Security vulnerabilities

This is the security vulnerability reporting site for alwaysdata. Please make sure you read our bug bounty program before registering and creating a new task to submit a vulnerability you've discovered.

ID Summary  desc Status Date closed
 2  XSS Vulnerability in [] Support Tic ...Closed12.01.2024 Task Description

XSS Vulnerability in [] Support Ticket System

Vulnerability Report
Greeting: Dear Team

I'm writing to report a critical Reflected Cross-Site Scripting (XSS) vulnerability discovered in your [] application. This vulnerability allows attackers to inject malicious JavaScript into the application, potentially compromising user accounts and sensitive data.

PoC: By sending a specially crafted request containing the payload redhet"'><script>prompt(document.domain)</script> through the add_participants parameter in the support ticket creation form, we can trigger the XSS vulnerability and execute arbitrary JavaScript in the victim's browser.


A reflected XSS vulnerability has been identified in the "add_participants" parameter of the support ticket creation form on This vulnerability allows attackers to inject malicious JavaScript code that will be executed in the victim's browser when they view a vulnerable page.

Vulnerability Details:

Type: Reflected XSS (OWASP A4)

Exploit: Injecting malicious JavaScript through a vulnerable request parameter

Vulnerable URL:

Vulnerable Request: POST /support/add/

Vulnerable Endpoints: The add_participants parameter in the support ticket creation form

Payload: redhet"'><script>prompt(document.domain)</script>

This parameter is used to add participants to a support ticket, but it is not properly sanitized, allowing attackers to inject arbitrary code that will be executed in the browser of any user who views the vulnerable ticket.

## Impact Assessment

1. Impact one: Information Disclosure: The attacker can steal sensitive user information, such as cookies or session IDs, by executing malicious JavaScript within the victim's browser.

2. Impact two: Account Takeover: The attacker could potentially hijack user accounts by tricking them into executing malicious code that grants unauthorized access.

3. Impact three: Defacement: The attacker could manipulate the content displayed on the application by injecting malicious JavaScript that alters the user interface.

## Recommendations

1. Step one: Immediately sanitize all user input: Implement strict input validation and sanitization procedures to prevent the injection of malicious code. This includes escaping special characters and enforcing a Content Security Policy (CSP).

2. Step Two: Patch vulnerable software: Update all relevant software to the latest versions to address known vulnerabilities.

3. Step three: Consider additional security measures: Implement a web application firewall (WAF) to further protect against XSS attacks.

4. Step four:Regularly scan for vulnerabilities: Conduct regular penetration testing and vulnerability scans to identify and address potential security issues.


Execution of arbitrary JavaScript code in the victim's browser
Potential for session hijacking, credential theft, or other attacks

## Steps to Reproduce

1. Step one: Access the support ticket creation form at

2. Step two: Enter the following payload in the "add_participants" field: redhet"'><script>prompt(document.domain)</script>

3. Step three: Submit the form.

4. Final step: Observe that the JavaScript code is executed, displaying a prompt with the domain name. (cookies)

PoC Video: [Link to video demonstrating the vulnerability]**

## References

[OWASP XSS Prevention Cheat Sheet]: (

[OWASP XSS Testing Guide]: (

I hope you will give me a good answer!!

If you have any questions, feel free to ask them ;)

Thank You,


 22  Vulnerability Report: Unverified Email Registration on  ...Closed31.01.2024 Task Description

I am writing to report a security vulnerability that I discovered on the platform regarding unverified email registration. This vulnerability allows users to create new accounts without verifying their email addresses, posing a significant risk to the security and integrity of the platform and its users.

Below are the details of the vulnerability along with steps to reproduce, its impact, severity, and proposed solution:

Vulnerability Details:

Vulnerability Type: Unverified Email Registration
Website: Steps to Reproduce:

Visit the website.
Navigate to the account registration page.
Enter any email address (valid or invalid) without going through email verification.
Complete the registration process without receiving or verifying any email confirmation.

Account Takeover: Malicious actors can create accounts using others' email addresses and gain unauthorized access to their accounts or personal information.
Spam and Abuse: Unverified accounts can be used to send spam, phishing emails, or engage in other abusive activities on the platform.
Impersonation: Attackers can impersonate legitimate users or organizations by creating accounts with their email addresses.

