A researcher bypassed file upload restrictions on a crypto trading platform by manipulating Content-Type headers, uploaded a PHP shell for RCE, extracted database credentials, and gained the ability to modify user account balances, resulting in a P1 severity rating.
An XSS vulnerability was discovered in InternShala via a JSON endpoint that was served with an incorrect text/html Content-Type header. It was exploited through multiple filter bypasses: replacing whitespace with +, using confirm() instead of alert(), using backticks in place of parentheses, and URL-encoding the closing tags.
A JSON-based CSRF vulnerability was discovered on Badoo's mobile site (m.badoo.com) that allowed attackers to perform account deletion and contact erasure without CSRF tokens, by using HTML form submissions with text/plain encoding to bypass the JSON Content-Type restriction. The researcher crafted HTML forms that automatically executed these privileged API actions when visited by an authenticated victim, resulting in a $280 bounty.