Text And Typography

Click here

title: Awesome Bugbounty Writeups author: Elsfa7-110 categories: [XSS, Tutorial] tags: [XSS] pin: true —

Contents

• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Clickjacking (UI Redressing Attack)
• Local File Inclusion (LFI)
• Subdomain Takeover
• Denial of Service (DOS)
• Authentication Bypass
• SQL injection
• Insecure Direct Object Reference (IDOR)
• 2FA Related issues
• CORS Related issues
• Server Side Request Forgery (SSRF)
• Race Condition
• Remote Code Execution (RCE)
• Android Pentesting
• Contributing
• Maintainers

Cross Site Scripting (XSS)

• From P5 to P2 to 100 BXSS
• Google Acquisition XSS (Apigee)
• DOM-Based XSS at accounts.google.com by Google Voice Extension
• XSS on Microsoft.com via Angular Js template injection
• Researching Polymorphic Images for XSS on Google Scholar
• Netflix Party Simple XSS
• Stored XSS in google nest
• Self XSS to persistent XSS on login portal
• Universal XSS affecting Firefox
• XSS WAF Character limitation bypass like a boss
• Self XSS to Account Takeover
• Reflected XSS on Microsoft subdomains
• The tricky XSS
• Reflected XSS in AT&T
• XSS on Google using Acunetix
• Exploiting websocket application wide XSS
• Reflected XSS with HTTP Smuggling
• XSS on Facebook instagram CDN server bypassing signature protection
• XSS on Facebook’s Acquisition Oculus
• XSS on sony Subdomain
• Exploiting Self XSS
• Effortlessly Finding Cross Site Scripting inclusion XSSI
• Bugbounty a DOM XSS
• Blind XSS : a mind Game
• FireFox IOS QR code reader XSS(CVE-2019-17003)
• HTML injection to XSS

• [CVE-2020-13487

  Authenticated Stored Cross-site Scripting in bbPress](https://hackerone.com/reports/881918)

