Add files via upload

ViolationofSecureDesignPrinciples/10027.txt

@@ -0,0 +1,18 @@
+ReportLink:https://hackerone.com/reports/10027
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/redshark1802
+ReportedTo:Mail.ru(mailru)
+BountyAmount:
+Severity:
+State:Closed
+DateOfDisclosure:27.05.2014 17:07:49
+
+Summary:
+
+Hallo,
+
+e.mail.ru is not properly protected with SSL encryption
+It is possible to login without using HTTPS, this could to lead man-in-the-middle password-disclosure.
+
+The best,
+Simon

ViolationofSecureDesignPrinciples/100956.txt

@@ -0,0 +1,23 @@
+ReportLink:https://hackerone.com/reports/100956
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/jurajk
+ReportedTo:Shopify(shopify)
+BountyAmount:
+Severity:
+State:Closed
+DateOfDisclosure:01.12.2015 22:39:11
+
+Summary:
+
+PoC:
+1) Protect your e-shop with a password (Storefront password)
+2) Go to your e-shop URL and enter the password to access the store
+3) There is a cookie created - name: storefront_digest - this cookie contains the password (in a secure way) which protects your store
+4) This cookie is not marked as HttpOnly, so if there is e.g. XSS, anyone can steal this cookie
+5) With this cookie anyone can access your "Opening soon" e-shop, even if he doesn't know the password
+
+Before you answered I would like to confirm that I read shopify terms and:
+1) I don't care about he password strength. It is not important in that case
+2) I am pretty sure that this cookie - storefront_digest - is a sensitive cookie since by stealing this cookie you can access resources you shouldn't be able to...
+
+Thank you. 

ViolationofSecureDesignPrinciples/10109.txt

@@ -0,0 +1,12 @@
+ReportLink:https://hackerone.com/reports/10109
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/dawidczagan
+ReportedTo:HackerOne(security)
+BountyAmount:
+Severity:
+State:Closed
+DateOfDisclosure:30.04.2014 22:02:01
+
+Summary:
+
+There seems to be no prevention from sending multiple password reset links to a selected e-mail. As a result mailbox of the user can be flooded with these mails. I would recommend to add CAPTCHA in forgot password functionality.

ViolationofSecureDesignPrinciples/102327.txt

@@ -0,0 +1,16 @@
+ReportLink:https://hackerone.com/reports/102327
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/ckmk44
+ReportedTo:withinsecurity(withinsecurity)
+BountyAmount:250.0
+Severity:
+State:Closed
+DateOfDisclosure:21.01.2016 4:55:48
+
+Summary:
+
+Hi,
+content injection in withinsecurity :
+[https://withinsecurity.com/wp-login.php?error=Please log in through prashanthvarma.in ](https://withinsecurity.com/wp-login.php?error=Please log in through prashanthvarma.in . This is content injection)
+Regards
+prashanth varma

ViolationofSecureDesignPrinciples/10377.txt

@@ -0,0 +1,34 @@
+ReportLink:https://hackerone.com/reports/10377
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/faisalahmed
+ReportedTo:C2FO(c2fo)
+BountyAmount:
+Severity:
+State:Closed
+DateOfDisclosure:23.09.2014 0:15:39
+
+Summary:
+
+Hello,
+There is an user sessions issue on your application that should be fixed.
+
+Proof of Concept
+------------------------
+Suppose, you have an account on *C2FO* (app.c2fo.com).
+Somehow an attacker manage to get your password and logged in your account.. after knowing that your ID has been compromised what you'll do ?
+i guess first thing that will popup into your head is, "I should change my password!" and you'll change the password.. maximum users just change his/her password when they recover their ID.
+in *C2FO*, changing the password doesn't destroys the other sessions which are logged in with old passwords.
+As other sessions is not destroyed, attacker will be still logged in your account even after changing password, cause his session is still active.. he'll have complete access on your account till that session expires!
+So, your account remains insecure even after the changing of password.
+
+PATCH
+----------
+
+* When some change his/her password, each and every active sessions that belongs to that particular account must be destroyed!
+*  I would recommend you to follow Facebook on this security issue.. They fixed this issue few months back by adding a process that asks users whether user want to close all open sessions or not right after changing password.
+
+So there is two way, either you let users to choose if they want to keep active sessions or just destroy every active sessions when an users change his/her password!
+
+I look forward to hearing from you!
+
+Thanks and Best Wishes.

