Correct way to submit a vulnerability that needs access/register

Posted: Thu Jan 24, 2019 6:39 pm
by LukkasssG
Hello.

I have one question for you: do you take submissions that need the user to log in to the website? If so, what's the procedure to report those? I'm asking because of one that I made; the ID is 727374 and it got denied as "Can't reproduce Vulnerability", but it's there. The website is free to use but the user needs to register. I've created a user and submitted it with the report and the correct steps to reproduce the vulnerability, but it still got "can't reproduce vulnerability".

Am I doing something wrong or just out of luck?

Re: Correct way to submit a vulnerability that needs access/register

Posted: Thu Jan 24, 2019 7:09 pm
by jesuismaxy
surely u can just add the cookie to the report for the test account when ur logged in

Re: Correct way to submit a vulnerability that needs access/register

Posted: Thu Jan 24, 2019 11:57 pm
by LukkasssG
jesuismaxy wrote:
Thu Jan 24, 2019 7:09 pm
surely u can just add the cookie to the report for the test account when ur logged in
I thought about that, but there's also the session expiration time...

Re: Correct way to submit a vulnerability that needs access/register

Posted: Fri Jan 25, 2019 7:44 am
by x1admin
Just provide login & password via comment

Re: Correct way to submit a vulnerability that needs access/register

Posted: Fri Jan 25, 2019 3:30 pm
by LukkasssG
x1admin wrote:
Fri Jan 25, 2019 7:44 am
Just provide login & password via comment
Could you please check the report ID 727374? I think I've sent it in the comments, can't remember exactly. It got "can't reproduce" status but the vulnerability still works as of today.

Thanks in advance.

Re: Correct way to submit a vulnerability that needs access/register

Posted: Mon Jan 28, 2019 7:45 am
by x1admin
LukkasssG wrote:
Fri Jan 25, 2019 3:30 pm
x1admin wrote:
Fri Jan 25, 2019 7:44 am
Just provide login & password via comment
Could you please check the report ID 727374? I think I've sent it in the comments, can't remember exactly. It got "can't reproduce" status but the vulnerability still works as of today.

Thanks in advance.
approved

Re: Correct way to submit a vulnerability that needs access/register

Posted: Wed May 01, 2019 2:27 pm
by Guyu91425081
Ah, hello. My first submission today: HTML injection (custom Perl backend framework), possible only as a logged-in user. I didn't attach any user/pwd nor a cookie.
Ouch, it'll get bashed.
Thanks for the info.