Top reports from Eternal program at HackerOne:

  1. Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com to Eternal - 557 upvotes, $0
  2. [www.zomato.com] SQLi - /php/██████████ - item_id to Eternal - 320 upvotes, $4500
  3. Improper Validation at Partners Login to Eternal - 248 upvotes, $2000
  4. [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information to Eternal - 240 upvotes, $550
  5. [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s) to Eternal - 228 upvotes, $0
  6. SQL Injection in www.hyperpure.com to Eternal - 227 upvotes, $2000
  7. [www.zomato.com] Blind XSS on one of the Admin Dashboard to Eternal - 218 upvotes, $750
  8. Information Disclosure through Sentry Instance ███████ to Eternal - 176 upvotes, $750
  9. Solr Injection in user_id parameter at :/v2/leaderboard_v2.json to Eternal - 137 upvotes, $2000
  10. [api.zomato.com] Able to manipulate order amount to Eternal - 134 upvotes, $0
  11. Able to manipulate order amount by removing cancellation amount and cause financial impact to Eternal - 129 upvotes, $0
  12. Add up to 10K rupees to a wallet by paying an arbitrary amount to Eternal - 128 upvotes, $2000
  13. Availing Zomato gold by using a random third-party wallet_id to Eternal - 115 upvotes, $2000
  14. [Zomato Order] Insecure deeplink leads to sensitive information disclosure to Eternal - 112 upvotes, $750
  15. [www.zomato.com] Leaking Email Addresses of merchants via reset password feature to Eternal - 111 upvotes, $0
  16. Claiming the listing of a non-delivery restaurant through OTP manipulation to Eternal - 105 upvotes, $3250
  17. Login to any account with the email address to Eternal - 102 upvotes, $1000
  18. [www.zomato.com] Blind XSS in one of the admin dashboard to Eternal - 101 upvotes, $500
  19. Base alpha version code exposure to Eternal - 98 upvotes, $0
  20. Subdomain takeover of fr1.vpn.zomans.com to Eternal - 96 upvotes, $350
  21. credentials leakage in public lead to view dev websites to Eternal - 77 upvotes, $0
  22. [www.zomato.com] Tampering with Order Quantity and paying less amount than actual amount, leads to business loss to Eternal - 76 upvotes, $0
  23. [https://reviews.zomato.com] Time Based SQL Injection to Eternal - 71 upvotes, $1000
  24. Page has a link to google drive which has logos and a few customer phone recordings to Eternal - 71 upvotes, $200
  25. [www.zomato.com] Blind SQL Injection in /php/geto2banner to Eternal - 68 upvotes, $2000
  26. [Zomato Android/iOS] Theft of user session to Eternal - 68 upvotes, $0
  27. IDOR to delete images from other stores to Eternal - 63 upvotes, $600
  28. [www.zomato.com] SQLi on order_id parameter to Eternal - 62 upvotes, $1000
  29. [www.zomato.com] Blind XSS in one of the Admin Dashboard to Eternal - 61 upvotes, $0
  30. subdomain takeover on fddkim.zomato.com to Eternal - 61 upvotes, $0
  31. [www.zomato.com] Union SQLi + Waf Bypass to Eternal - 60 upvotes, $1000
  32. Open AWS S3 bucket leaks all Images uploaded to Zomato chat to Eternal - 57 upvotes, $0
  33. [www.zomato.com] Blind SQL Injection in /php/widgets_handler.php to Eternal - 53 upvotes, $2000
  34. [Zomato for Business Android] Vulnerability in exported activity WebView to Eternal - 52 upvotes, $0
  35. [auth2.zomato.com] Reflected XSS at oauth2/fallbacks/error | ORY Hydra an OAuth 2.0 and OpenID Connect Provider to Eternal - 50 upvotes, $0
  36. Race condition in User comments Likes to Eternal - 44 upvotes, $0
  37. [www.zomato.com] Boolean SQLi - /█████.php to Eternal - 41 upvotes, $1000
  38. Blind XSS - Report review - Admin panel to Eternal - 41 upvotes, $350
  39. IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid to Eternal - 37 upvotes, $250
  40. Attacker shall receive order updates on WhatsApp for users who have activated WhatsApp notification to Eternal - 36 upvotes, $300