Proposed Solution:
To mitigate this vulnerability, I recommend implementing email verification as a mandatory step during the registration process. This would involve sending a verification email with a unique code or link that users must confirm before their accounts are activated.

Additionally, consider implementing rate limiting or other measures to prevent abuse of the registration process and ensure that users' accounts and data are protected from unauthorized access and misuse.

I believe that addressing this vulnerability promptly will help enhance the security and trustworthiness of the platform and protect its users from potential harm.

Please let me know if you require any further information or assistance in resolving this issue. I am committed to assisting you in any way possible to ensure the security of the platform and its users.

Thank you for your attention to this matter, and I look forward to your prompt response.

 49  Vulnerability Report: Lack of Rate Limiting on Password ...Closed24.04.2024 Task Description

The website does not implement rate limiting on password reset links, allowing an attacker to repeatedly request password reset links for any account. This could lead to account takeover through brute-force attacks.

Description When an attacker gains access to a target account's email address, they can repeatedly request password reset links without any rate limiting in place. This allows them to flood the target's email inbox with reset links, making it difficult for the legitimate user to identify and use the valid reset link. Additionally, the attacker can automate this process, increasing the efficiency of the attack.

Impact Account Takeover: Attackers can potentially take over user accounts by flooding their email inbox with reset links, making it easier to intercept a valid reset link and gain unauthorized access.
User Disruption: The flood of reset links can disrupt the user's ability to use their email normally, causing inconvenience and potential confusion.

Recommendations Implement rate limiting on password reset requests to prevent brute-force attacks.
Limit the number of password reset links that can be requested per minute per IP address or account.
Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.

Steps to Reproduce 1- Go To This Link Enter your Email Click On Forget Password
2- intercept burp and send request to intruder
3- make payload and start attack

Supporting Material/References

OWASP Password Reset Best Practices

Impact Account Takeover
User Disruption

Proof of Concept N/A (Describe how you were able to successfully exploit the vulnerability.)

Implement rate limiting on password reset requests to prevent brute-force attacks. Limit the number of password reset links that can be requested per minute per IP address or account. Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.

Supporting Material/References
OWASP Password Reset Best Practices

Impact Account Takeover
User Disruption


POST /password/lost/ HTTP/2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Origin: Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers



 19  User Enumeration Through Forgot Password Vulnerability Closed29.01.2024 Task Description

The application's "Forgot Password" feature allows user enumeration. This is because the application responds with a different message depending on whether the submitted email address is registered or not.

steps to Reproduce:

Access the "Forgot Password" page.
Enter a random, non-registered email address.
Submit the request.
Observe the response message:

  the message states "There is no account with this email address," which means that user enumeration is possible.
 An attacker could exploit this vulnerability to:

Gather a list of valid user email addresses.
Launch targeted phishing attacks.
Use the information to attempt password guessing or brute force attacks

Implement Generic Response: The application should provide the same response message regardless of whether the email address is registered or not. This prevents attackers from differentiating between valid and invalid accounts.

Additional Notes:

i am aware that this bug is not eligible for a bounty but wanted to bring it to the team's attention.

Best Wishes -Basil

 29  URL Override in Closed16.02.2024 Task Description


I discovered a potential vulnerability in that could allow an attacker to override URLs by manipulating the X-Forwarded-Host header. This issue could potentially lead to unintended redirections or access to restricted resources.


To demonstrate this vulnerability, we can use a simple HTTP request with a modified X-Forwarded-Host header. Replay the following request;

GET /v1/ssh/doc/ HTTP/1.1
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
Cookie: flyspray=ef2b9025azb8fd028bf6


Blocking or filtering out the X-Forwarded-Host header entirely and relying on other methods to determine the original domain (e.g., using the Host header or server logs).

 37  unverified password change in [] Closed27.03.2024 Task Description

unverified password change in []

Hello team!

