TOPGITHUBSECURITYLAB.md
Top reports from the GitHub Security Lab program at HackerOne, ranked by upvotes (bounty paid shown after each entry):

  1. Java (Maven): Actually fix the use of insecure protocol to download/upload artifacts to GitHub Security Lab - 283 upvotes, $4000
  2. Initial websocket support for Javascript (SockJS) to GitHub Security Lab - 66 upvotes, $1800
  3. Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks to GitHub Security Lab - 58 upvotes, $2300
  4. CodeQL query for finding LDAP Injection (CWE-90) vulnerabilities in Java to GitHub Security Lab - 51 upvotes, $3000
  5. Java/CWE-036: Calling openStream on URLs created from remote source can lead to file disclosure to GitHub Security Lab - 51 upvotes, $1800
  6. [Java] CWE-326: Query to detect weak encryption with an insufficient key size to GitHub Security Lab - 40 upvotes, $4500
  7. [Java] CWE-555: Query to detect password in Java EE configuration files to GitHub Security Lab - 37 upvotes, $1800
  8. Java (Maven): Use of insecure protocol to download/upload artifacts to GitHub Security Lab - 33 upvotes, $2300
  9. Java: Fix NashornScriptEngine detection in ScriptEngine query to GitHub Security Lab - 32 upvotes, $4500
  10. LDAP injection vulnerability in Java to GitHub Security Lab - 29 upvotes, $2500
  11. CodeQL query to detect JNDI injections to GitHub Security Lab - 28 upvotes, $2300
  12. Python : Add query to detect Server Side Template Injection to GitHub Security Lab - 28 upvotes, $2300
  13. CPP: Out of order Linux permission dropping without checking return codes to GitHub Security Lab - 21 upvotes, $1800
  14. Java: Query for detecting JEXL injections to GitHub Security Lab - 20 upvotes, $4500
  15. Java: CWE-939 - Address improper URL authorization to GitHub Security Lab - 17 upvotes, $1500
  16. [javascript] CWE-020: CodeQL query to detect missing origin validation in cross-origin communication via postMessage to GitHub Security Lab - 16 upvotes, $1800
  17. [Java] CWE-755: Query to detect Local Android DoS caused by NFE to GitHub Security Lab - 15 upvotes, $1800
  18. Java: Query for detecting unsafe deserialization with Spring exporters to GitHub Security Lab - 14 upvotes, $4500
  19. Netty HTTP Response Splitting (CRLF Injection) due to disabled header validation to GitHub Security Lab - 14 upvotes, $1500
  20. CPP: Out of order Linux permission dropping without checking return codes to GitHub Security Lab - 14 upvotes, $1500
  21. CodeQL query for SpEL injections to GitHub Security Lab - 13 upvotes, $2300
  22. Java : CWE-548 - J2EE server directory listing enabled to GitHub Security Lab - 13 upvotes, $1800
  23. [Java] CWE-939 - Address improper URL authorization to GitHub Security Lab - 11 upvotes, $1800
  24. gagliardetto: Query to detect incorrect conversion between numeric types to GitHub Security Lab - 11 upvotes, $1800
  25. Golang : Improvements to Golang SSRF query to GitHub Security Lab - 11 upvotes, $1800
  26. Java: CWE-532 sensitive info logging to GitHub Security Lab - 11 upvotes, $500
  27. Golang : Add Email Content Injection query to GitHub Security Lab - 10 upvotes, $2300
  28. Java: CWE-600 Uncaught servlet exception to GitHub Security Lab - 10 upvotes, $1800
  29. Java: CWE-798 - Hardcoded AWS credentials to GitHub Security Lab - 10 upvotes, $1000
  30. [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences to GitHub Security Lab - 9 upvotes, $4500
  31. Java: CWE-522 Insecure basic authentication to GitHub Security Lab - 9 upvotes, $2300
  32. [Java] CWE-598: Use of GET Request Method with Sensitive Query Strings to GitHub Security Lab - 9 upvotes, $1800
  33. CodeQL query to detect insecure MaxLengthRequest values in ASP.NET applications to GitHub Security Lab - 9 upvotes, $1000
  34. CodeQL query to detect Server-Side Template Injections (JavaScript) to GitHub Security Lab - 8 upvotes, $2300
  35. CodeQL query to detect open Spring Boot actuator endpoints to GitHub Security Lab - 8 upvotes, $1800
  36. Java: CWE-297 Insecure JavaMail SSL configuration to GitHub Security Lab - 8 upvotes, $1800
  37. [Java] CWE-327: Add more broken crypto algorithms to GitHub Security Lab - 8 upvotes, $1800
  38. CodeQL query for unsafe TLS versions to GitHub Security Lab - 7 upvotes, $1800
  39. Java: CWE-273 Unsafe certificate trust to GitHub Security Lab - 7 upvotes, $1800
  40. Java: Detect remote source from Android intent extra to GitHub Security Lab - 7 upvotes, $1800
  41. [Java] CWE-297: Insecure LDAP endpoint configuration to GitHub Security Lab - 7 upvotes, $1800
  42. [codeql-go]: Add query to find use of constant state parameter in Oauth2 flow to GitHub Security Lab - 6 upvotes, $4500
  43. ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strlen. to GitHub Security Lab - 6 upvotes, $1000
  44. codeql-go: Expand Go standard library taint-tracking models to 63 packages, 554 models and 733 tests (from ~13 packages, ~103 models, ~50 tests) to GitHub Security Lab - 5 upvotes, $6000