ViolationofSecureDesignPrinciples/105953.txt

@@ -0,0 +1,13 @@
+ReportLink:https://hackerone.com/reports/105953
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/goro
+ReportedTo:HackerOne(security)
+BountyAmount:500.0
+Severity:
+State:Closed
+DateOfDisclosure:19.12.2015 2:02:54
+
+Summary:
+
+Hello! For example we have a link `https://hackerone.com/blog/introducing-signal-and-impact`, and we will change it to `https://hackerone.com/blog/introducing-signal-and-impact?&u=https://vk.com/durov`. If you send a link to the user and he wants to share a link to facebook, the content will change.
+`https://www.facebook.com/sharer.php?u=https://hackerone.com/blog/introducing-signal-and-impact?&u=https://vk.com/durov`

ViolationofSecureDesignPrinciples/106024.txt

@@ -0,0 +1,31 @@
+ReportLink:https://hackerone.com/reports/106024
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/gorang_joshi
+ReportedTo:ownCloud(owncloud)
+BountyAmount:
+Severity:
+State:Closed
+DateOfDisclosure:14.03.2016 12:19:11
+
+Summary:
+
+Hello Owncloud ! 
+For Example , We Have a Link :
+```
+https://owncloud.com/blog-you-can-soon-be-fined/
+```
+And We Change It To :-
+```
+https://owncloud.com/blog-you-can-soon-be-fined/?u=https://vk.com&text=another_site:https://hackerone.com/gorang_joshi
+```
+So When You Share It , While Using Your Sharing Buttons Present On Your Page , The Source Code Will Change :
+Facebook : ```https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fowncloud.com%2Fblog-you-can-soon-be-fined%2F%3Fu%3Dhttps%3A%2F%2Fvk.com&text=another_site%3Ahttps%3A%2F%2Fhackerone.com%2Fgorang_joshi```
+
+
+twitter :```https://twitter.com/intent/tweet?text=another_site%3Ahttps%3A%2F%2Fhackerone.com%2Fgorang_joshi&url=https%3A%2F%2Fowncloud.com%2Fblog-you-can-soon-be-fined%2F%3Fu%3Dhttps%3A%2F%2Fvk.com&original_referer=```
+
+Thanks , The Same Report Was Reported By My Friend To Hackerone , You Can Check This Here :
+```
+https://hackerone.com/reports/105953
+```
+Thanks , Hope You'll Response Likewise :)

ViolationofSecureDesignPrinciples/106305.txt

@@ -0,0 +1,17 @@
+ReportLink:https://hackerone.com/reports/106305
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/ashish_r_padelkar
+ReportedTo:HackerOne(security)
+BountyAmount:500.0
+Severity:
+State:Closed
+DateOfDisclosure:07.01.2016 2:01:00
+
+Summary:
+
+New section has been added recently in reputation where you can see  something called as signal , which says average reputation per report. However, you can improve your signal points by following below steps
+
+Steps:
+create any report in any team
+self close the bug
+see your signal in reputation. it will improve!.

ViolationofSecureDesignPrinciples/106348.txt

@@ -0,0 +1,30 @@
+ReportLink:https://hackerone.com/reports/106348
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/djamel-ghorab
+ReportedTo:Algolia(algolia)
+BountyAmount:100.0
+Severity:
+State:Closed
+DateOfDisclosure:09.05.2016 18:44:53
+
+Summary:
+
+Hello i want to report a text injection and a missconfiguration of the 404 page which can be used in phishing
+
+the bug exists at :
+
+https://www.algolia.com/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.crowdcurity.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
+
+https://blog.algolia.com//test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.crowdcurity.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
+
+
+
+as you can see attacker text is included 
+"It has been changed by a new one https://www.crowdcurity.com so go to the new one since this one was not found on this server."
+
+
+Fix : just use a 404 page that don't include attacker text just as : hackerone do 
+or just as you do in your other  domain 
+http://status.algolia.com/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.crowdcurity.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
+hope you fix it
+ thanks

