| Account Takeover through registration to the same email address |
Improper Authentication - Generic |
avolume |
High |
2021-12-08 |
| account takeover through password reset in url https://reklama.tochka.com/ |
Improper Authentication - Generic |
anonymouus |
High |
2021-12-02 |
| HTTP Request Smuggling on api.flocktory.com Leads to XSS on Customer Sites |
HTTP Request Smuggling |
wdahlenb |
Critical |
2021-09-29 |
| CVE-2020-3187 - unauthenticated arbitrary file deletion in Cisco |
Path Traversal |
lalit2020 |
Medium |
2021-09-24 |
| [QIWI Wallet] Access to protected app components |
Privilege Escalation |
shell_c0de |
High |
2021-07-06 |
| Unauthenticated SSRF in jira.tochka.com leading to RCE in confluence.bank24.int |
Code Injection |
alexeypetrenko |
Critical |
2021-06-29 |
| account impersonate through broken link |
Phishing |
nowsafe |
Medium |
2021-06-04 |
| SSRF на https://qiwi.com с помощью "Prerender HAR Capturer" |
Server-Side Request Forgery (SSRF) |
myway |
Critical |
2021-05-22 |
| Account takeover just through csrf in https://booking.qiwi.kz/profile |
Improper Access Control - Generic |
sniper302 |
Medium |
2021-05-20 |
| MobileIron Unauthenticated RCE on mdm.qiwi.com with WAF bypass |
Deserialization of Untrusted Data |
kalimer0x00 |
Critical |
2021-04-27 |
| Remote Code Execution on contactws.contact-sys.com via SQL injection in TPrabhuObject.BeginOrder in parameter DOC_ID |
Code Injection |
honoki |
Critical |
2021-04-14 |
| Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID |
Code Injection |
honoki |
Critical |
2021-04-14 |
| Слив какого-то access токена |
None supplied |
circuit |
Medium |
2020-11-12 |
| IDOR редактирование любого вишлиста |
Insecure Direct Object Reference (IDOR) |
circuit |
No rating |
2020-11-12 |
| [qiwi.me] Stored XSS |
None supplied |
circuit |
High |
2020-11-12 |
| [qiwi.me] Stored XSS |
None supplied |
circuit |
High |
2020-11-12 |
| Keychain data persistence may lead to account takeover |
Insufficient Session Expiration |
0x3c3e |
Low |
2020-09-07 |
| DOM XSS triggered in secure support desk |
Cross-site Scripting (XSS) - DOM |
honoki |
Critical |
2020-08-31 |
| DOM XSS triggered in secure support desk |
Cross-site Scripting (XSS) - DOM |
honoki |
Critical |
2020-08-31 |
| Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" |
Code Injection |
honoki |
Critical |
2020-06-19 |
| SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution |
Code Injection |
honoki |
Critical |
2020-06-19 |
| SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution |
Code Injection |
honoki |
Critical |
2020-06-19 |
| XSS https://agent.postamat.tech/ в профиле + дисклоз секретной информации |
None supplied |
circuit |
Medium |
2020-05-25 |
| Обход комиссии при оплате картой |
None supplied |
circuit |
Critical |
2019-11-05 |
| account takeover https://qiwi.me |
None supplied |
circuit |
Critical |
2019-10-11 |
| account takeover https://idea.qiwi.com/ |
Session Fixation |
circuit |
Critical |
2019-08-28 |
| account takeover https://teamplay.qiwi.com |
None supplied |
circuit |
Critical |
2019-08-28 |
| Обход комиссии на переводы |
Business Logic Errors |
circuit |
Critical |
2019-07-08 |
| Imformation Disclosure on id.rapida.ru |
Information Disclosure |
danila_xawdxawdx |
Low |
2018-06-11 |
| [wallet.rapida.ru] Mass SMS flood |
Brute Force |
bigbear_ |
Medium |
2018-05-18 |
