Reports in the Zomato program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | [www.zomato.com] SQLi - /php/██████████ - item_id | $4500.00 |
| 2 | Claiming the listing of a non-delivery restaurant through OTP manipulation | $3250.00 |
| 3 | Availing Zomato Gold by using a random third-party wallet_id | $2000.00 |
| 4 | Solr Injection in user_id parameter at /v2/leaderboard_v2.json | $2000.00 |
| 5 | [www.zomato.com] Blind SQL Injection in /php/geto2banner | $2000.00 |
| 6 | [www.zomato.com] Blind SQL Injection in /php/widgets_handler.php | $2000.00 |
| 7 | SQL Injection in www.hyperpure.com | $2000.00 |
| 8 | Improper Validation at Partners Login | $2000.00 |
| 9 | Add up to 10K rupees to a wallet by paying an arbitrary amount | $2000.00 |
| 10 | Possible to enumerate addresses of users using AddressId and guessing the delivery_subzone | $1500.00 |
| 11 | Login to any account with the email address | $1000.00 |
| 12 | [www.zomato.com] Union SQLi + WAF Bypass | $1000.00 |
| 13 | [https://reviews.zomato.com] Time Based SQL Injection | $1000.00 |
| 14 | [www.zomato.com] Boolean SQLi - /█████.php | $1000.00 |
| 15 | [www.zomato.com] Boolean SQLi - /███████.php | $1000.00 |
| 16 | [www.zomato.com] SQLi on order_id parameter | $1000.00 |
| 17 | Information Disclosure through Sentry Instance ███████ | $750.00 |
| 18 | [www.zomato.com] Blind XSS on one of the Admin Dashboards | $750.00 |
| 19 | [Zomato Order] Insecure deeplink leads to sensitive information disclosure | $750.00 |
| 20 | IDOR to delete images from other stores | $600.00 |
| 21 | [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information | $550.00 |
| 22 | [█████████] Hardcoded credentials in Android App | $500.00 |
| 23 | [www.zomato.com] Blind XSS in one of the admin dashboards | $500.00 |
| 24 | Blind XSS - Report review - Admin panel | $350.00 |
| 25 | Subdomain takeover of fr1.vpn.zomans.com | $350.00 |
| 26 | [www.zomato.com] Privilege Escalation - Control reviews - /████dashboard_handler.php | $300.00 |
| 27 | Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService | $300.00 |
| 28 | Self-Stored XSS - Chained with login/logout CSRF | $300.00 |
| 29 | Attacker can receive order updates on WhatsApp for users who have activated WhatsApp notifications | $300.00 |
| 30 | IDOR to cancel any table booking and leak sensitive information such as email, mobile number, uuid | $250.00 |
| 31 | [www.zomato.com] Privilege Escalation - /php/restaurant_menus_handler.php | $200.00 |
| 32 | Page has a link to Google Drive which has logos and a few customer phone recordings | $200.00 |
| 33 | [api.zomato.com] Abusing LocalParams (city_id) to Inject SOLR query | $150.00 |
| 34 | HTML Injection @ /[restaurant]/order endpoint | $150.00 |
| 35 | HTML injection leads to reflected XSS | $150.00 |
| 36 | Length extension attack leading to HTML injection | $100.00 |
| 37 | Zomato.com Reflected Cross Site Scripting | $100.00 |
| 38 | [Zomato's Blog] POST based XSS on https://www.zomato.com/blog/wp-admin/admin-ajax.php?td_theme_name=Newspaper&v=8.2 | $100.00 |
| 39 | [www.zomato.com] IDOR - Gold Subscription Details, Able to view "Membership ID" and "Validity Details" of other Users | $100.00 |
| 40 | Reflected XSS on developers.zomato.com | $100.00 |
| 41 | [www.zomato.com] Abusing LocalParams (city) to Inject SOLR query | $100.00 |
| 42 | Posting to Twitter CSRF on php/post_twitter_authenticate.php | $50.00 |
| 43 | CSRF in the "Add restaurant picture" function | $50.00 |
| 44 | Use any User to Follow you (Increase Followers) [IDOR] | $50.00 |
| 45 | XSS on zomato.com | $0.00 |
| 46 | CSRF at inviting people through phone number | $0.00 |
| 47 | Twitter Disconnect CSRF | $0.00 |
| 48 | test.zba.se is vulnerable to SSL POODLE | $0.00 |
| 49 | Takeover of a lot of accounts | $0.00 |
| 50 | Unauthorised Access to Anyone's User Account | $0.00 |
| 51 | Visibility of robots.txt file | $0.00 |
| 52 | Unvalidated redirect on user profile website | $0.00 |
| 53 | Clickjacking login page of http://book.zomato.com/ | $0.00 |
| 54 | CSS | $0.00 |
| 55 | Amazon S3 bucket misconfiguration (share) | $0.00 |
| 56 | MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) | $0.00 |
