TOPZOMATO.md

Top reports from Zomato program at HackerOne:

1. Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com to Zomato - 545 upvotes, $0
2. [www.zomato.com] SQLi - /php/██████████ - item_id to Zomato - 305 upvotes, $4500
3. Improper Validation at Partners Login to Zomato - 238 upvotes, $2000
4. [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s) to Zomato - 221 upvotes, $0
5. [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information to Zomato - 216 upvotes, $550
6. SQL Injection in www.hyperpure.com to Zomato - 214 upvotes, $2000
7. [www.zomato.com] Blind XSS on one of the Admin Dashboard to Zomato - 214 upvotes, $750
8. Information Disclosure through Sentry Instance ███████ to Zomato - 171 upvotes, $750
9. Solr Injection in user_id parameter at :/v2/leaderboard_v2.json to Zomato - 132 upvotes, $2000
10. [api.zomato.com] Able to manipulate order amount to Zomato - 131 upvotes, $0
11. Able to manipulate order amount by removing cancellation amount and cause financial impact to Zomato - 124 upvotes, $0
12. Add upto 10K rupees to a wallet by paying an arbitrary amount to Zomato - 113 upvotes, $2000
13. [Zomato Order] Insecure deeplink leads to sensitive information disclosure to Zomato - 107 upvotes, $750
14. Availing Zomato gold by using a random third-party wallet_id to Zomato - 104 upvotes, $2000
15. [www.zomato.com] Leaking Email Addresses of merchants via reset password feature to Zomato - 104 upvotes, $0
16. Login to any account with the emailaddress to Zomato - 98 upvotes, $1000
17. Base alpha version code exposure to Zomato - 98 upvotes, $0
18. [www.zomato.com] Blind XSS in one of the admin dashboard to Zomato - 97 upvotes, $500
19. Claiming the listing of a non-delivery restaurant through OTP manipulation to Zomato - 91 upvotes, $3250
20. Subdomain takeover of fr1.vpn.zomans.com to Zomato - 91 upvotes, $350
21. credentials leakage in public lead to view dev websites to Zomato - 75 upvotes, $0
22. [www.zomato.com] Tampering with Order Quantity and paying less amount then actual amount, leads to business loss to Zomato - 68 upvotes, $0
23. [https://reviews.zomato.com] Time Based SQL Injection to Zomato - 67 upvotes, $1000
24. [Zomato Android/iOS] Theft of user session to Zomato - 63 upvotes, $0
25. [www.zomato.com] Blind SQL Injection in /php/geto2banner to Zomato - 60 upvotes, $2000
26. [www.zomato.com] SQLi on order_id parameter to Zomato - 60 upvotes, $1000
27. [www.zomato.com] Blind XSS in one of the Admin Dashboard to Zomato - 60 upvotes, $0
28. [www.zomato.com] Union SQLi + Waf Bypass to Zomato - 58 upvotes, $1000
29. subdomain takeover on fddkim.zomato.com to Zomato - 56 upvotes, $0
30. IDOR to delete images from other stores to Zomato - 50 upvotes, $600
31. Open AWS S3 bucket leaks all Images uploaded to Zomato chat to Zomato - 50 upvotes, $0
32. [Zomato for Business Android] Vulnerability in exported activity WebView to Zomato - 50 upvotes, $0
33. Page has a link to google drive which has logos and a few customer phone recordings to Zomato - 47 upvotes, $200
34. [www.zomato.com] Blind SQL Injection in /php/widgets_handler.php to Zomato - 46 upvotes, $2000
35. [auth2.zomato.com] Reflected XSS at oauth2/fallbacks/error | ORY Hydra an OAuth 2.0 and OpenID Connect Provider to Zomato - 46 upvotes, $0
36. Race condition in User comments Likes to Zomato - 41 upvotes, $0
37. [www.zomato.com] Boolean SQLi - /█████.php to Zomato - 40 upvotes, $1000
38. Blind XSS - Report review - Admin panel to Zomato - 39 upvotes, $350
39. [www.zomato.com] Boolean SQLi - /███████.php to Zomato - 35 upvotes, $1000
40. [www.zomato.com/dubai/gold] CRITICAL - Allowing arbitrary amount to become a GOLD Member to Zomato - 33 upvotes, $0
