The following is a list of some security vulnerabilities I’ve found on various websites. Some of them contain links to more detailed write-ups. You can also find this list on my personal website.
Also check out the Web Security Cheatsheet.
| Website | Problems | Reward | Accepted | Fixed | References |
|---|---|---|---|---|---|
| Google (googleplex.com) |
XSS | $ | Yes | Yes | Blog |
| Google (google.org) |
XSS (stored) | $ | Yes | Yes | |
| Google (google.org) |
XSS (DOM) | $ | Yes | Yes | Blog |
| Google (google.org) | IDOR, User data information disclosure | $ | Yes | Yes | Blog |
| Google (googleusercontent.com) | Image data leak | $ | Yes | No | |
| Google (admin.googleusercontent.com) | Image leak | None | Yes | No | |
| Google (storage.googleapis.com) | Image leak / auth bypass | $ | Yes | Yes | Blog |
| Google (google.com) | 401 phishing attack vuln | None | No | No | |
| Google (earth.google.com/studio) | IDOR, Auth Bypass, Null Byte Filename Injection | None | Yes | Yes | Blog |
| Google (earth.google.com) | XSS | None | Yes | No | |
| Google (console.firebase.google.com) | Auth Bypass | $ | Yes | Yes | Blog |
| Google Code-in (codein.withgoogle.com) | XSS | $ | Yes | Yes | Blog |
| Google Code Jam (codejam.withgoogle.com) | XSS | $ | Yes | Yes | Blog |
| Google (android.com) |
Rate limit vuln | None | Yes | No | |
| Google (g.co) | Unrestricted API endpoint | $ | Yes | No | |
| Google (CloudConnectCommunity.com) | XSS (reflected, stored), Auth bypass | None | Yes | Yes | |
| Google (WebComponents.org) | XSS | $ | Yes | Yes | Blog |
| Google (business.google.com) | Open redirect | – | – | – | OBB, YouTube Video |
| Google Maps API (google.com) | Unrestricted Google’s API key allowing quota theft | None | No | No | |
| Google Drive (drive.google.com) | Google Drive Auth Bypass | None | No | No | |
| Google (threadit.app) | XSS (DOM) | $ | Yes | Yes | |
| Microsoft (earth.minecraft.net) | Reflected POST XSS in earth.minecraft.net, not-httponly cookie | None | Yes | Yes | |
| heureka.cz | XSS (reflected, stored, DOM), CSRF, API authorization vulnerability | T-Shirt, HQ visit, $ | Yes | Yes | Article Czech |
| leoexpress.com | XSS (reflected), API authorization vulnerability | None | Yes | Yes | OBB, Blog |
| mcdonalds.com | XSS (reflected) | None | – | No | OBB, Blog |
| uloz.to | XSS (stored) | T-Shirts |
Yes | Yes | |
| mall.cz | XSS (stored) | None | Yes | Yes | OBB, YouTube Video, Blog |
| southwest.com | XSS (reflected) | None | – | No | |
| vodafone.cz | XSS (reflected) | None | – | Yes | OBB |
| stahuj.cz | XSS (reflected) | None | – | No | OBB |
| aukro.cz | XSS (stored), unrestricted system directories | None | – | Yes | |
| mapy.cz | XSS (Stored) | None | Yes | Yes | |
| api.mapy.cz | XSS (DOM) | None | Yes | No | |
| zbozi.cz | XSS (Stored) | None | Yes | Yes | |
| karaoketexty.cz | XSS (reflected) | None | No | No | |
| databazeknih.cz | XSS (reflected) | None | Yes | Yes | |
| hyperinzerce.cz | XSS (reflected, stored) | None | – | No | OBB |
| blibli.com | XSS (reflected) | None | – | No | OBB |
| domcop.com | XSS (stored) | None | – | Yes | |
| maxon-campus.net | SQLi | None | – | Yes | Blog |
| ceskatelevize.cz | XSS (reflected) | None | – | Yes | OBB |
| yougapi.com | XSS (reflected) | None | – | No | OBB |
| mobilmania.cz | XSS (reflected) | None | – | No | OBB |
| erec.com.hr | XSS (reflected) | None | – | No | OBB |
| mujsoubor.cz | XSS | None | – | No | OBB |
| top-prace.sk | XSS, Path Traversal, CSFR, File listing | $ | Yes | Yes | |
| hotely.cz | XSS (reflected) | None | – | No | OBB |
| loupak.fun | XSS (reflected, stored) | None | Yes | Yes | OBB |
| topreality.sk | XSS (reflected) | None | – | No | OBB |
| ceskereality.cz | XSS (reflected) | None | – | No | OBB |
| centrum.cz | XSS (reflected) | None | – | No | OBB |
| landi.cz | XSS (reflected) | None | – | No | OBB |
| libris.to | XSS (blind) | None | Yes | Yes | |
| mail-tester.com | XSS (reflected) | None | Yes | Yes | OBB |
| cenpac.net.nr | XSS (reflected) | None | – | No | OBB |
| apollos.cz | XSS (reflected) | None | – | No | OBB |