I have found an interesting flaw where an attacker can change the account password without knowing the old password

When the user requests a password reset link, it accesses the activity log inside the account and this bug can be exploited by an attacker

Steps to reproduce the bug :

1-Create a new account on []
2-log in to your account
3-request the password reset link from another browser
4-you will notice that the password reset link you requested has arrived in the activity log

Impact :
If the attacker hijacks the session or gains access to the user account, he can request a password reset link and the link will reach him in the Account Activity Log, from which he can reset the account password without knowing the old password

34Unvalidated Input vulnerability in Class_Join feature a...Assigned Task Description


An unvalidated input vulnerability has been identified in the class joining process of the platform. By fuzzing the teacher ID parameter in the class_join URL, an attacker can potentially join any class without proper authorization. This issue poses a significant security risk and may lead to unauthorized access to sensitive information and class benefits.


The potential impact includes:

a) Unauthorized access to sensitive class information
b) Compromised data privacy for both students and instructors.


To reproduce the vulnerability, follow these steps:

1) First, we log in a test account. Next, we replay this invite URL I got from an actual tutor invite, but now we manipulate the teacher ID value to grant us unvalidated access to certain classes.
This is the invite URL:<TEACHER_ID>

2) Fuzz different values for the ID parameter to find classes that can be accessed without proper authorization. A bit flipper attack would provide the best results.

3) Upon finding a class with a vulnerable ID, join the class by providing the manipulated URL to the unauthorized user.


1) Implement proper input validation and sanitization for the class ID parameter to ensure that only authorized users can join classes. This can be done by assigning a temporary validation token per class_join request.

2) In the absence of token validation, the teacher_id could be encrypted to a longer, more obfuscated value to reduce predictability.

POC || Bit Flipper Video:

 20  Unauthorized Access to Over 6000+ Valid User Credential ...Closed30.01.2024 Task Description

I have identified a Credential Dump that allows unauthorized access to over 6000+ valid user credentials of This discovery was made in accordance with the Alwaysdata Bug Bounty Program guidelines. I am reporting this issue to ensure the security and privacy of Alwaysdata's users and to assist in prompt remediation.

Sensitive Data at Risk:

The data exposure includes, but is not limited to, vendor and client details, Personally Identifiable Information (PII), Social Security Numbers, medical and financial records, and crucial authentication credentials.


If exploited by a malicious actor, this vulnerability could lead to:

-Unauthorized access to user accounts.
-Potential compromise of sensitive personal and financial data.
-Secondary attacks using the obtained credentials (credential stuffing, phishing, etc.).
-Damage to the reputation and trustworthiness of the Alwaysdata platform.

Given the scale of the data exposure (6000+ user credentials), the impact is considered highly critical.

Steps to Reproduce :

To access and reproduce the findings related to the data leak, please follow this link: It is important to note that an Academia account is required to view the full extent of the data dump. This platform was where I initially discovered the leak of valid credentials.

For your convenience,I've completed the data compilation myself and attached screenshots that capture key aspects of the data leak. Please find below,The attached document containing direct links to the accounts, along with their corresponding emails and passwords. This information was extracted through a manual process, and I've managed to identify at least 30 potential accounts, reviewing their Personally Identifiable Information (PII) among other data.These images should provide a clearer understanding of the issue and assist in verifying the vulnerability.

Proof of Concept
I have attached POC for your reference.I was only able to attach 5 files. If possible,kindly guide me so I can attach more POC's

Remediation Suggestions

To address this vulnerability, I suggest the following immediate and long-term remediation steps:
Revoking current exposed credentials and enforcing a password reset for affected users.
Implementing stricter access controls and regular security audits to prevent similar vulnerabilities.

Confidentiality Agreement

I understand the sensitive nature of this report and agree to keep the details confidential until Alwaysdata has resolved the issue and agreed to disclosure, as per the bug bounty program's guidelines.

I look forward to your prompt response and am willing to provide any further information required for the resolution of this issue.Though the leaked credentials might originate from another application or service,they are your Users and I believe,it is your call to protect the privacy and data of your users.I would greatly appreciate your team's consideration of rewarding this finding, even if it falls outside the typical scope of your program. Thank you for your commitment to security and the opportunity to contribute to the safety of the Alwaysdata platform.

Would really appreciate if you could revert on my Email (
Thanks and Regards.

 16  Unauthenticated-Video conferencing on " ...Closed18.01.2024 Task Description

Description: while Enumerating subdomains of,
I Found a subdomain open hosting video conferencing for all.

Steps to reproduce: 1.visit the site :""
2.create a video conferencing :"malicious.conferencing"
3.Now anyone can join the video call with the link provided by the attacker.

This could lead to potential damage to the Alwaysdata if the attacker intends to exploit this in a malicious way.
as this is open for any users on the web.

Impact: 1.Unauthorized Access:

Vulnerability: If the video conferencing system is not properly secured, it may be susceptible to unauthorized access.
Impact: Unauthorized individuals could join sensitive meetings, leading to the potential exposure of confidential information.

2.Phishing Attacks:
Vulnerability: Attackers may exploit the subdomain for phishing attacks, tricking users into providing sensitive information.
Impact: This could lead to the compromise of user credentials or the installation of malware on participants' devices.
3.Data Storage Security:

Vulnerability: Inadequate security measures for storing recorded video conference sessions.
Impact: Stored data may be at risk of unauthorized access, leading to the exposure of sensitive information.


Mitigation: To mitigate these risks, Alwaysdata should implement strong authentication, encrypt communication channels.

 25  Title: Security Report: Public Exposure of Sensitive In ...Closed04.02.2024 Task Description

Title: Security Report: Public Exposure of Sensitive Information

The purpose of this report is to highlight a critical security issue involving the public exposure of sensitive information on the website The exposed data includes details about supervisors, the number of reports they have sorted, and some reports that remain unprocessed and may contain sensitive information and unpatched vulnerabilities.

Exposure of Supervisor Information:
The website hosts a page that displays information about all users, including supervisors. The URL format for accessing supervisor information is By manipulating the numeric value in the URL, it is evident that any user can access information about all users and supervisors on the site. This unrestricted access poses a significant security risk as it allows unauthorized individuals to view sensitive user data, potentially compromising the privacy and security of the users and the platform as a whole.

Unsecured Reports:
Furthermore, the website contains reports that are in an unprocessed state and have not been closed. These reports are accessible to the public through the URL format The presence of such reports in an open state poses a severe security threat as they may contain sensitive information that should not be shared with regular users. Additionally, these reports may reveal unpatched vulnerabilities in the platform, further increasing the risk of exploitation by malicious actors.

1. Immediate Restriction of Access: It is imperative to implement access controls to restrict public access to supervisor information and unprocessed reports. Access should be limited to authorized personnel with appropriate privileges.

2. Review and Remediation: All unprocessed reports should be reviewed to identify and address any sensitive information or vulnerabilities they may contain. Once remediated, these reports should be appropriately secured and closed.

3. Security Awareness Training: Conduct security awareness training for all personnel involved in managing and maintaining the website. Emphasize the importance of safeguarding sensitive data and the potential consequences of data exposure.

4. Regular Security Audits: Implement regular security audits to identify and address any potential security loopholes, including unauthorized access to sensitive information and unsecured reports.

The public exposure of supervisor information and unsecured reports on poses a significant security risk, potentially compromising user privacy and platform integrity. Immediate action is necessary to address these vulnerabilities and ensure the confidentiality and security of user data. Failure to mitigate these risks could lead to severe repercussions for the organization and its users.

 28  Summary: A username disclosure vulnerability has been i ...Closed13.02.2024 Task Description

Details: Upon accessing the URL endpoint, the website returns a JSON response containing information about registered users, including usernames. This exposes user account details to anyone who accesses the endpoint, without requiring authentication.

Impact: The username disclosure vulnerability poses a significant risk to the security and privacy of users on the website. Attackers can use the exposed usernames to attempt unauthorized access to user accounts, conduct targeted phishing attacks, or perform further reconnaissance to exploit additional vulnerabilities.


  Immediate Mitigation: Disable public access to the /wp-json/wp/v2/users/ endpoint to prevent unauthorized users from obtaining a list of user accounts.
  Patch Deployment: Implement a security patch or update provided by the website’s developers to address the username disclosure vulnerability.
  User Notification: Inform registered users of the vulnerability and advise them to change their passwords as a precautionary measure.
  Security Audit: Conduct a comprehensive security audit of the website to identify and remediate any additional vulnerabilities that may exist.

Additional Information: This report aims to assist in promptly addressing the username disclosure vulnerability on the website to safeguard user data and mitigate potential security risks. Urgent action is recommended to prevent exploitation and protect the website’s users from unauthorized access to their accounts.

Please feel free to reach out if further assistance or clarification is needed.

Sincerely, Nilesh

 23  Subject: Vulnerability Report: Transmission of Credenti ...Closed02.02.2024 Task Description

Subject: Vulnerability Report: Transmission of Credentials in Plain Text on

Dear Security Team,

I hope this email finds you well. I am writing to report a security vulnerability that I discovered on the platform regarding the transmission of credentials in plain text during the login process. This vulnerability poses a significant risk to the security and privacy of users' accounts and sensitive information.

Vulnerability Details:

Vulnerability Type: Transmission of Credentials in Plain Text
Website: Description:
During testing of the login process on the platform, I observed that user credentials (email and password) are transmitted in plain text or with minimal obfuscation. While the CSRF token appears to be encrypted, the email and password fields are transmitted without proper encryption, making them susceptible to interception and potential exploitation by malicious actors.

Steps to Reproduce:

Navigate to the login page.
Enter valid login credentials (email and password).
Intercept the login request using a tool such as Burp Suite.
Analyze the intercepted request to observe that the email and password are transmitted in plain text or with minimal obfuscation, while the CSRF token is encrypted.


Unauthorized Access: Attackers can intercept and extract user credentials, potentially leading to unauthorized access to user accounts and sensitive information.
Account Takeover: Malicious actors can exploit the vulnerability to gain unauthorized control over user accounts, posing a risk to the security and privacy of affected users.
Data Breach: The transmission of credentials in plain text exposes users' sensitive information to interception, increasing the risk of data breaches and privacy violations.


The severity of this vulnerability is considered critical due to the potential for unauthorized access, account takeover, and data breaches. It undermines the security and trustworthiness of the platform and poses significant risks to its users.
Recommendation for Mitigation:
To mitigate this vulnerability, I recommend the following actions:

Implement HTTPS encryption for all pages, especially those involving sensitive operations like login.
Ensure that all user credentials, including email and password, are transmitted securely using encryption techniques such as TLS.
Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to enhance the security of user accounts.
Conduct regular security assessments and audits to identify and address vulnerabilities in the platform's security controls.
I believe that addressing this vulnerability promptly is crucial to ensuring the security and privacy of users' accounts and sensitive information on the platform. I am available to provide further assistance or clarification on this matter if needed.

Thank you for your attention to this report, and I look forward to your prompt response and actions to address this vulnerability.

Neel Shukla

 32  Server Path Traversal + Information Disclosure on admin ...Closed15.02.2024 Task Description


I identified a vulnerability in the SSH function of, where the home directory setting is vulnerable to server path traversal.


1. Login to your account and visit

2. Edit the home directory from '/' to '/../../../../../../'

3. Next, save the settings and login to your SSH shell. Type ls. You'll discover your path has been traversed.

4. Access the /alwaysdata/etc/passwd folder to view the admin superusers. More information of other users are also available throughout the server.

For example;

/var/lib/extrausers/passwd shows all the other registered users on the server.

/usr/lib/python3/dist-packages/fail2ban/tests/files/logs/postfix display failban logs.

Other interesting files;




Restrict access to any parent directory, other than the container being run.

 24  Security Report:Broken Access Control (BAC) in [admin.a ...Closed01.02.2024 Task Description

Security Report:Broken Access Control (BAC) refers to a security vulnerability where users are able to access or manipulate resources that they are not authorized to

Broken Access Control (BAC) refers to a security vulnerability where users are able to access or manipulate resources that they are not authorized to. In this report, we will discuss an instance of BAC where a user is able to delete a technical support ticket to which they have been invited, even though they do not have the necessary permissions to do so.

The user who is added to the ticket does not have the permission to delete the ticket, he is not the one who created it.

