Improper Access Control – Generic: Unrestricted access to any “connected pack” on docs in

Summary: When adding a pack to a doc, a POST request is sent to [doc ID]/packs with the data {“packId”:[pack Id]}, where doc ID is the ID of the doc to which the user wishes to add the pack and pack ID is the pack the user wants to install. But this request was unrestricted and the user could iterate the…

Stored XSS on

I was surfing the internet when I came across this web portal, which I found to be vulnerable to Reflected XSS. So I attempted to make a Stored XSS because I noticed a kind of message board. I created a temporary email for registering on the website, then I completed the registration phase…

SQL Injection Payload List

In this section, we’ll explain what SQL injection is, describe some common examples, explain how to find and exploit various kinds of SQL injection vulnerabilities, and summarize how to prevent SQL injection.

What is SQL injection (SQLi)?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

Brief Recap of Open Bug Bounty’s Record Growth in 2019

Dear Researchers and Website Owners,

First of all, we wish you a Happy and Secure New Year 2020:

With almost half-a-million vulnerability reports today, we are happy to present you a brief recap of our relentless and steady growth in 2019 attained with your valuable support and contribution that we greatly appreciate:

  • 203,449 security vulnerabilities were reported in total (500 per day), being a 32% yearly growth

  • 101,931 vulnerabilities were fixed by website owners, likewise showing a 30% growth compared to the previous year

  • 5,832 new security researchers joined the community, making the total number of researchers and security experts 13,532

  • 383 new bug bounty programs were created by website owners, now offering 657 programs in total with over 1342 websites to test

Best security researchers and top-rated Bug Bounty programs are available on the main page of our website, where we recently refreshed the design.

In 2020, we plan to introduce new features requested by the researchers and website owners to further improve their experience, accelerate smooth communications and reduce vulnerability remediation time.

New DevSecOps vulnerability data export options are also coming soon to facilitate crowd security testing integration with corporate CI/CD and DevSecOps strategy.

We are receiving a considerable number of incoming proposals from commercial companies to support the project, or even to merge with their own solutions and platforms. We may consider one or even several partnerships in 2020 to ensure an even faster development of our project; however, Open Bug Bounty will always remain open, community-driven and free.

Please don’t hesitate to promote our project among your contacts and on social networks!

Thank you for making the Web a safer place with us!