Submitting Same Vulnerabilities?
-
- Posts:296
- Joined:Mon Nov 23, 2015 6:43 pm
- Contact:
So I recently noticed this -
Upon looking at the submissions, they all appear to be duplicates of what other researchers have submitted.
Let's take the top three in the picture for example -
https://www.xssposed.org/incidents/117652/ (submitted here first - https://www.xssposed.org/incidents/99318/)
https://www.xssposed.org/incidents/117651/ (submitted here first - https://www.xssposed.org/incidents/99323/)
https://www.xssposed.org/incidents/117650/ (submitted here first - https://www.xssposed.org/incidents/99350/)
I know some people had issues with me submitting previously unidentified vulnerabilities en masse, but I've yet to see someone say anything about this, so I thought I'd point it out, as it essentially makes the "Top Researchers" section aimless.
Last edited by Spam404Online on Tue Jan 26, 2016 7:14 pm, edited 1 time in total.
Re: Submitting Same Vulnerabilities?
Looks like the same thing today, flooding VIP submissions with duplicates -
Re: Submitting Same Vulnerabilities?
We deleted the 3 doubles. Please let us know in the future when somebody cheats and re-submits existing vulnerabilities - all these vulnerabilities will be immediately deleted.
We will also change the submission validation system a little bit to prevent such doubles (when the same parameter is re-submitted via a different HTTP method).
Re: Submitting Same Vulnerabilities?
And in the future please also ping the researcher in question directly when you see such cases - will save a lot of time to us.
Re: Submitting Same Vulnerabilities?
Thanks for the feedback here!
x1admin wrote:
And in the future please also ping the researcher in question directly when you see such cases - will save a lot of time to us.
I did email the researcher on the second day I noticed this happening, but unfortunately I didn't hear anything back.
Here's some more duplicates for deletion -
Re: Submitting Same Vulnerabilities?
Deleted all duplicates. Let us know if there are any more.
Re: Submitting Same Vulnerabilities?
Thanks again.
x1admin wrote:
Deleted all duplicates. Let us know if there are any more.
I found what seems to be another submission bug, this time affecting open redirect submissions.
First submission - https://www.xssposed.org/incidents/72776/
Duplicate - https://www.xssposed.org/incidents/118532/
It seems that if the redirect URL for XSSPosed is different from the previous submission(s), it is accepted. In this case a single forward slash was missing at the end of the duplicate, resulting in its success. Can this be prevented?
Re: Submitting Same Vulnerabilities?
I also just noticed this -
https://www.xssposed.org/incidents/118578/
https://www.xssposed.org/incidents/118581/
https://www.xssposed.org/incidents/118582/
Maybe blacklist URL shortener domains from being accepted? I don't think they should be considered open redirects.
----> https://i.gyazo.com/5126ce0fda9976175fd ... 3c4238.png
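As an added illustration (not the site's own validation code, which is not shown in this thread), here is a Python sketch of the two checks the thread asks for: a duplicate key that ignores the HTTP method and trailing-slash or host-case differences, plus rejection of open-redirect submissions whose target host is a URL shortener. The shortener host list and the sample submissions are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed list for illustration; the thread does not name specific shorteners.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def canonical_key(url: str, param: str) -> tuple:
    """Identity of a submission for duplicate detection.

    The HTTP method is deliberately NOT part of the key (the admin's fix), the
    host is lower-cased, and a trailing slash is stripped so that
    '/out/' and '/out' (the open-redirect bypass in the thread) collide.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return (host, path, param)


def is_shortener(url: str) -> bool:
    """True when the submitted target itself is a URL-shortener host."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host in SHORTENER_HOSTS


def validate_submissions(subs):
    """Split submissions into (accepted, rejected); rejected items carry a reason.

    Each submission is a dict with id, kind ('xss' or 'redirect'), method, url, param.
    """
    seen, accepted, rejected = {}, [], []
    for s in subs:
        if s["kind"] == "redirect" and is_shortener(s["url"]):
            rejected.append((s, "URL shortener is not an open redirect"))
            continue
        key = canonical_key(s["url"], s["param"])
        if key in seen:
            rejected.append((s, f"duplicate of submission #{seen[key]}"))
            continue
        seen[key] = s["id"]
        accepted.append(s)
    return accepted, rejected


# Constructed sample input, not real XSSPosed incidents.
SAMPLE = [
    {"id": 1, "kind": "xss", "method": "GET", "url": "https://example.com/search/?q=1", "param": "q"},
    {"id": 2, "kind": "xss", "method": "POST", "url": "https://example.com/search?q=1", "param": "q"},
    {"id": 3, "kind": "redirect", "method": "GET", "url": "https://example.com/out/?next=x", "param": "next"},
    {"id": 4, "kind": "redirect", "method": "GET", "url": "https://Example.com/out?next=y", "param": "next"},
    {"id": 5, "kind": "redirect", "method": "GET", "url": "https://bit.ly/abc", "param": ""},
]
```

Running `validate_submissions(SAMPLE)` accepts ids 1 and 3 and rejects 2 (method-only change), 4 (trailing slash and host case) and 5 (shortener).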
Re: Submitting Same Vulnerabilities?
Thanks!
More for deletion -
Using HTTP Post Data -
URL Shorteners -