

adrià romero.

Some recent findings:
· █████.com (2017-06-27) - 04 x non-authenticated Cross-Site Scripting.
· █████.com (2017-06-24) - 01 x info leak: theft of private keys through a publicly exposed .ssh/ directory.
· █████.com (2017-06-24) - 01 x subdomain takeover (CloudFront).
· █████.com (2017-06-23) - 01 x command execution via Local File Inclusion.
· █████.com (2017-06-10) - 01 x template injection.
· █████.com (2017-06-06) - 01 x publicly exposed .git/ (exposing all the source code and confidential information).
· █████.com (2017-06-06) - 02 x reflected content spoofing through error message.
· █████.com (2017-06-03) - 02 x server-side code execution via Local File Inclusion (insecure upload of picture files).
· █████.com (2017-05-27) - 01 x reCAPTCHA bypass in the account creation process.
· █████.com (2017-05-26) - 02 x non-authenticated info leakage in chat system.
· netgear.com (2017-05-19) - 02 x non-authenticated Cross-Site Scripting.
· netgear.com (2017-05-19) - 01 x non-authenticated open redirect.
· netgear.com (2017-05-19) - 01 x Insecure Direct Object References.
· netgear.com (2017-05-19) - 01 x non-authenticated Insecure Direct Object References.
· adobe.com (2017-05-18) - 01 x non-authenticated open redirect.
· █████.mil (2017-05-18) - 02 x non-authenticated Cross-Site Scripting.
· █████.com (2017-05-18) - 01 x non-authenticated Cross-Site Scripting.
· youporn.com (2017-05-16) - 01 x OAuth redirect_uri regex validation bypass (access token / code theft).
· pornhub.com (2017-05-16) - 01 x OAuth redirect_uri regex validation bypass (access token / code theft).
· pornhub.com (2017-05-16) - 01 x full path disclosure.
· █████.mil (2017-05-14) - 02 x non-authenticated SQL injection.
· █████.mil (2017-05-14) - 01 x full path disclosure.
· rockstargames.com (2017-05-03) - 02 x non-authenticated open redirect.
· █████.com (2017-04-12) - 02 x server-side code execution via Local File Inclusion (insecure upload of profile picture/CSV files).
· █████.com (2017-04-12) - 05 x non-authenticated Cross-Site Scripting.
· █████.com (2017-02-20) - 13 x Insecure Direct Object References (API).
· █████.com (2017-02-20) - 01 x authenticated SQL injection.
· █████.com (2016-11-16) - 01 x Insecure Direct Object References.
· █████.com (2016-11-16) - 04 x non-authenticated Cross-Site Scripting.
· █████.com (2016-11-15) - 05 x non-authenticated open redirect / unvalidated input destination.
· ebay.com (2016-11-12) - 01 x PostgreSQL login disclosure (user/passwd/dbname).
· ebay.com (2016-10-11) - 01 x authentication bypass.
· ebay.com (2016-10-11) - 02 x non-authenticated Cross-Site Scripting.
· adobe.com (2016-09-11) - 01 x non-authenticated Cross-Site Scripting.
· █████.mil (2016-09-10) - 06 x Insecure Direct Object References.
· █████.com (2016-09-09) - 01 x OAuth redirect_uri regex validation bypass (access token / code theft).
· █████.com (2016-09-09) - 06 x Insecure Direct Object References.
· █████.com (2016-08-14) - 02 x authentication bypass.
· █████.com (2016-08-14) - 14 x non-authenticated Cross-Site Scripting.
· █████.com (2016-08-06) - 01 x non-authenticated Cross-Site Scripting.
· fiat.com (2016-08-0) - 03 x non-authenticated Cross-Site Scripting.
· Nextcloud / ownCloud (2016-07-05) - 01 x server-side code execution via Local File Inclusion (default configuration).
· Nextcloud / ownCloud (2016-07-05) - 01 x non-authenticated Cross-Site Scripting (default configuration).
· Nextcloud / ownCloud (2016-07-05) - 01 x non-authenticated open redirect / unvalidated input destination (default configuration).
· Nextcloud / ownCloud (2016-07-05) - 01 x non-authenticated info leak (default configuration).
· Nextcloud / ownCloud (2016-07-05) - 01 x non-authenticated theft of private user data through a design flaw (default configuration).
· ingdirect.com (2016-07-08) - 02 x non-authenticated Cross-Site Scripting.
· gm.com (2016-07-08) - 02 x non-authenticated Cross-Site Scripting (General Motors).
· europa.eu (2016-06-10) - 08 x non-authenticated SQL injection.
· europa.eu (2016-06-10) - 58 x non-authenticated Cross-Site Scripting.
· europa.eu (2016-06-10) - 02 x non-authenticated path traversal with security mechanism bypass.
· europa.eu (2016-06-10) - 03 x non-authenticated open redirect / unvalidated input destination.
· europa.eu (2016-06-10) - 06 x authenticated open redirect / unvalidated input destination.
· europa.eu (2016-06-10) - 04 x non-authenticated full path disclosure due to a fatal error.
· europa.eu (2016-06-10) - 07 x non-authenticated version disclosure.
· europa.eu (2016-06-10) - 31 x non-authenticated clickjacking.
· █████.com (2016-06-05) - 08 x non-authenticated Cross-Site Scripting.
· mozilla.com (2016-03-24) - 02 x non-authenticated self-Cross-Site Scripting.
· █████.com (2016-03-20) - 03 x non-authenticated SQL injection.
· █████.com (2016-03-19) - 01 x non-authenticated blind SQL injection.
· █████.com (2016-03-19) - 02 x non-authenticated Cross-Site Request Forgery (CSRF).
· vodafone.com (2016-02-19) - 02 x non-authenticated open redirect due to Cross-Site Scripting.
· █████.com (2016-02-16) - 09 x Insecure Direct Object References.
· UniFi Controller v4.8.12 (2016-02-14) - non-authenticated Cross-Site Scripting.
· UniFi Controller v4.8.12 (2016-02-14) - non-authenticated open redirect / unvalidated input destination.
· GNU bash 4.3 unicode/lib, static char *stub_charset() - stack buffer overflow.



Adrià Romero (adriaroms)