4829 | #BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) | Host header injection, IDOR | BookMyShow | Avinash Jain (@logicbomb_1) | Bug Bounty | 2018-03-25 | 2023-06-13 |
4441 | Love Story Of A Account Takeover (Chaining Host Header Injection To Takeover Someones Account) | Host header injection | NA | Logical Bimboo | Bug Bounty | 2018-11-30 | 2023-06-13 |
3929 | Pwn Them All #BugBounty | Host header injection, Password reset | NA | Bilal Khan (@bilalmerokhel) | Bug Bounty | 2019-09-11 | 2023-06-13 |
3784 | Multiple Host Header Attacks after bypassing protection with… a Header Attack | Host header injection | NA | vict0ni (@vict0ni) | Bug Bounty | 2019-12-12 | 2023-06-13 |
3709 | How I was able to take over any users account with host header injection | Host header injection | NA | Ajay Gautam (@evilboyajay) | Bug Bounty | 2020-01-23 | 2023-06-13 |
3603 | How I earned $800 for Host Header Injection Vulnerability | Host header injection, Password reset | NA | Pethuraj (@Pethuraj) | Bug Bounty | 2020-03-15 | 2023-06-13 |
3413 | Different host header injection worth 2k | Host header injection | NA | Imran Nissar (@Imrannissar3) | Bug Bounty | 2020-06-07 | 2023-06-13 |
3334 | From Host Header injection to SQL injection | Host header injection, SQL injection | NA | Daoud Youssef / smacker dodi (@daoud_youssef) | Bug Bounty | 2020-07-05 | 2023-06-13 |
3203 | Fun with header and forget password, with a twist: | Password reset, Host header injection | NA | Vuk Ivanovic | Bug Bounty | 2020-08-18 | 2023-06-13 |
3107 | ATO via Host Header Poisoning | Host header injection, Account takeover, Password reset | NA | Shivam Kamboj Dattana (@sechunt3r) | Bug Bounty | 2020-10-08 | 2023-06-13 |
2770 | Hijacking Reset Password Link in https://www.niteflirt.com/ via Host Header Poising (Write Up) | Host header injection, Account takeover, Password reset | Niteflirt | Evan Ricafort (@evanricafort) | Bug Bounty | 2021-02-25 | 2023-06-13 |
2767 | Password Reset Token Leak via X-Forwarded-Host | Host header injection, Account takeover, Password reset | NA | Saajan Bhujel (@saajanbhujel) | Bug Bounty | 2021-02-26 | 2023-06-13 |
2547 | Drupal Insecure Default Leads To Password Reset Poisoning | Password reset, Host header injection | Drupal | Bogdan Tiron (@Bogdan___T) | Bug Bounty | 2021-05-29 | 2023-06-13 |
2380 | You’ve Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures | Password reset, Host header injection, CSRF, Account takeover | NA | Tommaso Innocenti (@innotommy) | Bug Bounty | 2021-07-26 | 2023-06-13 |
2037 | HTTP Header Injection In Citrix ADC And Citrix Gateway (CVE-2020-8300, CVE-2021-22927) | Host header injection, XSS | Citrix Systems | Wolfgang Ettlinger | Bug Bounty | 2021-11-30 | 2023-06-13 |
1932 | Host Header Injection Lead To Account Takeovers | Host header injection, Password reset, Account takeover | NA | M7.Arman (@ArmanSecurity) | Bug Bounty | 2022-01-09 | 2023-06-13 |
1875 | XSS via X-Forwarded-Host header | XSS, Host header injection | Omise | Abhijeet Biswas (@abhijeetbiswas_) | Bug Bounty | 2022-01-30 | 2023-06-13 |
1402 | ($$$) Origin ip to account takeover | WAF bypass, Password reset, Host header injection, Account takeover | NA | Hemant Kumar | Bug Bounty | 2022-07-02 | 2023-06-13 |
1308 | CVE-2022-31813: Forwarding Addresses Is Hard | Host header injection, DoS, IP address spoofing | Internet Bug Bounty (Apache HTTPD) | Gaetan Ferry (@_mabote_) | Bug Bounty | 2022-07-26 | 2023-06-13 |
1236 | UN United Nations Host Header Injection leads to any Full Account Takeover (ATO) | Host header injection, Password reset, Account takeover | United Nations | Ahmed Hassan | Bug Bounty | 2022-08-13 | 2023-06-13 |
504 | Host Header Injection to Complete Organization takeover | SSRF, Host header injection, Privilege escalation | NA | Muhammad Umer Adeem | Bug Bounty | 2023-02-02 | 2023-06-13 |