• XSS at error page of repository code
• XSS like a Pro
• How I turned self XSS to stored XSS via CSRF
• XSS Stored on Outlook web
• XSS Bug 20 Chars Blind XSS Payload
• XSS in AMP4EMAIL(DOM clobbering)
• DOM Based XSS bug bounty writeup
• XSS will never die
• 5000 USD XSS issue at avast desktop antivirus
• XSS to account takeover
• How Paypal helped me to generate XSS
• Bypass Uppercase filters like a PRO(XSS advanced methods)
• Stealing login credentials with reflected XSS
• bughunting xss on cookie popup warning
• XSS is love
• Oneplus XSS vulnerability in customer support portal
• Exploiting cookie based XSS by finding RCE
• Stored XSS on zendesk via macros
• XSS in ZOHO main
• DOM based XSS in private program
• Bugbounty writeup : Take Attention and get stored XSSS
• How I xssed admin account
• Clickjacking XSS on google
• Stored XSS on laporbugid
• Leveraging angularjs based XSS to privilege escalation
• How I found XSS by searching in shodan
• Chaining caache poisining to stored XSS
• XSS to RCE
• XSS on twitter worth 1120
• Reflected XSS in ebay.com
• Cookie based XSS exolpoitation 2300 bug bounty
• What do netcat -SMTP-self XSS have in common
• XSS on google custom search engine
• Story of a Full Account Takeover vulnerability N/A to Accepted
• Yeah I got p2 in 1 minute stored XSS via markdown editor
• Stored XSS on indeed
• Self XSS to evil XSS
• How a classical XSS can lead to persistent ATO vulnerability
• Reflected XSS in tokopedia train ticket
• Bypassing XSS filter and stealing user credit card data
• Googleplex.com blind XSS
• Reflected XSS on error page
• How I was able to get private ticket response panel and fortigate web panel via blind XSS
• Unicode vs WAF
• Story of URI based XSS with some simple google dorking
• Stored XSS on edmodo
• XSSed my way to 1000
• Try harder for XSS
• From parameter pollution to XSS
• MIME sniffing XSS
• Stored XSS on techprofile Microsoft
• Tale of a wormable Twitter XSS
• XSS attacks google bot index manipulation
• From Reflected XSS to Account takeover
• Stealing local storage data through XSS
• CSRF attack can lead to stored XSS
• XSS Reflected (filter bypass)
• XSS protection bypass on hackerone private program
• Just 5 minutes to get my 2nd Stored XSS on edmodo.com
• Multiple XSS in skype.com
• Obtaining XSS using moodle featured and minor bugs
• XSS on 403 forbidden bypass akamai WAF
• How I was turn self XSS into reflected XSS
• A Tale of 3 XSS
• Stored XSS on Google.com
• Stored XSS in the Guides gameplaersion (www.dota2.com)
• Admin google.com reflected XSS
• Paypal Stored security bypass
• Paypal DOM XSS main domain
• Bugbounty : The 5k$ Google XSS
• Facebook stored XSS
• Ebay mobile reflected XSS
• Magix bugbounty XSS writeup
• Abusing CORS for an XSS on flickr
• XSS on google groups
• Oracle XSS
• Content types and XSS Facebook Studio
• Admob Creative image XSS
• Amazon Packaging feedback XSS
• PaypalTech XSS
• Persistent XSS on my world
• Google VRP XSS in device management
• Google VRP XSS
• Google VRP Blind XSS
• WAZE XSS
• Referer Based XSS
• How we invented the Tesla DOM XSS
• Stored XSS on rockstar game
• How I was able to bypass strong XSS protection in well known website imgur.com
• Self XSS to Good XSS
• That escalated quickly : from partial CSRF to reflected XSS to complete CSRF to Stored XSS
• XSS using dynamically generated js file
• Bypassing XSS filtering at anchor Tags
• XSS by tossing cookies
• Coinbase angularjs dom XSS via kiteworks
• Medium Content spoofing and XSS
• Managed Apps and music a tale of two XSSes in Google play
• Making an XSS triggered by CSP bypass on twitter
• Escalating XSS in phantomjs image rendering to SSRF
• Reflected XSS in Simplerisk
• Stored XSS in the heart of the russian email provider
• How I built an XSS worm on atmail
• XSS on bugcrowd and so many other websites main domain
• Godaddy XSS affects parked domains redirector Processor
• Stored XSS in Google image search
• A pair of plotly bugs stored XSS abd AWS metadata
• Near universal XSS in mcafee web gateway
• Penetrating Pornhub XSS vulns
• How I found a 5000 Google maps XSS by fiddling with protobuf
• Airbnb when bypassing json encoding XSS filter WAF CSP and auditior turns into eight vulnerabilities
• Lightwight markup a trio of persistent XSS in gitlab
• XSS ONE BAY
• SVG XSS in unifi
• Stored XSS in unifi V4.8.12 controller
• Turning self XSS into good XSS v2
• SWF XSS DOM Based XSS
• XSS filter bypass in Yahoo Dev flurry
• XSS on Flickr
• Two vulnerabilities makes an exploit XSS and csrf in bing
• Runkeeper stored XSS
• Google sleeping XSS awakens 5k bounty
• Poisoning the well compromising godaddy customer support with blind XSS
• UBER turning self XSS to good XSS
• XSS on facebook via png content types
• Cloudflare XSS
• How I found XSS Vulnerability in Google
• XSS to RCE
• One payload to XSS them all
• Self XSS on komunitas
• Reclected XSS on alibabacloud
• Self XSS on komunitas bukalapak
• A real XSS in OLX
• Self XSS using IE adobes
• Stealing local storage through XSS
• 1000 USD in 5mins Stored XSS in Outlook
• OLX reflected XSS
• My first stored XSS on edmodo.com
• Hack your form new vector for BXSS
• How I found Blind XSS vulnerability in redacted.com
• 3 XSS in protonmail for iOS
• XSS in edmodo wihinin 5 mins
• Stil work redirect Yahoo subdomain XSS
• XSS in azure devOps
• Shopify reflected XSS
• Muliple Stored XSS on tokopedia
• Stored XSS on edmodo
• A unique XSS scenario 1000 Bounty
• Protonmail XSS Stored
• Chaining tricky ouath exploitation to stored XSS
• Antihack XSS to php uplaod
• Reflected XSS in zomato
• XSS through SWF file
• Hackyourform BXSS
• Reflected XSS on ASUS
• Stored XSS via Alternate text at zendesk support
• How I stumbled upon a stored XSS : my first bug bounty story
• Cookie based Self XSS to Good XSS
• Reflected XSS on amazon
• XSS worm : a creative use of web application vulnerability
• Google code in XSS
• Self XSS on indeed.com
• How I accidentally found XSS in Protonmail for iOS app
• XML XSS in yandex.ru by accident
• Critical Stored XSS vulnerability
• XSS bypass using META tag in realestate.postnl.nl
• Edmodo XSS bug
• XSS in hiden input fields
• How I discovered XSS that affected over 20 uber subdomains
• DOM based XSS or why you should not rely on cloudflare too much
• XSS in dynamics 365
• XSS deface with html and how to convert the html into charcode
• Cookie based injection XSS making explitable with exploiting other vulns
• XSS with put in ghost blog
• XSS using a Bug in safari and why blacklists are stupid
• Magic XSS with two parameters
• DOM XSS bug affecting tinder shopify Yelp
• Persistent XSS unvalidated open graph embed at linkedin.com
• My first 0day exploit CSP Bypass Reflected XSS
• Google Stored XSS in payments
• XSS on dropbox
• Weaponizing XSS attacking internal domains
• How I XSSed UBER and bypassed CSP
• RXSS and CSRF bypass to Account takeover
• Another XSS in google collaboratory
• How I bypassed AKAMAI waf in overstock.com
• Reflected XSS at philips.com
• XSS vulnerabilities in multiple iframe busters affecting top tier sites
• Reflected DOM XSS and clickjacking silvergoldbull
• Stored XSS vulnerability in h1 private
• Authbypass SQLi and XSS
• Stored XSS vulnerability in tumblr
• XSS in google code jam
• Mapbox XSS
• My first valid XSS
• Stored XSS in webcomponents.org
• 3 minutes XSS
• icloud.com DOM based XSS
• XSS at hubspot and in email areas
• Self XSS leads to blind XSS and Reflected XSS
• Refltected XSS primagames.com
• Stored XSS in gameskinny
• Blind XSS in Chrome experments Google
• Yahoo two XSSI vulnerabilities chained to steal user information (750$)
• How I found XSS on amazon
• A blind XSS in messengers twins
• XSS in microsoft Subdomain
• Persistent XSS at ah.nl
• The 12000 intersection betwenn clickjaking , XSS and DOS
• XSS in google collaboratory CSP bypass
• How I found blind XSS in apple
• Reflected XSS on amazon.com
• How I found XSS in 360totalsecurity
• The 2.5 BTC Stored XSS
• XSS Vulnerability in Netflix
• A story of a UXSS via DOM XSS clickjacking in steam inventory helper
• How I found XSS via SSRF vulnerability
• Searching for XSS found ldap injection
• how I converted SSRF to XSS in a SSRF vulnerable JIRA
• Reflected XSS in Yahoo subdomain
• Account takeover and blind XSS
• How I found 5 stored XSS on a private program
• Persistent XSS to steal passwords(Paypal)
• Self XSS + CSRF to stored XSS
• Stored XSS in yahoo and subdomains
• XSS in microsoft
• Blind XSS at customer support panel
• Reflected XSS on stackoverflow
• Stored XSS in Yahoo
• XSS 403 forbidden Bypass
• Turning self XSS into non self XSS via authorization issue at paypal
• A story of stored XSS bypass
• Mangobaaz hacked XSS to credentials
• How I got stored XSS using file upload
• Bypassing CSP to abusing XSS filter in edge
• XSS to session Hijacking
• Reflected XSS on www.zomato.com
• XSS in subdomain of yahoo
• XSS in yahoo.net subdomain
• Reflected XSS moongaloop swf version 62x
• Google adwords 3133.7 Stored XSS
• How I found a surprising XSS vulnerability on oracle netsuite
• Stored XSS on snapchat
• How I was able to bypass XSS protection on h1 private program
• Reflected XSS possible
• XSS via angularjs template injection hostinger
• Microsoft follow feature XSS (CVE-2017-8514)
• XSS protection bypass made my quickest bounty ever
• Taking note XSS to RCE in the simplenote electron client
• VMWARE official vcdx reflected XSS
• How I pwned a company using IDOR and Blind XSS
• From Recon to DOM based XSS
• Local file read via XSS
• Non persistent XSS at microsoft
• A Stored XSS in google (double kill)
• Filter bypass to Reflected XSS on finance.yahoo.com (mobile version)
• 900$ XSS in yahoo : recon wins
• How I bypassed practos firewall and triggered an XSS vulnerability
• Stored XSS to full information disclosure
• Story of parameter specific XSS
• Chaining self XSS with UI redressing leading to session hijacking
• Stored XSS with arbitrary cookie installation
• Reflective XSS and Open redirect on indeed.com subdomain
• How I found reflected XSS on Yahoo subdomain
• Dont just alert(1) because XSS is more fun
• UBER XSS by helpe of KNOXSS
• Reflected XSS in Yahoo
• Reflected XSS on ww.yahoo.com
• XSS because of wrong content type header

Cross Site Request Forgery (CSRF)

• How a simple CSRF attack turned into a P1
• How I exploited the json csrf with method override technique
• How I found CSRF(my first bounty)
• Exploiting websocket application wide XSS and CSRF
• Site wide CSRF on popular program
• Using CSRF I got weird account takeover
• CSRF CSRF CSRF
• Google Bugbounty CSRF in learndigital.withgoogle.com
• CSRF token bypass [a tale of 2k bug]
• 2FA bypass via CSRF attack
• Stored iframe injection CSRF account takeover
• Instagram delete media CSRF
• An inconsistent CSRF
• Bypass CSRF with clickjacking worth 1250
• Sitewide CSRF graphql
• Account takeover using CSRF json based
• CORS to CSRF attack
• My first CSRF to account takeover
• 4x chained CSRFs chained for account takeover
• CSRF can lead to stored XSS
• Yet other examples of abusing CSRF in logout
• Wordpress CSRF to RCE
• Bruteforce user IDs via CSRF to delete all the users with CSRF attack
• CSRF Bypass using cross frame scripting
• Account takeover via CSRF
• A very useful technique to bypass the CSRF protection
• CSRF account takeover exlpained automated manual bugbounty
• CSRF to account takeover
• How I got 500USD from microsoft for CSRF vulnerability
• Critical Bypass CSRF protection
• RXSS CSRF bypass to full account takeover
• Youtube CSRF
• Self XSS + CSRF = Stored XSS
• Ribose IDOR with simple CSRF bypass unrestrcited changes and deletion to other photo profile
• JSON CSRF attack on a social networking site
• Hacking facebook oculus integration CSRF
• Amazon leaking CSRF token using service worker
• Facebook graphql CSRF
• Chain the vulnerabilities and take your report impact on the moon csrf to html injection
• Partial CSRF to Full CSRF
• Stealing access token of one drive integration by chain csrf vulnerability
• Metasploit web project kill all running taks CSRF CVE-2017-5244
• Messenger site wide CSRF
• Hacking Facebook CSRF device login flow
• Two vulnerabilities makes an exploit XSS and CSRF in bing
• How I bypassed Facebook in 2016
• Ubiquiti bugbounty unifi generic CSRF protection Bypass
• Bypass Facebook CSRF
• Facebook CSRF full account takeover

Clickjacking (UI redressing attack)