| 57 | XSS in flashmediaelement.swf (business-blog.zomato.com) | $0.00 |
| 58 | Reflected XSS on business-blog.zomato.com - Part I | $0.00 |
| 59 | Reflected XSS on business-blog.zomato.com - Part II | $0.00 |
| 60 | Reflected XSS in Zomato Mobile - category parameter | $0.00 |
| 61 | XSS found in Zomato | $0.00 |
| 62 | CSRF To Like/Unlike Photos | $0.00 |
| 63 | CORS Misconfiguration on www.zomato.com | $0.00 |
| 64 | NexTable: Credentials exposure | $0.00 |
| 65 | Base alpha version code exposure | $0.00 |
| 66 | SQL Injection, exploitable in boolean mode | $0.00 |
| 67 | Bypass OTP verification when placing Order | $0.00 |
| 68 | Restaurant payment information leakage | $0.00 |
| 69 | Unauthorized update of merchants' information via /php/merchant_details.php | $0.00 |
| 70 | Potential server misconfiguration leads to disclosure of vendor/ directory | $0.00 |
| 71 | [www.zomato.com] IDOR - Leaking all Personal Details of all Zomato Users through an endpoint | $0.00 |
| 72 | [www.zomato.com] Unauthenticated access to Internal Sales Data of Zomato through an unrestricted endpoint | $0.00 |
| 73 | [www.zomato.com/dubai/gold] CRITICAL - Allowing arbitrary amount to become a GOLD Member | $0.00 |
| 74 | [www.zomato.com] IDOR - Delete/Deactivate any special menu of any Restaurant from Zomato | $0.00 |
| 75 | User Profiles Leak PII in HTML Document for Mobile Browser User Agents | $0.00 |
| 76 | Admin Access to a domain used for development and admin access to internal dashboards on that domain | $0.00 |
| 77 | [www.zomato.com] IDOR - Delete/Deactivate ANY/ALL Promos through a POST Request at clients/promoDataHandler.php | $0.00 |
| 78 | SSRF in https://www.zomato.com████ allows reading local files and website source code | $0.00 |
| 79 | Outdated MediaElement.js Reflected Cross-Site Scripting (XSS) | $0.00 |
| 80 | Reflected XSS on https://www.zomato.com | $0.00 |
| 81 | URL is vulnerable to clickjacking | $0.00 |
| 82 | Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE) | $0.00 |
| 83 | IDOR in treat subscriptions | $0.00 |
| 84 | [www.zomato.com] Getting a complimentary dessert [Zomato Treats] on ordering a Meal at no cost | $0.00 |
| 85 | [www.zomato.com] Abusing LocalParams to Inject Code through ███████ query | $0.00 |
| 86 | XSS in "explore-keywords-dropdown" results | $0.00 |
| 87 | [Zomato Android/iOS] Theft of user session | $0.00 |
| 88 | [www.zomato.com] Tampering with Order Quantity and paying less than the actual amount, leads to business loss | $0.00 |
| 89 | [www.zomato.com] Blind XSS in one of the Admin Dashboards | $0.00 |
| 90 | [auth2.zomato.com] Reflected XSS at oauth2/fallbacks/error (ORY Hydra, an OAuth 2.0 and OpenID Connect Provider) | $0.00 |
| 91 | Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day | $0.00 |
| 92 | Open Redirect On Your Login Panel | $0.00 |
| 93 | Credentials leakage in public leads to viewing dev websites | $0.00 |
| 94 | [www.zomato.com] Availing Zomato Gold membership for free by tampering plan id(s) | $0.00 |
| 95 | Sending Unlimited Emails to anyone from Zomato mail server | $0.00 |
| 96 | Bypassing the SMS sending limit for download app link | $0.00 |
| 97 | [api.zomato.com] Able to manipulate order amount | $0.00 |
| 98 | Open AWS S3 bucket leaks all Images uploaded to Zomato chat | $0.00 |
| 99 | Able to manipulate order amount by removing cancellation amount and cause financial impact | $0.00 |
| 100 | Zomato Map server going out of memory while resizing map image | $0.00 |
| 101 | Free food bug done by Burp Suite | $0.00 |
| 102 | Mathematical error found in Meals for One | $0.00 |
| 103 | Stealing Zomato X-Access-Token in Bulk using HTTP Request Smuggling on api.zomato.com | $0.00 |
| 104 | The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking | $0.00 |
| 105 | Ability to manipulate price with a max threshold of <1 Rupee in support rider parameter | $0.00 |
| 106 | Lack of Password Confirmation for Account Deletion | $0.00 |
| 107 | [www.zomato.com] Leaking Email Addresses of merchants via reset password feature | $0.00 |
| 108 | [Zomato for Business Android] Vulnerability in exported activity WebView | $0.00 |
| 109 | Subdomain takeover on fddkim.zomato.com | $0.00 |
| 110 | Race condition in User comments Likes | $0.00 |