Kamil Vavra | @vavkamil

Offensive website security | Bug bounty | Ethical hacking


Bug bounty

HackerOne

Highlights

Bugcrowd

Highlights

Write-ups & disclosed reports

Responsible disclosure

| Website | Company | Vulnerability | Details | Reward | References |
|---|---|---|---|---|---|
| Airbank.cz | Siteone s.r.o. | XSS | Reflected DOM XSS via POST request | Yes | security.txt |
| Subreg.cz | Gransy s.r.o. | XSS | Multiple reflected & DOM-based XSS | Yes | |
| Airbank.cz | Siteone s.r.o. | Unrestricted file upload | Insecure API endpoint allowing upload of any file | Yes | security.txt |
| Active24.cz | ACTIVE 24, s.r.o. | XSS | DOM-based XSS in domain search | No | security.txt |
| Prospanek.cz | SmartBase | XSS | Reflected XSS in search | No | |
| Damejidlo.cz | damejidlo.cz s.r.o. | XSS | Reflected XSS in restaurants archive | Yes | |
| Gopay.com | GOPAY s.r.o. | XSS | Stored XSS in WordPress (CVE-2019-11869) | No | security.txt |
| Trezor.io | SatoshiLabs s.r.o. | Domain takeover | Disclosure of user IPs via debug MessageEvent | Yes | Leaderboard |
| Rohlik.cz | Velká Pecka s.r.o. | Improper access control | Access to Google calendar revealing sensitive info | No | security.txt |
| o2.cz | O2 Czech Republic a.s. | Multiple IDORs | Disclosure of invoices and PII via Android app API | No | Write-up |
| Idos.cz | MAFRA, a. s. | Multiple XSS, arbitrary file download | Source-code disclosure | No | |
| Socialnisystem.cz | Česká pirátská strana | Reflected XSS | Found via source code review | No | GitHub issue |
| Eshop.upc.cz | UPC Česká republika, s.r.o. | Reflected XSS | Unvalidated redirect | No | |
| Cd.cz | Ceske drahy, a.s. | Personal information leak | Misconfigured API (PII in JavaScript, CORS) | Yes | |
| CSFD.cz | POMO Media Group s.r.o. | XSS, IDOR, account takeover | Multiple vulnerabilities reported via bug bounty | Yes | Hall of Fame |
| T-mobile.cz | T-Mobile Czech Republic a.s. | CSRF, multiple XSS, … | Multiple vulnerabilities reported via bug bounty | Yes | Hall of Fame |
| Zive.cz | CZECH NEWS CENTER a. s. | XSS | Multiple XSS vulnerabilities | No | security.txt |
| Mall.cz | Internet Mall, a.s. | XSS | XSS in Angular template | Yes | Hacktrophy |
| Fler.cz | Fler s.r.o. | CORS misconfiguration | Disclosure of PII via JavaScript exploit | No | |
| Alza.cz | Alza.cz, a.s. | XSS | XSS filter bypass | No | security.txt |
| Heureka.cz | Heureka Group a.s. | XSS | Multiple XSS vulnerabilities | No | security.txt |
| Drmax.cz | Dr. Max BDC, s.r.o. | CORS misconfiguration | Disclosure of PII via JavaScript exploit | No | |
| Email.cz | Seznam.cz, a.s. | Account takeover | XSS -> CSP bypass -> CSRF -> account takeover | No | |
| Tele3.cz | TELE3 s.r.o. | SQLi | Blind SQL injection | Yes | |
| Daybyme.com | DayByMe s.r.o. | CSRF, IDOR | Stored XSS with significant impact | Yes | Hacktrophy |
| Tsbohemia.cz | T.S.BOHEMIA a.s. | XSS | DOM-based XSS in search function | No | |

Content on this site is licensed under a Creative Commons Attribution 4.0 International License
🄯 2019‐2020 - @vavkamil - Open-source Github pages - Powered by Jekyll & The Hacker theme - Subscribe via RSS