pentester.land
2a06:98c1:3120::3  Public Scan

URL: https://pentester.land/writeups/
Submission: On July 14 via manual from IN — Scanned from NL

Form analysis 0 forms found in the DOM

Text Content

PENTESTER LAND

SPONSORED BY

The fastest-growing bug bounty platform


Click here to join the Intigriti community


FAQ


WHAT IS THIS PAGE?

This is a directory of ethical hacking writeups including bug bounty,
responsible disclosure and pentest writeups.
My goal is to help you improve your hacking skills by making it easy to learn
about thousands of vulnerabilities that hackers found on different targets.


AM I ALLOWED TO HACK ON ALL THESE TARGETS?

No, not all programs included here have an ongoing bug bounty program or a
responsible disclosure program. So this page is NOT an invitation to hack on any
program mentioned.
Please make sure you are explicitly allowed to hack on a target before starting!



WHAT DOES EACH COLUMN MEAN?

 * Title - Title and link of the writeup (may include one or multiple links).
 * Tags - Vulnerabilities and topics mentioned.
 * Program - The vulnerable organization, bug bounty program or app. Remember,
   not all programs have a bug bounty program or responsible disclosure policy.
 * Author (Twitter handle) - The author(s) of the writeup and their Twitter
   handle.
 * Bounty
    * Amount of the monetary reward if there was one.
    * "-" means no bounty was mentioned or it was a pentest or responsible
      disclosure finding.
    * Note that bounties paid in other currencies are converted to $ for the
      sake of simplicity.

 * Publication date - The date on which the writeup was published.
 * Added date - The date on which the writeup was added to this directory.


HOW DO I MAKE THE BEST OF THIS TABLE?

Here are some features to help you quickly navigate the table:
 * Search bar (at top right of the table)
    * To search the whole table, all columns included.
    * This doesn't include the contents of writeups, only information that
      appears on this table.
    * E.g. searches: '2020', 'RCE', 'Google' or 'albinowax'

 * Small arrow icon (to the right of each column's name)
   Use it to sort the table by any column you want. By default, writeups are
   sorted by Added date.
 * "Show ... entries" (at the top left of the table)
    * Use this to specify the number of writeups you want to see: 10, 25, 50
      (default), 100 or All of them without pagination.
    * Avoid using "All" if you are on a mobile device, as it can make the page
      really slow.
    * The settings you choose are saved in your browser (using localStorage). So
      when you close and revisit the site, you will find yourself on the last
      page you were reading before closing the browser or window.
    * If you find this behavior annoying and would prefer pagination settings to
      be forgotten every time you close the site, please let me know.

 * Download as JSON file
   Use this link to download the JSON file that was used to generate the table.


HOW CAN I SUBMIT MY OWN WRITEUP(S)?

You can submit your writeups by filling out this contact form (select "Submit a
writeup" as the subject).