Command used to delete:"Ticket_Number"/delete/

Steps to reproduce the bug:

1- Open a technical support ticket
2- Add a user with you in the ticket
3- Try the delete order I sent you
4- You will notice that the invited user can delete the ticket completely and this is not his prerogative

The impact of this vulnerability is significant as it compromises the integrity and confidentiality of the technical support system. Unauthorized deletion of tickets can lead to loss of important information, disruption of support services, and potential security breaches if sensitive information is contained within the tickets.

 33  Privilege Escalation in - Academic ...Closed16.02.2024 Task Description


A vulnerability has been discovered in the student management system, which allows a normal user account to bypass access controls. ANY registered low-level user, with no knowledge or involvement in a class, can globally detach any student involved just by manipulating the UID. Even without tutorship/academic privileges and regardless of tutor access control.


A malicious attacker could fuzz predictable UID values and remove multiple students, abusing the privesc as a nuisance.


1) First, we logged in to an actual tutor account where I've added a few students. Next, I take note of the IDs of each student involved.

2) Then, I logged out and just to validate this exploit, I would create a NEW account.

3) This is the vulnerable endpoint:<USER_ID>

I replaced the <USER_ID> param with the various IDs I recorded from the tutor account.

4) Visit these URLs on the new account and observe the results.

5) Then, log out and re-login to the tutor account. Visit and confirm poc validity.


Implement proper access controls and role-based permissions to restrict normal users from utilizing global admin/tutor privileges. Conduct a thorough review of the authentication and authorization processes to ensure that no other similar vulnerabilities exist.

POC video:

 14  Potential SSRF Vulnerability via Self-XSS Closed18.01.2024 Task Description


During a penetration testing process, I discovered a Self-XSS vulnerability on the page https:// This vulnerability has the potential to escalate into a Server-Side Request Forgery (SSRF) attack, allowing attackers to make unauthorized requests from the server. This poses risks such as data breaches and potential compromise of internal systems.

While the initial exploitation may require self-XSS, the underlying issue of unvalidated user input leading to SSRF is a critical vulnerability that must be addressed.

Steps To Reproduce:

Step 1 : Open BurpSuite.

Step 2 : Navigate to the following link in a web browser Capture the traffic.Paste the payloads into the intercepted Request Body.

Payload 1:


  (This payload triggers an alert displaying the value of document.domain.)

Payload 2:

{"addresses":["<img src=>"]}

  (This payload makes unauthorized requests from the server.)

The second payload initiates unauthorized requests from the server. In the above payloads, I utilized OAST to examine the responses.


Attackers could steal sensitive information stored on the server.
By crafting malicious URLs, attackers could gain access to internal network resources that are not publicly accessible.

 46  Open Redirection Vulnerability Closed13.04.2024 Task Description

Hi Team,

I hope this email finds you well.
I am Ali Haider, a security researcher and a penetration tester. I have been a bug bounty hunter for almost 2 years now. I always enjoyed the challenge of finding vulnerabilities, as it always felt like a great achievement to find them. I wanted to bring to your attention a Open Redirection Vulnerability I encountered while using your website.

 12  No rate limit on Submit tickets Closed15.01.2024 Task Description

Hi team,
iam an ethical hacker, web application penetration tester and bug bounty hunter.
I found a new Vulnerability So iam reporting it to you now.

Vulnerability: No rate limit on Submit tickets

I have identified a vulnerability in the organization's Submit tickets system, where the request to Submit tickets has no rate limit.

To reproduce this issue, follow the steps below:
Step 1: Go to the organization's website: Step 2: fill the form by typing "1" in the "subject" section and type "2" in the Message" section and intercept the request using Burp Suite.
Step 3: Send this request to Intruder and make the payload on "1" that belongs to "subject" section then go to payloads and add numbers from 2 to 20.
Step 4: then start the attack.
Step 5: Observe that the 20 tickets send to support.
Please see my attached screenshots too.

This demonstrates that the vulnerability allows for mass tickets or tickets bombing to the organization, which is detrimental to business operations.

1- Increased Load on Servers: Without a rate limit, there could be a significant increase in the number of requests to the server, which could lead to excessive load.
2- Vulnerability to Attacks: It could make the organization more vulnerable to attacks such as Denial of Service (DoS).
In a DoS attack, an attacker could flood the system with requests, consuming too much network capacity, storage, and memory.
3- Compromised User Experience: If the server is overwhelmed with requests, it could slow down the system for legitimate users.