• Google Bug bounty Clickjacking on Google payment
• Google APIs Clickjacking worth 1337$
• Clickjacking + XSS on Google org
• Bypass CSRF with clickjacking on Google org
• 1800 worth Clickjacking
• Account takeover with clickjacking
• Clickjacking on google CSE
• How I accidentally found clickjacking in Facebook
• Clickjacking on google myaccount worth 7500
• Clickjacking in google docs and void typing feature
• Reflected DOM XSS and Clickjacking
• binary.com clickjacking vulnerability exploiting HTML5 security features
• 12000 intersection betwen clickjacking XSS and denial of service
• Steam fire and paste : a story of uxss via DOM XSS and Clickjacking in steam inventory helper
• Yet another Google Clickjacking
• Redressing instagram leaking application tokens via instagram clickjacking vulnerability
• Self XSS to Good XSS and Clickjacking
• Microsoft Yammer clickjacking exploiting HTML5 security features
• Firefox find my device clickjacking
• Whatsapp Clickjacking vulnerability
• Telegram WEB client clickjacking vulnerability
• Facebook Clickjacking : how we put a new dress on facebook UI

Local File Inclusion (LFI)

• RFI LFI Writeup
• My first LFI
• Bug bounty LFI at Google.com
• Google LFI on production servers in redacted.google.com
• LFI to 10 server pwn
• LFI in apigee portals
• Chain the bugs to pwn an organisation LFI unrestricted file upload to RCE
• How we got LFI in apache drill recom like a boss
• Bugbounty journey from LFI to RCE
• LFI to RCE on deutche telekom bugbounty
• From LFI to RCE via PHP sessions
• magix bugbounty magix.com XSS RCE SQLI and LFI
• LFI in nokia maps

Subdomain Takeover

• How I bought my way to subdomain takeover on tokopedia
• Subdomain Takeover via pantheon
• Subdomain takeover : a unique way
• Escalating subdomain takeover to steal sensitive stuff
• Subdomain takeover awarded 200
• Subdomain takeover via wufoo service
• Subdomain takeover via Hubspot
• Souq.com subdomain takeover
• Subdomain takeover : new level
• Subdomain takeover due to misconfigured project settings for custom domain
• Subdomain takeover via shopify vendor
• Subdomain takeover via unsecured s3 bucket
• Subdomain takeover worth 200
• Subdomain takeover via campaignmonitor
• How to do 55000 subdomain takeover in a blink of an eye
• Subdomain takeover Starbucks (Part 2)
• Subdomain takeover Starbucks
• Uber wildcard subdomain takeover
• Bugcrowd domain subdomain takeover vulnerability
• Subdomain takeover vulnerability (Lamborghini Hacked)
• Authentication bypass on uber’s SSO via subdomain takeover
• Authentication bypass on SSO ubnt.com via Subdomain takeover of ping.ubnt.com

Denial of Service (DOS)

• Long String DOS
• AIRDOS
• Denial of Service DOS vulnerability in script loader (CVE-2018-6389)
• Github actions DOS
• Application level denial of service
• Banner grabbing to DOS and memory corruption
• DOS across Facebook endpoints
• DOS on WAF protected sites
• DOS on Facebook android app using zero width no break characters
• Whatsapp DOS vulnerability on android and iOS
• Whatsapp DOS vulnerability in iOS android

Authentication Bypass

• Touch ID authentication Bypass on evernote and dropbox iOS apps
• Oauth authentication bypass on airbnb acquistion using wierd 1 char open redirect
• Two factor authentication bypass
• Instagram multi factor authentication bypass
• Authentication bypass in nodejs application
• Symantec authentication Bypass
• Authentication bypass in CISCO meraki
• Slack SAML authentocation bypass
• Authentication bypass on UBER’s SSO
• Authentication Bypass on airbnb via oauth tokens theft
• Inspect element leads to stripe account lockout authentication Bypass
• Authentication bypass on SSO ubnt.com

SQL Injection(SQLI)