| https://fundl.qiwi.com CSRF на подтверждении sms |
None supplied |
lincoln9932 |
Medium |
2018-03-11 |
| apache access.log leakage via long request on https://rapida.ru/ |
Buffer Over-read |
tsug0d |
High |
2018-02-05 |
| Information disclosure on https://paycard.rapida.ru |
Information Disclosure |
tikoo_sahil |
No rating |
2018-01-20 |
| [qiwi.com] XSS on payment form |
Cross-site Scripting (XSS) - Reflected |
nstikhomirov |
High |
2017-10-17 |
| Xss on billing |
Cross-site Scripting (XSS) - Generic |
nstikhomirov |
No rating |
2017-06-13 |
| [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS |
Cross-site Scripting (XSS) - Generic |
nstikhomirov |
Medium |
2017-06-13 |
| Content Spoofing in mango.qiwi.com |
Improper Authentication - Generic |
cyberunit |
No rating |
2017-04-07 |
| Open Redirect in meeting.qiwi.com |
Open Redirect |
cyberunit |
No rating |
2017-04-06 |
| [qiwi.com] Information Disclosure |
Information Disclosure |
bobrov |
Medium |
2017-03-31 |
| [qiwi.com] .bash_history |
Information Disclosure |
bobrov |
Low |
2017-03-27 |
| Stored xss in agent.qiwi.com |
Cross-site Scripting (XSS) - Generic |
4lemon |
No rating |
2017-03-27 |
| [ibank.qiwi.ru] UI Redressing via Request-URI |
Violation of Secure Design Principles |
bobrov |
Medium |
2017-03-27 |
| Раскрытие баланса на //kopilka.qiwi.com |
Information Disclosure |
nstikhomirov |
Medium |
2017-03-10 |
| [XSS/3dsecure.qiwi.com] 3DSecure XSS |
Cross-site Scripting (XSS) - Generic |
nstikhomirov |
Medium |
2017-03-10 |
| [rubm.qiwi.com] Yui charts.swf XSS |
Cross-site Scripting (XSS) - Generic |
kxyry |
No rating |
2016-12-01 |
| [qiwi.com] Oauth захват аккаунта |
Improper Authentication - Generic |
kxyry |
No rating |
2016-11-26 |
| [qiwi.com] Open Redirect |
Open Redirect |
bobrov |
No rating |
2016-10-25 |
| CRLF Injection [ishop.qiwi.com] |
None supplied |
bobrov |
No rating |
2016-10-25 |
| XML External Entity (XXE) in qiwi.com + waf bypass |
None supplied |
artsploit |
No rating |
2016-07-26 |
| SSL Certificate on qiwi.com will expire soon. |
Cryptographic Issues - Generic |
ngaurav |
No rating |
2016-06-06 |
| XSS Reflected in test.qiwi.ru |
Cross-site Scripting (XSS) - Generic |
hassham |
No rating |
2015-12-11 |
| Открытый доступ к корпоративным данным. |
Improper Authentication - Generic |
cyberunit |
No rating |
2015-11-02 |
| Session Cookie without HttpOnly and secure flag set |
Violation of Secure Design Principles |
pradeepch99 |
No rating |
2015-09-27 |
| [ishop.qiwi.com] XSS + Misconfiguration |
Cross-site Scripting (XSS) - Generic |
kxyry |
No rating |
2015-08-31 |
| Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails |
Information Disclosure |
jmiroche |
No rating |
2015-01-18 |
| [static.qiwi.com] XSS proxy.html |
Cross-site Scripting (XSS) - Generic |
smiegles |
No rating |
2014-12-27 |
| Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number |
Violation of Secure Design Principles |
born2hack |
No rating |
2014-12-21 |
| [qiwi.com] /oauth/confirm.action XSS |
Cross-site Scripting (XSS) - Generic |
akhil-reni |
No rating |
2014-12-20 |
| [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ |
Denial of Service |
bitquark |
No rating |
2014-12-18 |
| [send.qiwi.ru] XSS at auth?login= |
Cross-site Scripting (XSS) - Generic |
psych0tr1a |
No rating |
2014-12-17 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles