The following is a list of some security vulnerabilities I’ve found on various websites. Some of them contain links to more detailed write-ups.
You can also find this list on my personal website.
Website | Problems | Reward | Accepted | Fixed | References |
---|---|---|---|---|---|
Google (googleplex.com) | XSS | $ | Yes | Yes | Blog |
Google (google.org) | XSS (stored) | $ | Yes | Yes | |
Google (google.org) | XSS (DOM) | $ | Yes | Yes | Blog |
Google (google.org) | IDOR, User data information disclosure | $ | Yes | Yes | Blog |
Google (googleusercontent.com) | Image data leak | $ | Yes | No | |
Google (admin.googleusercontent.com) | Image leak | None | Yes | No | |
Google (storage.googleapis.com) | Image leak / auth bypass | $ | Yes | Yes | Blog |
Google (google.com) | 401 phishing attack vuln | None | No | No | |
Google (earth.google.com/studio) | IDOR, Auth Bypass, Null Byte Filename Injection | None | Yes | Yes | Blog |
Google (earth.google.com) | XSS | None | Yes | No | |
Google (console.firebase.google.com) | Auth Bypass | $ | Yes | Yes | Blog |
Google Code-in (codein.withgoogle.com) | XSS | $ | Yes | Yes | Blog |
Google Code Jam (codejam.withgoogle.com) | XSS | $ | Yes | Yes | Blog |
Google (android.com) | Rate limit vuln | None | Yes | No | |
Google (g.co) | Unrestricted API endpoint | $ | Yes | No | |
Google (CloudConnectCommunity.com) | XSS (reflected, stored), Auth bypass | None | Yes | Yes | |
Google (WebComponents.org) | XSS | $ | Yes | Yes | Blog |
Google (business.google.com) | Open redirect | – | – | – | OBB, YouTube Video |
Google Maps API (google.com) | Unrestricted Google API key allowing quota theft | None | No | No | |
Google Drive (drive.google.com) | Google Drive Auth Bypass | None | No | No | |
Microsoft (earth.minecraft.net) | Reflected POST XSS in earth.minecraft.net, non-HttpOnly cookie | None | Yes | Yes | |
heureka.cz | XSS (reflected, stored, DOM), CSRF, API authorization vulnerability | T-Shirt, HQ visit, $ | Yes | Yes | Article Czech |
leoexpress.com | XSS (reflected), API authorization vulnerability | None | Yes | Yes | OBB, Blog |
mcdonalds.com | XSS (reflected) | None | – | No | OBB, Blog |
uloz.to | XSS (stored) | T-Shirts | Yes | Yes | |
mall.cz | XSS (stored) | None | Yes | Yes | OBB, YouTube Video, Blog |
southwest.com | XSS (reflected) | None | – | No | |
vodafone.cz | XSS (reflected) | None | – | Yes | OBB |
stahuj.cz | XSS (reflected) | None | – | No | OBB |
aukro.cz | XSS (stored), unrestricted system directories | None | – | Yes | |
mapy.cz | XSS (Stored) | None | Yes | Yes | |
api.mapy.cz | XSS (DOM) | None | Yes | No | |
zbozi.cz | XSS (Stored) | None | Yes | Yes | |
karaoketexty.cz | XSS (reflected) | None | No | No | |
databazeknih.cz | XSS (reflected) | None | Yes | Yes | |
hyperinzerce.cz | XSS (reflected, stored) | None | – | No | OBB |
blibli.com | XSS (reflected) | None | – | No | OBB |
domcop.com | XSS (stored) | None | – | Yes | |
maxon-campus.net | SQLi | None | – | Yes | Blog |
ceskatelevize.cz | XSS (reflected) | None | – | Yes | OBB |
yougapi.com | XSS (reflected) | None | – | No | OBB |
mobilmania.cz | XSS (reflected) | None | – | No | OBB |
erec.com.hr | XSS (reflected) | None | – | No | OBB |
mujsoubor.cz | XSS | None | – | No | OBB |
top-prace.sk | XSS, Path Traversal, CSRF, File listing | $ | Yes | Yes | |
hotely.cz | XSS (reflected) | None | – | No | OBB |
loupak.fun | XSS (reflected, stored) | None | Yes | Yes | OBB |
topreality.sk | XSS (reflected) | None | – | No | OBB |
ceskereality.cz | XSS (reflected) | None | – | No | OBB |
centrum.cz | XSS (reflected) | None | – | No | OBB |
landi.cz | XSS (reflected) | None | – | No | OBB |
libris.to | XSS (blind) | None | Yes | Yes | |
mail-tester.com | XSS (reflected) | None | Yes | Yes | OBB |
cenpac.net.nr | XSS (reflected) | None | – | No | OBB |
apollos.cz | XSS (reflected) | None | – | No | OBB |