WRITEUPS

| Title | Tags | Programs | Authors | Bounty | Publication Date | Added Date |
|---|---|---|---|---|---|---|
| Security Feature Bypass In ASP.NET and Visual Studio – Race Condition | Race condition, Bruteforce | Microsoft | Jack Moran, TC, Ethan McKee-Harris | - | 2023-07-12 | 2023-07-12 |
| Story of Clickjacking on Microsoft Leads To Privilege Escalation & Account Takeover Of Admin | Clickjacking, Privilege escalation, Account takeover | Microsoft | Abdul Rehman Parkar | - | 2023-07-12 | 2023-07-12 |
| Executing Arbitrary Code & Executables in Read-Only FileSystems | Kubernetes, Container security, Local Privilege Escalation | - | Golan Myers | - | 2023-07-12 | 2023-07-12 |
| Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs - CVE-2023-35803 | Memory corruption, Buffer Overflow, RCE | Extreme Networks | Lachlan Davidson (@lachlan2k) | - | 2023-07-12 | 2023-07-12 |
| Exploiting XSS in hidden inputs and meta tags | XSS | - | Gareth Heyes (@garethheyes) | - | 2023-07-11 | 2023-07-12 |
| An interesting RCE on a Synack Red Team target! | RCE, Groovy scripting | - | Daly Whyte (@_d4ly_) | - | 2023-07-11 | 2023-07-12 |
| Critical Foswiki Vulnerablities: A Logic Error Turned Remote Code Execution | RCE, Privilege escalation, Path traversal | Foswiki | Christian Pöschl | - | 2023-07-11 | 2023-07-12 |
| CVE-2023-29298: Adobe ColdFusion Access Control Bypass | Broken Access Control, Logic flaw, Security code review, ColdFusion | Adobe | Stephen Fewer (@stephenfewer) | - | 2023-07-11 | 2023-07-12 |
| Unexpected Zero in MySQL Injection | SQL injection | - | Dimaz Arno (@dimazarno) | - | 2023-07-11 | 2023-07-12 |
| [REL] A Journey Into Hacking Google Search Appliance | RCE, Line Feed injection, Path traversal, Arbitrary file read, Information disclosure, Security code review | Google | DEVCORE (@d3vc0r3) | - | 2023-07-07 | 2023-07-12 |
| Linux local electron application script-src: self bypass | Electron, CSP bypass, XSS, RCE | - | Mizu (@kevin_mizu) | - | 2023-07-04 | 2023-07-12 |
| Multiple Vulnerabilities In Cockpit CMS <= V2.5.2 | CSRF, Unrestricted file upload, RCE, XSS, IDOR, Security code review | Cockpit CMS | GhostCcamm (@GhostCcamm) | - | 2023-06-30 | 2023-07-12 |
| Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution | DLL injection, EDR bypass, Process injection, Windows | - | Security Joes (@SecurityJoes) | - | 2023-06-27 | 2023-07-12 |
| Why ORMs and Prepared Statements Can't (Always) Win | SQL injection, RCE, Security code review | Soko, Gentoo Linux | Thomas Chauchefoin (@swapgs) | - | 2023-06-26 | 2023-07-12 |
| Multiple vulnerabilities in UCOPIA <= 6.0.7 (CVE-2022-44719 / CVE-2022-44720) | Security misconfiguration, Local Privilege Escalation, Internal pentest | Weblib (Ucopia) | Jean Bonnevie, Paul Barbé | - | 2023-06-26 | 2023-07-12 |
| [ GCP 2022 ] Few bugs in the google cloud shell | CSRF, Stored XSS, File upload, OAuth | Google | Obmi | $20,000 | 2022-12-26 | 2023-07-12 |
| Account (of the CEO) Takeover via Password Reset | Account takeover, Password reset, IDOR | - | Cristi Vlad (@CristiVlad25) | - | 2023-07-10 | 2023-07-11 |
| AWS CodeBuild + S3 == Privilege Escalation | Cloud, Privilege escalation | - | Paolo Cavaglià (@Paupu_95) | - | 2023-07-10 | 2023-07-11 |
| From Blackbox .NET Remoting to Unauthenticated Remote Code Execution | RCE, .NET Remoting, Insecure deserialization | act! | Florian Hauser (@frycos) | - | 2023-07-10 | 2023-07-11 |
| CVE-2023-36934 Analysis: MOVEit Transfer SQL Injection | SQL injection, Security code review | Progress (MOVEit Transfer) | Rahul Maini (@iamnoooob), Harsh Jaiswal (@rootxharsh) | - | 2023-07-09 | 2023-07-11 |
| macOS Atlassian Companion Remote Code Execution | RCE, MacOS, Thick client | Atlassian | Wojciech Reguła (@_r3ggi) | - | 2023-07-09 | 2023-07-11 |
| Account Takeover via Custom OTP, No User Interaction Required! | Account takeover, OTP bypass, Authentication bypass, Rate limiting bypass, Captcha bypass | - | Bhavuk Jain (@bhavukjain1) | - | 2023-07-08 | 2023-07-11 |
| Full Disclosure - DOM-based XSS And Failures In Bug Bounty Hunting | DOM XSS, CSS injection | - | Kuldeep Pandya (@kuldeepdotexe) | - | 2023-07-06 | 2023-07-11 |
| RCE In GitLab's CLI Tool | RCE, OS command injection, Security code review | GitLab | ameya (@0xtakemyhand) | - | 2023-07-06 | 2023-07-11 |
| Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911) | Local Privilege Escalation | Microsoft (Windows) | clem (@clavoillotte), Jonas L (@jonasLyk) | - | 2023-07-06 | 2023-07-11 |
| Story Of My First RCE :) | RCE, Default credentials | - | 0utlawh4ck3r (@outlawh4ck3r) | - | 2023-07-06 | 2023-07-11 |