  41. [www.zomato.com] Boolean SQLi - /███████.php to Eternal - 35 upvotes, $1000
  42. [www.zomato.com/dubai/gold] CRITICAL - Allowing arbitrary amount to become a GOLD Member to Eternal - 34 upvotes, $0
  43. Unauthorised Access to Anyone's User Account to Eternal - 32 upvotes, $0
  44. [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint to Eternal - 32 upvotes, $0
  45. SSRF in https://www.zomato.com████ allows reading local files and website source code to Eternal - 32 upvotes, $0
  46. Self-Stored XSS - Chained with login/logout CSRF to Eternal - 31 upvotes, $300
  47. Admin Access to a domain used for development and admin access to internal dashboards on that domain to Eternal - 31 upvotes, $0
  48. CORS Misconfiguration on www.zomato.com to Eternal - 30 upvotes, $0
  49. Possible to enumerate Addresses of users using AddressId and guessing the delivery_subzone to Eternal - 28 upvotes, $1500
  50. [█████████] Hardcoded credentials in Android App to Eternal - 28 upvotes, $500
  51. [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php to Eternal - 26 upvotes, $200
  52. HTML injection leads to reflected XSS to Eternal - 26 upvotes, $150
  53. Use any User to Follow you (Increase Followers) [IDOR] to Eternal - 24 upvotes, $50
  54. Reflected XSS on developers.zomato.com to Eternal - 23 upvotes, $100
  55. [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query to Eternal - 23 upvotes, $0
  56. Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day to Eternal - 22 upvotes, $0
  57. Length extension attack leading to HTML injection to Eternal - 21 upvotes, $100
  58. [www.zomato.com] Unauthenticated access to Internal Sales Data of Zomato through an unrestricted endpoint to Eternal - 21 upvotes, $0
  59. Ability to manipulate price with a max threshold of <1 Rupee in support rider parameter to Eternal - 21 upvotes, $0
  60. [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users to Eternal - 20 upvotes, $100
  61. SQL Injection, exploitable in boolean mode to Eternal - 20 upvotes, $0
  62. [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato to Eternal - 20 upvotes, $0
  63. Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI) to Eternal - 19 upvotes, $0
  64. [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php to Eternal - 18 upvotes, $300
  65. Amazon S3 bucket misconfiguration (share) to Eternal - 18 upvotes, $0
  66. Free food bug done by burp suite to Eternal - 17 upvotes, $0
  67. [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at clients/promoDataHandler.php to Eternal - 16 upvotes, $0
  68. Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService to Eternal - 15 upvotes, $300
  69. HTML Injection @ /[restaurant]/order endpoint. to Eternal - 15 upvotes, $150
  70. Posting to Twitter CSRF on php/post_twitter_authenticate.php to Eternal - 15 upvotes, $50
  71. test.zba.se is vulnerable to SSL POODLE to Eternal - 15 upvotes, $0
  72. takeover a lot of accounts to Eternal - 15 upvotes, $0
  73. Restaurant payment information leakage to Eternal - 15 upvotes, $0
  74. User Profiles Leak PII in HTML Document for Mobile Browser User Agents to Eternal - 15 upvotes, $0
  75. Bypass OTP verification when placing Order to Eternal - 14 upvotes, $0
  76. Reflected XSS on https://www.zomato.com to Eternal - 14 upvotes, $0
  77. Zomato.com Reflected Cross Site Scripting to Eternal - 13 upvotes, $100
  78. Bypass OTP verification when placing Order to Eternal - 13 upvotes, $0
  79. Unauthorized update of merchants' information via /php/merchant_details.php to Eternal - 13 upvotes, $0
  80. Potential server misconfiguration leads to disclosure of vendor/ directory to Eternal - 12 upvotes, $0