ViolationofSecureDesignPrinciples/106350.txt

@@ -0,0 +1,23 @@
+ReportLink:https://hackerone.com/reports/106350
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/djamel-ghorab
+ReportedTo:withinsecurity(withinsecurity)
+BountyAmount:250.0
+Severity:
+State:Closed
+DateOfDisclosure:16.01.2016 1:05:51
+
+Summary:
+
+Hello i want to report a text injection and a missconfiguration of the 404 page which can be used in phishing
+
+the bug exists at :
+
+https://withinsecurity.com/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.crowdcurity.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
+
+as you can see attacker text is included 
+"It has been changed by a new one https://www.crowdcurity.com so go to the new one since this one was not found on this server."
+
+Fix : just use a 404 page that don't include attacker text just as : hackerone do (a 404 page that don't include any externel text 
+hope you fix it
+thanks

ViolationofSecureDesignPrinciples/107877.txt

@@ -0,0 +1,11 @@
+ReportLink:https://hackerone.com/reports/107877
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/pisarenko
+ReportedTo:VK.com(vkcom)
+BountyAmount:500.0
+Severity:
+State:Closed
+DateOfDisclosure:13.02.2017 17:34:22
+
+Summary:
+Отсутствие flood-контроля в api методе регистрации, что давало возможность отправлять массово смс или звонить на произвольный номер.

ViolationofSecureDesignPrinciples/108645.txt

@@ -0,0 +1,12 @@
+ReportLink:https://hackerone.com/reports/108645
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/whit537
+ReportedTo:Gratipay(gratipay)
+BountyAmount:
+Severity:medium
+State:Closed
+DateOfDisclosure:16.04.2017 17:42:44
+
+Summary:
+
+Over in #87531, we're about to roll out a protection against using our "resend email verification" feature to mail-bomb a third party. However, chad+foo@zetaweb.com and chad+bar@zetaweb.com are not unlikely to fold down to the same address. In order to close that loophole, I suppose we'd need to either implement email address parsing—but what folding rules are we going to observer?—or throttle based on the authenticated user and not the `to` field, as @rohitpaulk suggested over on #87531 for other reasons.

ViolationofSecureDesignPrinciples/108692.txt

@@ -0,0 +1,46 @@
+ReportLink:https://hackerone.com/reports/108692
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/ishahriyar
+ReportedTo:ownCloud(owncloud)
+BountyAmount:
+Severity:
+State:Closed
+DateOfDisclosure:06.02.2016 16:11:39
+
+Summary:
+
+
+
+I have come across with a HTTPS security issue - compromises HTTPS security by loading images from non secure source in stats.owncloud.org
+Vulnerability Type: Mixed Active Scripting Issue
+
+Description:
+Mixed Active Content is content that has access to and can affect all or parts of the Document Object Model (DOM) of an HTTPS page. This type of mixed content can alter the behavior of an HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks for Mixed Passive Content, Mixed Active Content is also exposed to a number of additional attack vectors.
+A MITM attacker can intercept requests for HTTP active content. The attacker can then re-write the response to include malicious JavaScript /fonts code. Malicious script can steal the user’s credentials, acquire sensitive data about the user, or attempt to install malware on the user’s system (by leveraging vulnerable plugins the user has installed, for example).
+
+Criticality level: Medium
+
+Criticality level justification:
+Data which is transmitted in this link could be read by An attacker who is in Same network in some cases this could help to steal information.
+
+Steps:
+1) Visit link https://stats.owncloud.org
+2) Press F12 to open Developers tool in Google Chrome OR IE OR in Firefox browser and observe console. You will come across security error - "A Secure Hypertext Transfer Protocol (HTTPS) page has content from a non-secure source.
+
+Mixed content security error messages: : Firefox= 'Loading mixed (insecure) display content "http://stats.owncloud.org/misc/user/logo.png'
+. This content should also be served over HTTPS.
+
+Scenario:
+There are 3 easy steps to attack the user through a mixed content vulnerability…
+1) Set-up a Man-in-the-Middle attack. These are most easily done on public networks such as those in coffee shops or airports.
+2) Use a mixed content vulnerability to inject a malicious javascript file. Malicious code will run in an HTTPS website that the user browsers to. The key point is that the HTTPS site has a mixed content vulnerability on it, which means that it executes content downloaded over HTTP. This is where the Man-in-the-Middle attack and Mixed Content vulnerability combine into a dangerous scenario.
+“If some attacker is able to either tamper with Javascript or stylesheet files he can effectively also tamper with the other content on your page (e.g. by modifying the DOM ). So it’s either all or nothing. Either all of your elements are served using SSL, then you are secure. Or you load some Javascript or stylesheet files from a plain HTTP connection, then you aren’t secure anymore.”
+3) Steal the user’s identity (or do other bad things).
+
+Solution ::
+Make sure all content in the page including images, js, fonts are from HTTPS sources.
+
+Reference : http://msdn.microsoft.com/en-us/library/ie/dn423949(v=vs.85).aspx
+Video :: http://www.youtube.com/watch?v=zEV3HOuM_Vw
+
+Thanks.