  45. [Java] CWE-927: Sensitive broadcast to GitHub Security Lab - 5 upvotes, $1800
  46. CPP: CWE-191 into experimental this reveals a dangerous comparison to GitHub Security Lab - 5 upvotes, $1800
  47. [Java] CWE-489: Query to detect main() method in Java EE applications to GitHub Security Lab - 5 upvotes, $1800
  48. Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET to GitHub Security Lab - 5 upvotes, $1000
  49. CodeQL query to detect pages with validationRequest disabled to GitHub Security Lab - 5 upvotes, $1000
  50. CodeQL query for finding ReDoS and Regex Injection vulnerabilities in Java to GitHub Security Lab - 5 upvotes, $1000
  51. ihsinme: CPP Add query for CWE-14 compiler removal of code to clear buffers. to GitHub Security Lab - 5 upvotes, $1000
  52. ihsinme: CPP add query for: CPP Add query for CWE-20 Improper Input Validation to GitHub Security Lab - 5 upvotes, $1000
  53. CodeQL query to detect weak (duplicated) encryption keys for ASP.NET Telerik Upload to GitHub Security Lab - 5 upvotes, $500
  54. Dynamic reflection class to GitHub Security Lab - 5 upvotes, $200
  55. CodeQL query for MVEL injections to GitHub Security Lab - 4 upvotes, $2300
  56. CodeQL query for finding CSRF vulnerabilities in Spring applications to GitHub Security Lab - 4 upvotes, $1800
  57. Java: Add SSRF query for Java to GitHub Security Lab - 4 upvotes, $1800
  58. [JavaScript]: add query for Express-HBS LFR to GitHub Security Lab - 4 upvotes, $1800
  59. Java: CWE-346 Queries to detect remote source flow to CORS Headers to GitHub Security Lab - 4 upvotes, $1800
  60. Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') to GitHub Security Lab - 4 upvotes, $1800
  61. Java : Add query for detecting Log Injection vulnerabilities to GitHub Security Lab - 4 upvotes, $1080
  62. Java : Add query for detecting Log Injection vulnerabilities to GitHub Security Lab - 4 upvotes, $720
  63. [Java]: CWE-523 Insecure HSTS configuration to GitHub Security Lab - 4 upvotes, $250
  64. Go/CWE-643: XPath Injection Query in Go to GitHub Security Lab - 4 upvotes, $0
  65. CPP: Missing/incomplete TLS server certificate hostname validation to GitHub Security Lab - 4 upvotes, $0
  66. [javascript] CWE-90: CodeQL to detect LDAP Injection to GitHub Security Lab - 3 upvotes, $4500
  67. XPath Injection query in java to GitHub Security Lab - 3 upvotes, $1800
  68. CodeQL query for disabled revocation checking to GitHub Security Lab - 3 upvotes, $1800
  69. [javascript] CWE-117: CodeQL query to detect Log Injection to GitHub Security Lab - 3 upvotes, $1800
  70. Golang : Add MongoDb NoSQL injection sinks to GitHub Security Lab - 3 upvotes, $1800
  71. [Java] CWE-522: Insecure LDAP authentication to GitHub Security Lab - 3 upvotes, $1800
  72. Java : Add query to detect Apache Struts enabled Development mode to GitHub Security Lab - 3 upvotes, $1800
  73. Java : add MongoDB injection sinks to GitHub Security Lab - 3 upvotes, $1000
  74. CodeQL query to detect OGNL injections to GitHub Security Lab - 2 upvotes, $2300
  75. Query to find TLS configurations supporting hardcoded insecure versions of the protocol and cipher suites to GitHub Security Lab - 2 upvotes, $2300
  76. CWE-094 ScriptEngine in java to GitHub Security Lab - 2 upvotes, $1800
  77. ihsinme: CPP Add query for CWE-401 memory leak on unsuccessful call to realloc function to GitHub Security Lab - 2 upvotes, $1800
  78. [golang] Division by zero query to GitHub Security Lab - 2 upvotes, $1800
  79. ihsinme: CPP add query for CWE-788 Access of memory location after the end of a buffer using strncat. to GitHub Security Lab - 2 upvotes, $1800
  80. Java : Add a query to detect Spring View Manipulation Vulnerability to GitHub Security Lab - 2 upvotes, $1800
  81. [Java] CWE-295: Disabled certificate validation in JXBrowser to GitHub Security Lab - 2 upvotes, $0
  82. [CATENACYBER]: [CPP] CWE-476 Null Pointer Dereference : Another query to either missing or redundant NULL check to GitHub Security Lab - 1 upvote, $1800
  83. CodeQL query to detect XSLT injections to GitHub Security Lab - 1 upvote, $1800
  84. Java: QL Query Detector for JHipster Generated CVE-2019-16303 to GitHub Security Lab - 1 upvote, $1800
  85. [javascript] CWE-614: CodeQL query to detect if cookies are sent without the flag secure being set to GitHub Security Lab - 1 upvote, $1800
  86. Java : add fastjson detection. Improve RemoteFlowSource class, support SpringMvc to GitHub Security Lab - 1 upvote, $1800
  87. 3,880 Pull Requests Generated to fix JHipster RNG Vulnerability CVE-2019-16303 to GitHub Security Lab - 1 upvote, $1500
  88. CodeQL query to detect SSRF in Python to GitHub Security Lab - 1 upvote, $500
  89. Java: CWE-918 - Server Side Request Forgery (SSRF) to GitHub Security Lab - 1 upvote, $250
  90. Add check for disabled HTTPOnly setting in Tomcat to GitHub Security Lab - 1 upvote, $250
  91. [Java] CWE-295 - Incorrect Hostname Verification - MitM to GitHub Security Lab - 1 upvote, $0