41. Self-Stored XSS - Chained with login/logout CSRF to Zomato - 31 upvotes, $300
42. SSRF in https://www.zomato.com████ allows reading local files and website source code to Zomato - 31 upvotes, $0
43. Unauthorised Access to Anyone's User Account to Zomato - 30 upvotes, $0
44. IDOR to cancel any table booking and leak sensitive information such as email,mobile number,uuid to Zomato - 29 upvotes, $250
45. [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint to Zomato - 29 upvotes, $0
46. Admin Access to a domain used for development and admin access to internal dashboards on that domain to Zomato - 29 upvotes, $0
47. CORS Misconfiguration on www.zomato.com to Zomato - 28 upvotes, $0
48. [█████████] Hardcoded credentials in Android App to Zomato - 27 upvotes, $500
49. Attacker shall recieve order updates on whatsapp for users who have activated whatsapp notification to Zomato - 27 upvotes, $300
50. [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php to Zomato - 25 upvotes, $200
51. HTML injection leads to reflected XSS to Zomato - 24 upvotes, $150
52. Possible to enumerate Addresses of users using AddressId and guessing the delivery_subzone to Zomato - 23 upvotes, $1500
53. Reflected XSS on developers.zomato.com to Zomato - 23 upvotes, $100
54. [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query to Zomato - 23 upvotes, $0
55. Length extension attack leading to HTML injection to Zomato - 21 upvotes, $100
56. Use any User to Follow you (Increase Followers) [IDOR] to Zomato - 21 upvotes, $50
57. SQL Injection, exploitable in boolean mode to Zomato - 20 upvotes, $0
58. [www.zomato.com] Unauthenticated access to Internal Sales Data of Zomato through an unrestricted endpoint to Zomato - 20 upvotes, $0
59. Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day to Zomato - 20 upvotes, $0
60. Ability to manipulate price with a max threshold of \<1 Rupee in support rider parameter to Zomato - 20 upvotes, $0
61. [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php to Zomato - 18 upvotes, $300
62. Free food bug done by burp suite to Zomato - 17 upvotes, $0
63. [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users to Zomato - 16 upvotes, $100
64. Amazon S3 bucket misconfiguration (share) to Zomato - 16 upvotes, $0
65. [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurants from Zomato to Zomato - 16 upvotes, $0
66. Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService to Zomato - 15 upvotes, $300
67. HTML Injection @ /[restaurant]/order endpoint. to Zomato - 15 upvotes, $150
68. Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI) to Zomato - 15 upvotes, $0
69. takeover a lot of accounts to Zomato - 15 upvotes, $0
70. Restaurant payment information leakage to Zomato - 15 upvotes, $0
71. User Profiles Leak PII in HTML Document for Mobile Browser User Agents to Zomato - 15 upvotes, $0
72. Posting to Twitter CSRF on php/post_twitter_authenticate.php to Zomato - 14 upvotes, $50
73. test.zba.se is vulnerable to SSL POODLE to Zomato - 14 upvotes, $0
74. Reflected XSS on https://www.zomato.com to Zomato - 14 upvotes, $0
75. Zomato.com Reflected Cross Site Scripting to Zomato - 13 upvotes, $100
76. [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a Post Request at clients/promoDataHandler.php to Zomato - 13 upvotes, $0
77. Bypass OTP verification when placing Order to Zomato - 11 upvotes, $0
78. Bypass OTP verification when placing Order to Zomato - 11 upvotes, $0
79. Unauthorized update of merchants' information via /php/merchant_details.php to Zomato - 11 upvotes, $0
80. [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 to Zomato - 11 upvotes, $0