I used an email address "".com",
You can check the tickets that have sent from it.
I made the above scenario with this email address.

To mitigate this vulnerability, it is recommended to implement additional security measures such as adding a CAPTCHA or implementing rate limiting on the invitation endpoint.
By adding these measures, the organization can prevent malicious users from exploiting the system and protect the business and its users from the negative consequences of mass mailing attacks.

I hope my report will keep you in safe

 40   No Rate Limit On Reset Password in ...Closed27.03.2024 Task Description

No Rate Limit On Reset Password in

welcome all :
i found that no rate limit in reset password in ::: Summary:
No rate limit check on forgot password which can lead to mass mailing and spamming of users and possible employees
A little bit about Rate Limit:
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
Steps To Reproduce The Issue
1- create account and go to reset password
2- intercept burp and send request to intruder
3- make payload and start attack

1- Attacker could use this vulnerability to bomb out the email inbox of the victim.
2- Attacker could send Spear-Phishing to the selected mail address.
3-Causing financial losses to the company

 51  Multiple Free Public Cloud accounts obtained by a singl ...Closed25.04.2024 Task Description


Alwaysdata allows users to create a Free Public Cloud (100MB) account. Each user is limited to having only one Free Public Cloud (100MB account. However, I discovered that a user can bypass this restriction and obtain multiple Free Public Cloud (100MB) accounts by asking other users to create a new free account and then transfer ownership of that account to them.

Reproduction Steps

1. User A creates a new Free Public Cloud (100MB) storage account
2. User B creates a new Free Public Cloud (100MB)storage account
3. User B transfers ownership of their account to User A through:
4. User A now has two Free Public Cloud (100MB)storage accounts (their original account and the one transferred from User B)
5. This process can be repeated with same user B for unlimited times to accumulate unlimited no of free accounts.


By exploiting account ownership transfers, a user can essentially obtain unlimited free storage, potentially leading to loss for alwaysdata


Implement additional checks and restrictions to prevent users from obtaining multiple free accounts through ownership transfers. Possible mitigations could include:

1. Limiting the number of free accounts a user can own, regardless of the acquisition method (creation or transfer).
2. Disallowing ownership transfers for free accounts or requiring explicit approval from the service provider.
3. Automatically consolidating multiple free accounts under the same user into a single account, preserving the total storage limit.

Proof of Concept:

I was able to accumulate 3 free accounts for user: poc image :

 13  Lack of Verification Email  Closed16.01.2024 Task Description


The website lacks proper email verification.During the user registration process,it only sending a greeting email upon registration. The absence of email verification could lead to create unverified accounts and host content with any email address, potentially poses a serious security risk.

Impact :

The absence of email verification poses a significant security risk, allowing the potential use of any email address for registration on a hosting site without proper authentication. This could lead to the creation of accounts under false identities, enabling malicious actors to host illegal content anonymously.
The free hosting service, which doesn't require valid details, may be exploited for unauthorized activities, emphasizing the need for robust email verification procedures to ensure account legitimacy and prevent abuse like.

Spam distribution

Phishing campaigns

Distribution of illegal or harmful content

Reputational damage to the platform

So, I am Reporting this issue to the platform's security team for addressing the vulnerability and enhancing overall security.

 54  Lack of Verification Email Closed06.06.2024 Task Description

### Summary
The website does not verify email addresses during the account creation process, which can lead to various security issues such as spam, abuse, and account recovery problems.

### Steps to Reproduce
1. Go to the account creation page. 2. Enter any email address and complete the registration process.
3. Notice that no email verification step is required.

### Impact
- Spam and Abuse: Unverified accounts can be used to flood the system with spam or perform malicious activities.
- User Impersonation: An attacker can use someone else's email address, leading to possible impersonation issues.
- Account Recovery Problems: Users might face difficulties in recovering their accounts if email addresses are not verified.

### Recommendation
Implement email verification as a mandatory step in the account creation process to ensure that the email addresses are valid and belong to the users registering them.

 17  Lack of password confirmation on account deletion Closed19.01.2024 Task Description

Hello support teams,
I hope this email finds you well. I am Devansh . I am a security researcher and I found a vulnerability in your website.

bug name : Lack of password confirmation on account deletion

Description: the user account can be deleted without confirming user password or re authentication.
The removal of an account is one of the sensitive parts of any application that needs to be protected, therefore removing an account should validate the authenticity of the legitimate user.

steps to reproduce:

1. Go to account settings and click on delete account.

2. There will be a next page where I click on delete my account now option.

3. You will see the message of account has been deleted and get logged out

System must confirm authentic user before performing such task. A link can be sent to the user email id that can be used for delete operation. Otherwise user password should be provided to the application to confirm the entity identity.

It seems to be of very low impact,but consider a situation when a user forgets to logout from his account or someone gets access to his phone and deletes the account. This situation is more severe than account takeover as there is no way to get an account again. All the save information and data including previous record, card information etc can be deleted.

video poc is attached

Thanks and regards


 53  Lack of Email Confirmation During Account Creation Closed05.06.2024 Task Description

Severity: High

Vulnerability Description:
The website allows users to create accounts without verifying their email addresses. This practice poses significant security and usability risks.


Spam and Fake Accounts:

Malicious users can create multiple fake accounts, leading to spam and abuse of the platform.
Automated scripts (bots) can exploit this vulnerability to flood the system with fake accounts, overwhelming resources and degrading performance.
Account Security:

Unauthorized users can create accounts using someone else's email address, potentially leading to privacy breaches and unauthorized access to personal information.
Genuine users might be unable to access their accounts if their email addresses are misused by others.

Communication Failures:

Users may not receive important notifications, updates, or password reset instructions, leading to poor user experience and support issues.

Reputation and Trust:

The lack of basic security measures can lead to loss of trust among users and damage the website's reputation.
Users might perceive the platform as insecure and unreliable, leading to reduced user retention and engagement.
Steps to Reproduce:
Navigate to the account creation page.
Enter any email address (including ones that do not belong to the user) and complete the registration process.
Observe that the account is created and accessible without any email verification step.

Recommended Mitigation:

Implement Email Verification:

During registration, send a confirmation email to the provided email address containing a unique verification link.
Require users to click on the verification link to activate their accounts.

Incorporate CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) during the registration process to prevent automated bots from creating accounts.

Rate Limiting:

Implement rate limiting on the account creation endpoint to prevent mass account creation from the same IP address within a short period.

Audit Existing Accounts:

Review existing accounts for potential fake or unauthorized accounts and take appropriate actions, such as sending verification requests or disabling suspect accounts.

OWASP Authentication Cheat Sheet: OWASP Authentication Cheat Sheet
NIST Digital Identity Guidelines: NIST SP 800-63B

 43  Information Disclosure PHPpgAdmin Closed03.04.2024 Task Description

Vulnerability Detail

PHPpgAdmin setup page is accessible over the internet in which it's possible for the user setup the servers with required details.

Vulnerable Endpoints You can add a server via this endpoint

Impact Its possible for an attacker to configure the servers without information of the application adminstrator.

 30  Information Disclosure on cAdvisor software via Origin  ...Closed16.02.2024
 47  information disclosure Closed13.04.2024
 35  Git Folder Forbidden Bypass Closed22.02.2024
 18  .git file exposed Closed18.01.2024
 42  Git Configuration Exposure Closed27.03.2024
 41  Directory Listing of Unauthorized Xapian Files Closed27.03.2024
 52  Direct IP Access of the Domain on HTTP Closed05.06.2024
 38  Bug Title: Prototype Pollution Vulnerability Report Closed19.03.2024
 45  Bug Title: Missing access control at password change. Closed09.04.2024
 21  Bug Bounty Report Closed04.02.2024
 31  Broken Access Vulnerability via 'Impossible deletion' E ...Closed16.02.2024
 26  #1 Crititical Vulnerability Name: No Rate Limit in addi ...Closed06.02.2024
Showing tasks 1 - 37 of 37 Page 1 of 1

Available keyboard shortcuts


Task Details

Task Editing