# Features Abuse Checklist

## Top Business Logic reports from HackerOne

1. [Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests](https://hackerone.com/reports/689314) to GitLab - 438 upvotes, $12000
2. [Account takeover through the combination of cookie manipulation and XSS](https://hackerone.com/reports/534450) to Grammarly - 253 upvotes, $2000
3. [Ethereum account balance manipulation](https://hackerone.com/reports/300748) to Coinbase - 251 upvotes, $10000
4. [SSRF leaking internal google cloud data through upload function \[SSH Keys, etc..\]](https://hackerone.com/reports/549882) to Vimeo - 248 upvotes, $5000
5. [Account Takeover via Email ID Change and Forgot Password Functionality](https://hackerone.com/reports/1089467) to New Relic - 210 upvotes, $2048
6. [Abusing "Report as abuse" functionality to delete any user's post.](https://hackerone.com/reports/411075) to Vanilla - 159 upvotes, $300
7. [OLO Total price manipulation using negative quantities](https://hackerone.com/reports/364843) to Upserve - 144 upvotes, $3500
8. [Unserialize leading to arbitrary PHP function invoke](https://hackerone.com/reports/210741) to Rockstar Games - 113 upvotes, $5000
9. [HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function](https://hackerone.com/reports/1478633) to Cloudflare Public Bug Bounty - 105 upvotes, $6000
10. [Null pointer dereference in SMTP server function smtp\_string\_parse](https://hackerone.com/reports/827729) to Open-Xchange - 105 upvotes, $1500
11. [XXE in Site Audit function exposing file and directory contents](https://hackerone.com/reports/312543) to Semrush - 99 upvotes, $2000
12. [Claiming the listing of a non-delivery restaurant through OTP manipulation](https://hackerone.com/reports/1330529) to Zomato - 85 upvotes, $3250
13. [Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)](https://hackerone.com/reports/637194) to Shopify - 73 upvotes, $500
14. [Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE](https://hackerone.com/reports/520717) to Lob - 68 upvotes, $1500
15. [Parameter Manipulation allowed for viewing of other user’s teavana.com orders](https://hackerone.com/reports/141090) to Starbucks - 66 upvotes, $6000
16. [Authorization Token on PlayStation Network Leaks via postMessage function](https://hackerone.com/reports/826394) to PlayStation - 64 upvotes, $1000
17. [Manipulating response leads to free access to Streamlabs Prime](https://hackerone.com/reports/1070510) to Logitech - 60 upvotes, $200
18. [\[api.tumblr.com\] Denial of Service by cookies manipulation](https://hackerone.com/reports/1005421) to Automattic - 51 upvotes, $200
19. [SSRF in VCARD photo upload functionality](https://hackerone.com/reports/296045) to Open-Xchange - 49 upvotes, $850
20. [Captcha bypass for the most important function - At en.instagram-brand.com](https://hackerone.com/reports/206653) to Automattic - 48 upvotes, $150
21. [\[intensedebate.com\] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled](https://hackerone.com/reports/1051734) to Automattic - 43 upvotes, $200
22. [SSRF in the application's image export functionality](https://hackerone.com/reports/816848) to Visma Public - 42 upvotes, $250
23. [Able to steal private files by manipulating response using Compose Email function of Lark](https://hackerone.com/reports/1373784) to Lark Technologies - 41 upvotes, $2000
24. [Unrestricted access to quiesce functionality in dss.api.playstation.com REST API leads to unavailability of application](https://hackerone.com/reports/993722) to PlayStation - 39 upvotes, $1000
25. [Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions.](https://hackerone.com/reports/141120) to Starbucks - 33 upvotes, $4000
26. [Logic flaw in the Post creation process allows creating posts with arbitrary types without needing the corresponding nonce](https://hackerone.com/reports/404323) to WordPress - 33 upvotes, $900
27. [SSRF in Functional Administrative Support Tool pdf generator (████) \[HtUS\]](https://hackerone.com/reports/1628209) to U.S. Dept Of Defense - 32 upvotes, $4000
