TOPSTARBUCKS.md

Top reports from Starbucks program at HackerOne:

  1. SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database to Starbucks - 737 upvotes, $4000
  2. JumpCloud API Key leaked via Open Github Repository. to Starbucks - 709 upvotes, $4000
  3. Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 671 upvotes, $4000
  4. RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/ to Starbucks - 538 upvotes, $4000
  5. XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx to Starbucks - 308 upvotes, $4000
  6. Subdomain takeover of datacafe-cert.starbucks.com to Starbucks - 302 upvotes, $2000
  7. Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg to Starbucks - 225 upvotes, $5600
  8. Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data to Starbucks - 221 upvotes, $4000
  9. Singapore - Account Takeover via IDOR to Starbucks - 218 upvotes, $6000
  10. Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 217 upvotes, $4000
  11. Blind SQL Injection on starbucks.com.gt and WAF Bypass :* to Starbucks - 201 upvotes, $500
  12. sdrc.starbucks.com - Information Disclosure via unsecured attachment directory to Starbucks - 194 upvotes, $4000
  13. Reflected Cross site Scripting (XSS) on www.starbucks.com to Starbucks - 165 upvotes, $375
  14. Bug in GraphQL and API integration leads to limited user address disclosure to Starbucks - 136 upvotes, $1000
  15. Subdomain takeover of mydailydev.starbucks.com to Starbucks - 120 upvotes, $2000
  16. Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com to Starbucks - 119 upvotes, $2000
  17. China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint to Starbucks - 112 upvotes, $4000
  18. Subdomain takeover on svcgatewayus.starbucks.com to Starbucks - 105 upvotes, $2000
  19. Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record to Starbucks - 103 upvotes, $2000
  20. Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication. to Starbucks - 92 upvotes, $0
  21. Subdomain takeover on wfmnarptpc.starbucks.com to Starbucks - 86 upvotes, $2000
  22. Multiple Subdomain takeovers via unclaimed instances to Starbucks - 80 upvotes, $8000
  23. Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/ to Starbucks - 78 upvotes, $4000
  24. Reflected XSS in https://www.starbucks.co.jp/store/search/ to Starbucks - 72 upvotes, $250
  25. Reflected cross-site scripting on multiple Starbucks assets. to Starbucks - 72 upvotes, $150
  26. Leaking sensitive files on Github leads to internal files (python scripts,SQL files) to Starbucks - 71 upvotes, $4000
  27. Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome to Starbucks - 70 upvotes, $1050
  28. China - president-starbucks.com.cn DNS configuration reported as takeover to Starbucks - 70 upvotes, $1000
  29. Parameter Manipulation allowed for viewing of other user’s teavana.com orders to Starbucks - 66 upvotes, $6000
  30. Cross-Site Scripting (XSS) on www.starbucks.com | .co.uk login pages to Starbucks - 63 upvotes, $500
  31. [mena.starbucks.com] Laravel App Log & Configuration Disclosure. to Starbucks - 61 upvotes, $500
  32. Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604) to Starbucks - 57 upvotes, $4000
  33. Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload to Starbucks - 57 upvotes, $0
  34. WAF bypass via double-encoded non-standard ASCII chars permitted a reflected XSS on "page not found" response pages - (629745 bypass) to Starbucks - 56 upvotes, $150
  35. Information disclosure on sim.starbucks.com to Starbucks - 54 upvotes, $0
  36. Open Redirection in Login - Korean Starbucks to Starbucks - 52 upvotes, $0
  37. Subdomain takeover on developer.openapi.starbucks.com to Starbucks - 49 upvotes, $2000
  38. Java Deserialization RCE via JBoss on card.starbucks.in to Starbucks - 48 upvotes, $0
  39. Information Leak - Github - JMS Information to Starbucks - 46 upvotes, $1000
  40. Unauthorized access to jiratest.starbucks.com to Starbucks - 45 upvotes, $4000
  41. China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability to Starbucks - 45 upvotes, $0
  42. Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in to Starbucks - 41 upvotes, $0