  81. [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 to Eternal - 11 upvotes, $100
  82. [www.zomato.com] Abusing LocalParams (city) to Inject SOLR query to Eternal - 11 upvotes, $100
  83. Open Redirect On Your Login Panel to Eternal - 11 upvotes, $0
  84. Sending Unlimited Emails to anyone from zomato mail server. to Eternal - 11 upvotes, $0
  85. The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking. to Eternal - 11 upvotes, $0
  86. Visibility Robots.txt file to Eternal - 10 upvotes, $0
  87. Reflected XSS on business-blog.zomato.com - Part I to Eternal - 10 upvotes, $0
  88. IDOR in treat subscriptions to Eternal - 10 upvotes, $0
  89. Mathematical error found in meals for one to Eternal - 10 upvotes, $0
  90. Stored Cross site scripting to Eternal - 9 upvotes, $0
  91. XSS onmouseover to Eternal - 9 upvotes, $0
  92. Twitter Disconnect CSRF to Eternal - 9 upvotes, $0
  93. Zomato Map server going out of memory while resizing map image to Eternal - 9 upvotes, $0
  94. [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query to Eternal - 8 upvotes, $150
  95. CSRF in the "Add restaurant picture" function to Eternal - 8 upvotes, $50
  96. Reflected XSS in Zomato Mobile - category parameter to Eternal - 7 upvotes, $0
  97. Bypassing the SMS sending limit for download app link. to Eternal - 7 upvotes, $0
  98. Outdated MediaElement.js Reflected Cross-Site Scripting (XSS) to Eternal - 6 upvotes, $0
  99. [www.zomato.com] Getting a complimentary dessert [Zomato Treats] on ordering a Meal at no cost to Eternal - 6 upvotes, $0
  100. CSRF AT SELECTING ZOMATO HANDLE to Eternal - 5 upvotes, $0
  101. Several XSS affecting Zomato.com and developers.zomato.com to Eternal - 5 upvotes, $0
  102. CSRF AT INVITING PEOPLE THROUGH PHONE NUMBER to Eternal - 5 upvotes, $0
  103. Reflected XSS on business-blog.zomato.com - Part 2 to Eternal - 5 upvotes, $0
  104. CSRF To Like/Unlike Photos to Eternal - 5 upvotes, $0
  105. Subdomain Takeover to Eternal - 4 upvotes, $0
  106. Weak Password Policy to Eternal - 4 upvotes, $0
  107. Persistent input validation mail encoding vulnerability in the "just followed you" email notification. to Eternal - 4 upvotes, $0
  108. Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow to Eternal - 4 upvotes, $0
  109. Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay to Eternal - 4 upvotes, $0
  110. Clickjacking login page of http://book.zomato.com/ to Eternal - 4 upvotes, $0
  111. MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) to Eternal - 4 upvotes, $0
  112. XSS in flashmediaelement.swf (business-blog.zomato.com) to Eternal - 4 upvotes, $0
  113. xss found in zomato to Eternal - 4 upvotes, $0
  114. XSS on zomato.com to Eternal - 3 upvotes, $0
  115. NexTable: Credentials exposure to Eternal - 3 upvotes, $0
  116. Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE) to Eternal - 3 upvotes, $0
  117. Cross Site Scripting - type Parameter to Eternal - 2 upvotes, $0
  118. Reflected XSS on Zomato API to Eternal - 2 upvotes, $0
  119. CSS to Eternal - 2 upvotes, $0
  120. URL is vulnerable to clickjacking to Eternal - 2 upvotes, $0
  121. XSS in "explore-keywords-dropdown" results. to Eternal - 2 upvotes, $0
  122. Lack of Password Confirmation for Account Deletion to Eternal - 2 upvotes, $0
  123. Remote File Upload Vulnerability in business-blog.zomato.com to Eternal - 1 upvotes, $0
  124. XSS and CSRF in Zomato Contact form to Eternal - 1 upvotes, $0
  125. Persistent XSS on Reservation / Booking Page to Eternal - 1 upvotes, $0
  126. Two XSS vulns in widget parameters (all_collections.php and o2.php) to Eternal - 1 upvotes, $0
  127. Unvalidated redirect on user profile website to Eternal - 1 upvotes, $0
  128. XSS via modified Zomato widget (res_search_widget.php) to Eternal - 0 upvotes, $0