disclosure on id.rapida.ru to QIWI - 13 upvotes, $100
  37. Somehow received someone else's payment into my own piggy bank https://qiwi.me/undefined to QIWI - 13 upvotes, $50
  38. [qiwi.com] Information Disclosure to QIWI - 12 upvotes, $150
  39. [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS to QIWI - 12 upvotes, $150
  40. Nickname disclosure through web-chat to QIWI - 12 upvotes, $150
  41. [vitrina.contact-sys.com] Full Path Disclosure to QIWI - 12 upvotes, $100
  42. [qiwi.me] No limits on image download requests to QIWI - 12 upvotes, $100
  43. hard-use account takeover qiwi.com to QIWI - 11 upvotes, $300
  44. [qiwi.com] .bash_history to QIWI - 10 upvotes, $100
  45. Balance disclosure on //kopilka.qiwi.com to QIWI - 8 upvotes, $300
  46. [XSS/3dsecure.qiwi.com] 3DSecure XSS to QIWI - 8 upvotes, $250
  47. [rubm.qiwi.com] Yui charts.swf XSS to QIWI - 8 upvotes, $200
  48. Xss on billing to QIWI - 8 upvotes, $200
  49. Some source code in the site root to QIWI - 8 upvotes, $50
  50. Disclosure of sensitive information: composer.lock, docker-compose.yml to QIWI - 7 upvotes, $100
  51. [ibank.qiwi.ru] UI Redressing via Request-URI to QIWI - 6 upvotes, $150
  52. Stored xss in agent.qiwi.com to QIWI - 6 upvotes, $100
  53. Open Redirect in meeting.qiwi.com to QIWI - 6 upvotes, $100
  54. Content Spoofing in mango.qiwi.com to QIWI - 5 upvotes, $150
  55. Keychain data persistence may lead to account takeover to QIWI - 4 upvotes, $100
  56. Open access to corporate data. to QIWI - 3 upvotes, $500
  57. https://teamplay.qiwi.com/ points farming => financial losses for the company to QIWI - 3 upvotes, $500
  58. [wallet.rapida.ru] Mass SMS flood to QIWI - 3 upvotes, $200
  59. [qiwi.com] Open Redirect to QIWI - 3 upvotes, $150
  60. [ishop.qiwi.com] XSS + Misconfiguration to QIWI - 2 upvotes, $200
  61. Session Cookie without HttpOnly and secure flag set to QIWI - 2 upvotes, $100
  62. CRLF Injection [ishop.qiwi.com] to QIWI - 1 upvote, $250
  63. [static.qiwi.com] XSS proxy.html to QIWI - 1 upvote, $200
  64. [qiwi.com] /oauth/confirm.action XSS to QIWI - 1 upvote, $100
  65. Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number to QIWI - 1 upvote, $0
  66. Metadata in hosted files is disclosing usernames, printers, paths, admin guides, emails to QIWI - 1 upvote, $0
  67. SSL Certificate on qiwi.com will expire soon. to QIWI - 1 upvote, $0
  68. [send.qiwi.ru] XSS at auth?login= to QIWI - 0 upvotes, $200
  69. XSS Reflected in test.qiwi.ru to QIWI - 0 upvotes, $200