81. Sending Unlimited Emails to anyone from zomato mail server. to Zomato - 11 upvotes, $0
82. Visibility Robots.txt file to Zomato - 10 upvotes, $0
83. Potential server misconfiguration leads to disclosure of vendor/ directory to Zomato - 10 upvotes, $0
84. Open Redirect On Your Login Panel to Zomato - 10 upvotes, $0
85. The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking. to Zomato - 10 upvotes, $0
86. [www.zomato.com] Abusing LocalParams (city) to Inject SOLR query to Zomato - 9 upvotes, $100
87. XSS onmouseover to Zomato - 9 upvotes, $0
88. Twitter Disconnect CSRF to Zomato - 9 upvotes, $0
89. Reflected XSS on business-blog.zomato.com - Part I to Zomato - 9 upvotes, $0
90. Zomato Map server going out of memory while resizing map image to Zomato - 9 upvotes, $0
91. Mathematical error found in meals for one to Zomato - 9 upvotes, $0
92. CSRF in the "Add restaurant picture" function to Zomato - 8 upvotes, $50
93. Stored Cross site scripting to Zomato - 8 upvotes, $0
94. Bypassing the SMS sending limit for download app link. to Zomato - 7 upvotes, $0
95. [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query to Zomato - 6 upvotes, $150
96. Reflected XSS in Zomato Mobile - category parameter to Zomato - 6 upvotes, $0
97. IDOR in treat subscriptions to Zomato - 6 upvotes, $0
98. [www.zomato.com] Getting a complimentary dessert [Zomato Treats] on ordering a Meal at no cost to Zomato - 6 upvotes, $0
99. Several XSS affecting Zomato.com and developers.zomato.com to Zomato - 5 upvotes, $0
100. CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER to Zomato - 5 upvotes, $0
101. Reflected XSS on business-blog.zomato.com - Part 2 to Zomato - 5 upvotes, $0
102. CSRF To Like/Unlike Photos to Zomato - 5 upvotes, $0
103. Outdated MediaElement.js Reflected Cross-Site Scripting (XSS) to Zomato - 5 upvotes, $0
104. Subdomain Takeover to Zomato - 4 upvotes, $0
105. CSRF AT SELECTING ZAMATO HANDLE to Zomato - 4 upvotes, $0
106. Persistent input validation mail encoding vulnerability in the "just followed you" email notification. to Zomato - 4 upvotes, $0
107. Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay to Zomato - 4 upvotes, $0
108. MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) to Zomato - 4 upvotes, $0
109. XSS in flashmediaelement.swf (business-blog.zomato.com) to Zomato - 4 upvotes, $0
110. xss found in zomato to Zomato - 4 upvotes, $0
111. XSS on zomato.com to Zomato - 3 upvotes, $0
112. Clickjacking login page of http://book.zomato.com/ to Zomato - 3 upvotes, $0
113. NexTable: Credentials exposure to Zomato - 3 upvotes, $0
114. Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE) to Zomato - 3 upvotes, $0
115. Weak Password Policy to Zomato - 2 upvotes, $0
116. Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow to Zomato - 2 upvotes, $0
117. CSS to Zomato - 2 upvotes, $0
118. URL is vulnerable to clickjacking to Zomato - 2 upvotes, $0
119. XSS in "explore-keywords-dropdown" results. to Zomato - 2 upvotes, $0
120. Cross Site Scripting - type Patameter to Zomato - 1 upvotes, $0
121. Remote File Upload Vulnerability in business-blog.zomato.com to Zomato - 1 upvotes, $0
122. XSS and CSRF in Zomato Contact form to Zomato - 1 upvotes, $0
123. Reflected XSS on Zomato API to Zomato - 1 upvotes, $0
124. Persistent XSS on Reservation / Booking Page to Zomato - 1 upvotes, $0
125. Two XSS vulns in widget parameters (all_collections.php and o2.php) to Zomato - 1 upvotes, $0
126. Unvalidated redirect on user profile website to Zomato - 1 upvotes, $0
127. Lack of Password Confirmation for Account Deletion to Zomato - 1 upvotes, $0
128. XSS via modified Zomato widget (res_search_widget.php) to Zomato - 0 upvotes, $0