itsvarmakollu – Open Bug Bounty Blog

For Researchers

Report a Vulnerability Report and help remediate a vulnerability found on any website	Write a Blog Post Write a blog post to share your knowledge and get kudos
Browse Bug Bounty Programs Browse active bug bounty programs run by website owners	Ask a Question Ask questions and share your improvement ideas

How it Works

Download presentation and learn
how our platform works

PDF, 1MB

For Owners

Start a Bug Bounty Start your bug bounty program at no cost and leverage crowd-security testing	Ask a Question Ask questions or let us know how to make Open Bug Bounty even better
API Request National CERTs and law enforcement agencies may request our API

How it Works

Download presentation and learn
how our platform works

PDF, 1MB

Hall of Fame

Top Security Researchers They make Web a safer place by reporting and helping remediate vulnerabilities	Acknowledgements Website owners share their experience of collaboration with the researchers

How it Works

Download presentation and learn
how our platform works

PDF, 1MB

About

About the Project Read about Open Bug Bounty history, values and mission	Latest Reports Browse the most recent vulnerability submissions
Contact Us Get in touch

How it Works

Download presentation and learn
how our platform works

PDF, 1MB

Forum
Blog

XSS vulnerabilities discovered in ServiceNow – CVE-2022-38463

Posted on January 16, 2023January 16, 2023 by itsvarmakollu

Hey everyone, This is a blog related to my recent CVE on ServiceNow.It was found while testing a bug bounty program that was using ServiceNow and their in-scope domain was ‘redacted.service-now.com’. I searched the ServiceNow exploits on google and found that the domain was vulnerable to CVE-2019-20768 and CVE-2021-45901. I reported them and the reports…

Turning cookie-based XSS into account takeover

Posted on January 16, 2023January 16, 2023 by itsvarmakollu

The cookie-based XSS One evening I started hunting on the Terrahost Bug Bounty program. I was testing the terrahost.no main domain. There was a functionality where I could choose the service, then register an account and place an order. So I did that. I chose Virtual Hosting and put all the data – username, address,…