28. [Able to steal private files by manipulating response using Auto Reply function of Lark](https://hackerone.com/reports/1387320) to Lark Technologies - 31 upvotes, $2000
29. [Business Logic Flaw in the subscription of the app](https://hackerone.com/reports/1505189) to Kraden - 31 upvotes, $250
30. [Price manipulation via fraction values (Parameter Tampering)](https://hackerone.com/reports/388564) to Shipt - 31 upvotes, $100
31. [Privilege escalation allows to use iframe functionality w/o upgrade](https://hackerone.com/reports/594080) to Infogram - 31 upvotes, $0
32. [Week Passwords generated by password reset function](https://hackerone.com/reports/765031) to MTN Group - 30 upvotes, $0
33. [Self-XSS in password reset functionality](https://hackerone.com/reports/286667) to Shopify - 29 upvotes, $500
34. [Parameter tampering can result in product price manipulation](https://hackerone.com/reports/218748) to Adobe - 28 upvotes, $0
35. [Manipulation of exam results at Semrush.Academy](https://hackerone.com/reports/662583) to Semrush - 27 upvotes, $600
36. [RCE via Print function \[Simplenote 1.1.3 - Desktop app\]](https://hackerone.com/reports/358049) to Automattic - 26 upvotes, $250
37. [GoldSrc: Buffer Overflow in DELTA\_ParseDelta function leads to RCE](https://hackerone.com/reports/484745) to Valve - 25 upvotes, $3000
38. [Add more seats by paying less via PUT /v2/seats request manipulation](https://hackerone.com/reports/1446090) to Krisp - 23 upvotes, $500
39. [Business Logic Flaw - A non premium user can change/update retailers to get cashback on all the retailers associated with Curve](https://hackerone.com/reports/672487) to Curve - 19 upvotes, $1000
40. [Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report](https://hackerone.com/reports/442843) to HackerOne - 19 upvotes, $500
41. [IDOR in report download functionality on ads.tiktok.com](https://hackerone.com/reports/1559739) to TikTok - 16 upvotes, $500
42. [Multiple File Manipulation bugs in WP Super Cache](https://hackerone.com/reports/240886) to Automattic - 15 upvotes, $150
43. [Response Manipulation leads to Admin Panel Login Bypass at https://██████/](https://hackerone.com/reports/1508661) to Sony - 15 upvotes, $0
44. [XSS in main search, use class tag to imitate Reverb.com core functionality, create false login window](https://hackerone.com/reports/351376) to [Reverb.com](http://reverb.com/) - 14 upvotes, $150
45. [Spoof Email with Hyperlink Injection via Invites functionality](https://hackerone.com/reports/182008) to Pushwoosh - 14 upvotes, $0
46. [Remote Code Execution through Extension Bypass on Log Functionality](https://hackerone.com/reports/841947) to Concrete CMS - 14 upvotes, $0
47. [Privilege escalation in the client impersonation functionality](https://hackerone.com/reports/221454) to Ubiquiti Inc. - 12 upvotes, $1500
48. [CSV-injection in export functionality](https://hackerone.com/reports/335447) to Passit - 12 upvotes, $0
49. [Unauthenticated reflected XSS in preview\_as\_user function](https://hackerone.com/reports/643442) to Concrete CMS - 12 upvotes, $0
50. [Stored self XSS at auto.mail.ru using add\_review functionality](https://hackerone.com/reports/914286) to [Mail.ru](http://mail.ru/) - 11 upvotes, $0
51. [\[CVE-2020-27194\] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE](https://hackerone.com/reports/1010340) to Internet Bug Bounty - 10 upvotes, $750
52. [Logic issue in email change process](https://hackerone.com/reports/265931) to Legal Robot - 10 upvotes, $70
53. [\[kb.informatica.com\] DOM based XSS in the bindBreadCrumb function](https://hackerone.com/reports/189834) to Informatica - 10 upvotes, $0
54. [Time-of-check to time-of-use vulnerability in the std::fs::remove\_dir\_all() function of the Rust standard library](https://hackerone.com/reports/1520931) to Internet Bug Bounty - 9 upvotes, $4000
55. [No Rate limit on Password Reset Function](https://hackerone.com/reports/280389) to Infogram - 9 upvotes, $0
56. [Business Logic, currency arbitrage - Possibility to pay less than the price in USD](https://hackerone.com/reports/1677155) to PortSwigger Web Security - 9 upvotes, $0