| Chaining for Critical: Unauthorized to Cloud Administrator | SSRF, HTML injection | - | Jake Wnuk | - | 2023-07-05 | 2023-07-11 |
| Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489) | RCE, Path traversal, Cryptographic issues, Security code review | Citrix (ShareFile) | Dylan Pindur | - | 2023-07-04 | 2023-07-11 |
| Pulling SYSTEM out of Windows GINA | Authentication bypass, Windows, Local Privilege Escalation | Zoho (ManageEngine ADSelfService Plus) | Pedro Ribeiro (@pedrib1337), João Bigotte, Ashley King | - | 2023-06-23 | 2023-07-11 |
| Getting email address of any HackerOne user worth $7,500 | Information disclosure | HackerOne | Japz Divino (@japzdivino) | $7,500 | 2023-07-04 | 2023-07-04 |
| Partial File Read in phpList <= 3.6.12 (CVE-2023-35834) | Arbitrary file read, PHP filter chain, Security code review | phpList | Vincent Herbulot, Rémi Matasse (@_remsio_) | - | 2023-07-04 | 2023-07-04 |
| Hunting for Nginx Alias Traversals in the wild | Path traversal | Bitwarden, Google | Daniel (Celesian) Matsumoto (@c3l3si4n) | $6,500 | 2023-07-03 | 2023-07-04 |
| How We Found Another GitHub Action Environment Injection Vulnerability in a Google Project | CI/CD, RCE | Google (Orbit) | Noam Dotan | - | 2023-07-03 | 2023-07-04 |
| Technical Details of CVE-2023-30990 - Unauthenticated RCE in IBM i DDM Service | RCE | IBM | pz | - | 2023-07-03 | 2023-07-04 |
| Domain Takeover Without Domain Admin Permissions | Active Directory Privilege Escalation, Internal pentest | - | Joe Helle (@joehelle) | - | 2023-06-30 | 2023-07-04 |
| Server-side Template Injection Leading to RCE on Google VRP | SSTI, RCE | Google | mizzleneupane (@mizzle_neupane5) | - | 2023-06-30 | 2023-07-04 |
| Chaining Self Blind XSS with Broken Access Control To Make it Non Self Blind XSS | Blind XSS, Self-XSS, Broken Access Control | - | sudhanshu Kumar kashyap (@ReebootToInit5) | - | 2023-06-30 | 2023-07-04 |
| CVE-2023-33298 - Perimeter81 Local Privilege Escalation | Local Privilege Escalation, MacOS, Reverse engineering | Perimeter81 | NSEcho (@lateralusd_) | - | 2023-06-30 | 2023-07-04 |
| Exploiting the HP Printer without the printer (Pwn2Own 2022) | Printer hacking, Buffer Overflow, Memory corruption | HP | Interrupt Labs (@InterruptLabs) | - | 2023-06-29 | 2023-07-04 |
| ServiceNow Insecure Access Control To Full Admin Takeover | Broken Access Control, Privilege escalation, Account takeover | ServiceNow | Rezk0n (@Rezk0n) | - | 2023-06-26 | 2023-07-04 |
| RCE via Path Traversal vulnerability in Onlyoffice CommunityServer < 12.5.2 (CVE-2023-34939) | Path traversal, RCE | OnlyOffice | Kirill Firsov (@k_firsov) | - | 2023-06-19 | 2023-07-04 |
| Hunting for Bitwarden master passwords stored in memory | Information disclosure, Memory leak, Local Privilege Escalation | Bitwarden | Naz Markuta (@NazMarkuta) | - | 2023-06-08 | 2023-07-04 |
| Patch Diffing CVE-2023-28121 to Compromise a WooCommerce | Authentication bypass, Privilege escalation | - | Julien Ahrens (@MrTuxracer) | - | 2023-07-03 | 2023-07-03 |
| How Abusing AWS CloudFormation Led to a Total Takeover of an AWS Environment | Cloud, Information disclosure, Privilege escalation, Account takeover | - | Nightbane (@Nightbanes) | - | 2023-07-02 | 2023-07-03 |
| How did I get 200$ with WordPress vulnerability!!! | Information disclosure | - | Nguhuynh | $200 | 2023-07-02 | 2023-07-03 |
| How i was able to get Account Takeover via Insecure Data Storage and WebView With Exported Activity | Account takeover, Android, Webview, Insecure data storage, Firebase | - | Mohamed Reda (@M0x0101) | - | 2023-07-01 | 2023-07-03 |
| SSO Gadgets II: Unauthenticated Client-Side Template Injection to Account Takeover using SSO Gadget Chain | CSTI, Account takeover, SSO, OpenID Connect | - | Lauritz Holtmann (@_lauritz_) | - | 2023-06-30 | 2023-07-03 |
| Laravel debug mode left on at Zouikwatzeggen.nl leaks admin credentials & potentially submitted reports of improper behaviour at Amsterdam University Medical Centers | Debug mode enabled, Android, Email spoofing, Information disclosure | AmsterdamUMC | Jonathan Bouman (@JonathanBouman) | - | 2023-06-30 | 2023-07-03 |
| How I get 1000$ bounty for Discovering Account Takeover in Android Application | Account takeover, Android, Client-side enforcement of server-side security, OTP bypass | - | Amol Bhavar | $1,000 | 2023-06-30 | 2023-07-03 |
| Bug Writeup: Stored XSS to Account Takeover (ATO) via GraphQL API | Stored XSS, CSP bypass, Account takeover, GraphQL | - | Peter M (@pmnh_) | - | 2023-06-29 | 2023-07-03 |

Showing 1 to 50 of 5,397 entries