  43. Reflected XSS in https://www.starbucks.com/account/create/redeem/MCP131XSR via xtl_amount, xtl_coupon_code, xtl_amount_type parameters to Starbucks - 40 upvotes, $250
  44. svcardproxydevus.starbucks.com Subdomain take over to Starbucks - 38 upvotes, $2000
  45. PHPinfo page to Starbucks - 38 upvotes, $0
  46. Stored XSS on www.starbucks.com.sg/careers/career-center/career-landing-* to Starbucks - 37 upvotes, $500
  47. Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com to Starbucks - 35 upvotes, $4000
  48. Persistent XSS in www.starbucks.com to Starbucks - 35 upvotes, $500
  49. www.starbucks.co.uk Reflected XSS via utm_source parameter to Starbucks - 35 upvotes, $375
  50. Able to purchase a gift card with any amount to Starbucks - 34 upvotes, $0
  51. China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn to Starbucks - 34 upvotes, $0
  52. Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions. to Starbucks - 33 upvotes, $4000
  53. Starbucks China Android app cloud storage service leaks a credential. to Starbucks - 33 upvotes, $500
  54. Time-based Blind SQLi on news.starbucks.com to Starbucks - 33 upvotes, $0
  55. CRLF injection on www.starbucks.com to Starbucks - 30 upvotes, $250
  56. athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection to Starbucks - 30 upvotes, $0
  57. SSRF at ideas.starbucks.com to Starbucks - 28 upvotes, $1000
  58. Singapore - XXE at https://www.starbucks.com.sg/RestApi/soap11 to Starbucks - 28 upvotes, $500
  59. Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victim's Starbucks card to Starbucks - 28 upvotes, $0
  60. Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml to Starbucks - 27 upvotes, $750
  61. SQL injection in partner id field on https://www.teavana.com (Sign-up form) to Starbucks - 26 upvotes, $250
  62. DOM XSS on app.starbucks.com via ReturnUrl to Starbucks - 26 upvotes, $250
  63. Norway - store.starbucks.no - CSRF on email change to Starbucks - 26 upvotes, $0
  64. Bulgaria - Subdomain takeover of mail.starbucks.bg to Starbucks - 25 upvotes, $1000
  65. XSS on https://www.starbucks.co.uk (can lead to credit card theft) (/shop/paymentmethod) to Starbucks - 25 upvotes, $500
  66. Full API Access and Run All Functions via Starbucks App to Starbucks - 25 upvotes, $0
  67. Possible subdomain takeover at openapi.starbucks.com to Starbucks - 24 upvotes, $2000
  68. SAP Server - default credentials enabled to Starbucks - 24 upvotes, $250
  69. [stagecafrstore.starbucks.com] CRLF Injection, XSS to Starbucks - 24 upvotes, $0
  70. Account take over of 'light' starbuckscardb2b users to Starbucks - 24 upvotes, $0
  71. Thailand - IDOR on www.starbuckscardth.in.th: A logged in user could view any Thailand Starbucks card balance if they knew that Starbucks card number to Starbucks - 24 upvotes, $0
  72. Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) to Starbucks - 22 upvotes, $375
  73. [newscdn.starbucks.com] CRLF Injection, XSS to Starbucks - 22 upvotes, $0
  74. Unused domain still in use on WeChat by Starbucks East China to Starbucks - 21 upvotes, $1000
  75. DVR default username and password to Starbucks - 21 upvotes, $375
  76. Unauthorized access to a system used for CI/CD processes to Starbucks - 20 upvotes, $500
  77. Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites to Starbucks - 19 upvotes, $750
  78. Stored XSS in comments on https://www.starbucks.co.uk/blog/* to Starbucks - 19 upvotes, $500
  79. Thailand – a small number of alarm system portals accessible with the default credentials to Starbucks - 19 upvotes, $500
  80. Improper handling of payment callback allows topping up a Swiss Starbucks Card bypassing actual payment via a crafted success message to Starbucks - 19 upvotes, $0
  81. Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud to Starbucks - 18 upvotes, $0
  82. Host header injection/redirection via newsletter signup to Starbucks - 17 upvotes, $150
  83. DOM-based XSS in store.starbucks.co.uk on IE 11 to Starbucks - 17 upvotes, $100
  84. Default credentials for the temporary POC site alipoc.stg.starbucks.com.cn permitted WAF bypass and RCE to Starbucks - 17 upvotes, $0
  85. Exposed Unencrypted Telnet Endpoint to Starbucks - 16 upvotes, $0