• Tricky oracle SQLI situation
• Exploiting “Google BigQuery” SQLI
• SQLI via stopping the redirection to a login page
• Finding SQLI with white box analysis a recent bug example
• Bypassing a crappy WAF to exploit a blind SQLI
• SQL Injection in private-site.com/login.php
• Exploiting tricky blind SQLI
• SQLI in forget password fucntion
• SQLI Bug Bounty
• File Upload blind SQLI
• SQL Injection
• SQLI through User Agent
• SQLI in insert update query without comma
• SQLI for 50 bounty
• Abusing MYSQL CLients
• SQLI Authentication Bypass AutoTrader Webmail
• ZOL Zimbabwe Authentication Bypass to XSS & SQLi
• SQLI bootcamp.nutanix.com
• SQLI in University of Cambridge
• Making a blind SQLI a little less Blind SQLI
• SQLI amd silly WAF
• Attacking Postgresql Database
• Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection
• A 5 minute SQLI
• Union based SQLI writeup
• SQLI with load file and into outfile
• SQLI is Everywhere
• SQLI in Update Query Bug
• Blind SQLI Hootsuite
• Yahoo – Root Access SQLI – tw.yahoo.com
• Step by Step Exploiting SQLI in Oculus
• Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)
• Tesla Motors blind SQLI
• SQLI in Nokia Sites

Insecure Direct Object Reference (IDOR)

• Disclose Private Dashboard Chart’s name and data in Facebook Analytics
• Disclosing privately shared gaming clips of any user
• Adding anyone including non-friend and blocked people as co-host in personal event!
• Page analyst could view job application details
• Deleting Anyone’s Video Poll

2FA related issues

• 2FA Bypass via logical rate limiting Bypass
• Bypass 2FA in a website
• Weird and simple 2FA bypass
• How I cracked 2FA with simple factor bruteforce
• Instagram account is reactivated without entering 2FA
• How to bypass 2FA with a HTTP header
• How I hacked 40k user accounts of microsoft using 2FA bypass outlook
• How I abused 2FA to maintain persistence after password recovery change google microsoft instragram
• Bypass hackerone 2FA
• Facebook Bug bounty : How I was able to enumerate instagram accounts who had enabled 2FA

CORS related issues

• CORS bug on google’s 404 page (rewarded)
• CORS misconfiguration leading to private information disclosure
• CORS misconfiguration account takeover out of scope to grab items in scope
• Chrome CORS
• Bypassing CORS
• CORS to CSRF attack
• An unexploited CORS misconfiguration reflecting further issues
• Think outside the scope advanced cors exploitation techniques
• A simple CORS misconfiguration leaked private post of twitter facebook instagram
• Explpoiting CORS misconfiguration
• Full account takeover through CORS with connection sockets
• Exploiting insecure CORS API api.artsy.net
• Pre domain wildcard CORS exploitation
• Exploiting misconfigured CORS on popular BTC site
• Abusing CORS for an XSS on flickr

Server Side Request Forgery (SSRF)

• Exploiting an SSRF trials and tribulations
• SSRF on PDF generator
• Google VRP SSRF in Google cloud platform stackdriver
• Vimeo upload function SSRF
• SSRF via ffmeg processing
• My first SSRF using DNS rebinding
• Bugbounty simple SSRF
• SSRF reading local files from downnotifier server
• SSRF vulnerability
• Gain adfly SMTP access with SSRF via gopher protocol
• Blind SSRF in stripe.com due to senntry misconfiguration
• SSRF port issue hidden approch
• The jorney of web cache firewall bypass to SSRF to AWS credentials compromise
• SSRF to local file read and abusing aws metadata
• pdfreactor SSRF to root level local files read which lead to RCE
• SSRF trick : SSRF XSPA in micosoft’s bing webwaster
• Downnotifeer SSRF
• Escalating SSRF to RCE
• Vimeo SSRF with code execution potential
• SSRF in slack
• Exploiting SSRF like a boss
• AWS takeover SSRF javascript
• Into the borg of SSRF inside google production network
• SSRF to local file disclosure
• How I found an SSRF in yahoo guesthouse (recon wins)
• Reading internal files using SSRF vulnerability
• Airbnb chaining third party open redirect into SSRF via liveperson chat