ViolationofSecureDesignPrinciples/108723.txt

@@ -0,0 +1,86 @@
+ReportLink:https://hackerone.com/reports/108723
+WeaknessName:Violation of Secure Design Principles
+Reporter:https://hackerone.com/backus
+ReportedTo:Ruby on Rails(rails)
+BountyAmount:250.0
+Severity:medium
+State:Closed
+DateOfDisclosure:12.02.2016 20:03:57
+
+Summary:
+Possible Input Validation Circumvention in Active Model
+
+There is a possible input validation circumvention vulnerability in Active
+Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.
+
+Versions Affected:  4.1.0 and newer
+Not affected:       4.0.13 and older
+Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1
+
+Impact
+------
+Code that uses Active Model based models (including Active Record models) and
+does not validate user input before passing it to the model can be subject to
+an attack where specially crafted input will cause the model to skip
+validations.
+
+Vulnerable code will look something like this:
+
+```ruby
+SomeModel.new(unverified_user_input)
+```
+
+Rails users using Strong Parameters are generally not impacted by this issue
+as they are encouraged to whitelist parameters and must specifically opt-out
+of input verification using the `permit!` method to allow mass assignment.
+
+For example, a vulnerable Rails application will have code that looks like
+this:
+
+```ruby
+def create
+  params.permit! # allow all parameters
+  @user = User.new params[:users]
+end
+```
+
+Active Model and Active Record objects are not equipped to handle arbitrary
+user input.  It is up to the application to verify input before passing it to
+Active Model models.  Rails users already have Strong Parameters in place to
+handle white listing, but applications using Active Model and Active Record
+outside of a Rails environment may be impacted.
+
+All users running an affected release should either upgrade or use one of the
+workarounds immediately.
+
+Releases
+--------
+The FIXED releases are available at the normal locations.
+
+Workarounds
+-----------
+There are several workarounds depending on the application.  Inside a Rails
+application, stop using `permit!`.  Outside a Rails application, either use
+Hash#slice to select the parameters you need, or integrate Strong Parameters
+with your application.
+
+Patches
+-------
+To aid users who aren't able to upgrade immediately we have provided patches for
+the two supported release series. They are in git-am format and consist of a
+single changeset.
+
+* 4-1-validation_skip.patch - Patch for 4.1 series
+* 4-2-validation_skip.patch - Patch for 4.2 series
+* 5-0-validation_skip.patch - Patch for 5.0 series
+
+Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+of earlier unsupported releases are advised to upgrade as soon as possible as we
+cannot guarantee the continued availability of security fixes for unsupported
+releases.
+
+Credits
+-------
+Thanks to:
+
+[John Backus](https://github.com/backus) from BlockScore for reporting this!