  86. Able to reset other user's password in https://card.starbucks.com.sg/ to Starbucks - 16 upvotes, $0
  87. India - OTP bypass on Phone number verification for account creation to Starbucks - 16 upvotes, $0
  88. Korea - LFI Server directory traversal at starbucks.co.kr to Starbucks - 15 upvotes, $500
  89. DOM XSS on teavana.com via "pr_zip_location" parameter to Starbucks - 15 upvotes, $250
  90. Reflected XSS on teavana.com (Locale-Change) to Starbucks - 15 upvotes, $250
  91. Backup Source Code Detected to Starbucks - 15 upvotes, $250
  92. DOM-based XSS via DIV.innerHTML parameters on store.starbucks.* to Starbucks - 15 upvotes, $150
  93. Sidekiq web UI (Ruby background processing) accessible unauthenticated via https://gift-test.starbucks.co.jp/sidekiq/busy to Starbucks - 15 upvotes, $0
  94. Singapore - IDOR in campaign.starbucks.com.sg to Starbucks - 15 upvotes, $0
  95. Minimal information disclosure of internal asset names and links which were not publicly accessible. to Starbucks - 14 upvotes, $0
  96. out of date disqus shortname usage in the web app source code to Starbucks - 13 upvotes, $750
  97. Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) to Starbucks - 13 upvotes, $375
  98. Reflected XSS on https://www.starbucks.co.uk/shop/paymentmethod/ (bypass for 227486) to Starbucks - 12 upvotes, $250
  99. Reflected DOM XSS on www.starbucks.co.uk to Starbucks - 12 upvotes, $250
  100. http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of starbucks. to Starbucks - 11 upvotes, $0
  101. CSRF: add item to victim's cart automatically (starbucks.com - updatecart) to Starbucks - 10 upvotes, $250
  102. India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance to Starbucks - 10 upvotes, $250
  103. CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) to Starbucks - 10 upvotes, $150
  104. Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= to Starbucks - 10 upvotes, $0
  105. CSRF in Report Lost or Stolen Page https://www.starbucks.com/account/card to Starbucks - 9 upvotes, $250
  106. Stored XSS in Address Book (starbucks.com/account/profile) to Starbucks - 9 upvotes, $100
  107. Missing CSRF Token On Remove Coupon From Cart to Starbucks - 9 upvotes, $0
  108. Open Redirect on Greater Asia domains to Starbucks - 9 upvotes, $0
  109. Starbucks.com is reachable via IP address, thus it is possible to link any domain to Starbucks. to Starbucks - 8 upvotes, $0
  110. Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud to Starbucks - 8 upvotes, $0
  111. [connect.teavana.com] Open Redirect and abuse of connect.teavana.com to Starbucks - 8 upvotes, $0
  112. Missing CSRF Token On Add Coupon To Basket to Starbucks - 8 upvotes, $0
  113. CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) to Starbucks - 7 upvotes, $375
  114. Password Change not notified when changed from settings to Starbucks - 7 upvotes, $0
  115. Hong Kong - Open Redirect on card.starbucks.com.hk to Starbucks - 7 upvotes, $0
  116. Thailand - SNMP Publicly Accessible to Starbucks - 7 upvotes, $0
  117. Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter to Starbucks - 6 upvotes, $250
  118. Korea - Reflected XSS on https://www.istarbucks.co.kr/app/getGiftStock.do via "skuNo" and "skuImgUrl" parameters to Starbucks - 6 upvotes, $250
  119. Information Exposure Through an Error Message at news.starbucks.com to Starbucks - 5 upvotes, $0
  120. Create New User Whilst Logged On to Starbucks - 4 upvotes, $0
  121. csrf blogs.starbucks.com to Starbucks - 4 upvotes, $0
  122. Able to bypass information requirements before launching a Chat. to Starbucks - 4 upvotes, $0
  123. Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter to Starbucks - 3 upvotes, $250
  124. China - Leaked credentials permitted a limited ability to create Starbucks coupons and cards to Starbucks - 3 upvotes, $0
  125. Unable to register in starbucks IN app to Starbucks - 2 upvotes, $0
  126. China - Open redirect at trackinghub.starbucks.com.cn to Starbucks - 2 upvotes, $0
  127. Unable to register in starbucks app to Starbucks - 1 upvotes, $0
  128. SQL Injection Proof of Concept for Starbucks URL to Starbucks - 1 upvotes, $0