Race Condition

• Exploiting a Race condition vulnerabililty
• Race condition that could result to RCE a story with an app
• Creating thinking is our everything : Race condition and business logic
• Chaining improper authorization to Race condition to harvest credit card details
• A Race condition bug in Facebook chat groups
• Race condition bypassing team limit
• Race condition on web
• Race condition bugs on Facebook
• Hacking Banks With Race Conditions
• Race Condition Bug In Web App: A Use Case
• RACE Condition vulnerability found in bug-bounty program
• How to check Race Conditions in Web Applications

Remote Code Execution (RCE)

• Microsoft RCE bugbounty
• OTP bruteforce account takeover
• Attacking helpdesk RCE chain on deskpro with bitdefender
• Remote image upload leads to RCE inject malicious code
• Finding a p1 in one minute with shodan.io RCE
• From recon to optimizing RCE results simple story with one of the biggest ICT company
• Uploading backdoor for fun and profit RCE DB creds P1
• Responsible Disclosure breaking out of a sandboxed editor to perform RCE
• Wordpress design flaw leads to woocommerce RCE
• Path traversal while uploading results in RCE
• RCE jenkins instance
• Traversing the path to RCE
• How I chained 4 bugs features into RCE on amazon
• RCE due to showexceptions
• Yahoo luminate RCE
• Latex to RCE private bug bounty program
• How I got hall of fame in two fortune 500 companies an RCE story
• RCE by uploading a web config
• 36k Google app engine RCE
• How I found 2.9 RCE at yahoo
• Bypass firewall to get RCE
• RCE vulnerabilite in yahoo subdomain
• RCE in duolingos tinycards app from android
• Unrestricted file upload to RCE
• Getting a RCE (CTF WAY)
• RCE starwars
• How I got 5500 from yahoo for RCE
• RCE in Addthis
• Paypal RCE
• My First RCE (Stressed Employee gets me 2x bounty)
• Abusing ImageMagick to obtain RCE
• How Snapdeal Kept their Users Data at Risk!
• RCE via ImageTragick
• How I Cracked 2FA with Simple Factor Brute-force!
• Found RCE but got Duplicated
• “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce eStores
• IDOR to RCE
• RCE on AEM instance without JAVA knowledge
• RCE with Flask Jinja tempelate Injection
• Race Condition that could result to RCE
• Chaining Two 0-Days to Compromise An Uber Wordpress
• Oculus Identity Verification bypass through Brute Force
• Used RCE as Root on marathon Instance
• Two easy RCE in Atlassian Products
• RCE in Ruby using mustache templates
• About a Sucuri RCE…and How Not to Handle Bug Bounty Reports
• Source code disclosure vulnerability
• Bypassing custom Token Authentication in a Mobile App
• Facebook’s Burglary Shopping List
• From SSRF To RCE in PDFReacter
• Apache strust RCE
• Dell KACE K1000 Remote Code Execution
• Handlebars Tempelate Injection and RCE
• Leaked Salesforce API access token at IKEA.com
• Zero Day RCE on Mozilla’s AWS Network
• Escalating SSRF to RCE
• Fixed : Brute-force Instagram account’s passwords
• Bug Bounty 101 — Always Check The Source Code
• ASUS RCE vulnerability on rma.asus-europe.eu
• Magento – RCE & Local File Read with low privilege admin rights
• RCE in Nokia.com
• Two RCE in SharePoint
• Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over
• RCE in Hubspot with EL injection in HubL
• Github Desktop RCE
• eBay Source Code leak
• Facebook source code disclosure in ads API
• XS-Searching Google’s bug tracker to find out vulnerable source code

Buffer Overflow Writeups

-Buffer Overflow Attack Book pdf -Github Reposirtory on Buffer Overflow Attack -Stack-Based Buffer Overflow Attacks: Explained and Examples -How Buffer Overflow Attacks Work -Binary Exploitation: Buffer Overflows -WHAT IS A BUFFER OVERFLOW? LEARN ABOUT BUFFER OVERRUN VULNERABILITIES, EXPLOITS & ATTACKS

Android Pentesting

-Android Pentesting Lab (Step by Step guide for beginners!)