57. [Improperly implemented password recovery link functionality](https://hackerone.com/reports/809) to Phabricator - 8 upvotes, $300
58. [Allow authenticated users can edit, trash,and add new in BuddyPress Emails function](https://hackerone.com/reports/833782) to WordPress - 8 upvotes, $225
59. [Logic issue in email change process](https://hackerone.com/reports/266017) to Legal Robot - 8 upvotes, $60
60. [CSRF in the "Add restaurant picture" function](https://hackerone.com/reports/169699) to Zomato - 8 upvotes, $50
61. [Change password logic inversion](https://hackerone.com/reports/255679) to Legal Robot - 8 upvotes, $20
62. [Impersonation of Wakatime user using Invitation functionality.](https://hackerone.com/reports/257119) to WakaTime - 8 upvotes, $0
63. [Server Side Request Forgery In Video to GIF Functionality](https://hackerone.com/reports/91816) to Imgur - 7 upvotes, $1600
64. [memory corruption in wordwrap function](https://hackerone.com/reports/167910) to Internet Bug Bounty - 7 upvotes, $500
65. [Logic flaw enables restricted account to access account license key](https://hackerone.com/reports/200576) to New Relic - 7 upvotes, $500
66. [unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php](https://hackerone.com/reports/185907) to Ian Dunn - 7 upvotes, $25
67. [Reputation Manipulation (Theoretical)](https://hackerone.com/reports/132057) to HackerOne - 7 upvotes, $0
68. [Business logic Failure - Browser cache management and logout vulnerability in Certly](https://hackerone.com/reports/158270) to Certly - 7 upvotes, $0
69. [Firefly's verify\_access\_token() function does a byte-by-byte comparison of HMAC values.](https://hackerone.com/reports/240958) to Yelp - 7 upvotes, $0
70. [Missing Password Confirmation at a Critical Function (Payout Method)](https://hackerone.com/reports/303299) to HackerOne - 7 upvotes, $0
71. [Remote Code Execution in the Import Channel function](https://hackerone.com/reports/236607) to ExpressionEngine - 7 upvotes, $0
72. [Deleted Post and Administrative Function Access in eCommerce Forum](https://hackerone.com/reports/167846) to Shopify - 6 upvotes, $500
73. [CSV export/import functionality allows administrators to modify member and message content of a workspace](https://hackerone.com/reports/1661310) to Slack - 6 upvotes, $250
74. [Application XSS filter function Bypass may allow Multiple stored XSS](https://hackerone.com/reports/44217) to Vimeo - 6 upvotes, $100
75. [Non-functional 2FA recovery codes](https://hackerone.com/reports/249337) to Legal Robot - 6 upvotes, $60
76. [Incorrect Functionality of Password reset links](https://hackerone.com/reports/280529) to Infogram - 6 upvotes, $0
77. [Business Logic Flaw allowing Privilege Escalation](https://hackerone.com/reports/280914) to Inflection - 6 upvotes, $0
78. [Parameter tampering : Price Manipulation of Products](https://hackerone.com/reports/682344) to WordPress - 6 upvotes, $0
79. [Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input](https://hackerone.com/reports/670779) to Node.js third-party modules - 6 upvotes, $0
80. [Owner can change themself for another Role Mode but application doesnot have this function.](https://hackerone.com/reports/1072635) to Doppler - 6 upvotes, $0
81. [ihsinme: CPP Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type](https://hackerone.com/reports/1241578) to GitHub Security Lab - 5 upvotes, $1800
82. [Logic Issue with Reputation: Boost Reputation Points](https://hackerone.com/reports/36211) to HackerOne - 5 upvotes, $500
83. [The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack](https://hackerone.com/reports/129002) to LocalTapiola - 5 upvotes, $300
84. [Deleted name still present via mouseover functionality for user accounts](https://hackerone.com/reports/127914) to HackerOne - 5 upvotes, $0
85. [Issue with password reset functionality \[Minor\]](https://hackerone.com/reports/149027) to Paragon Initiative Enterprises - 5 upvotes, $0
86. [Weak e-mail change functionality could lead to account takeover](https://hackerone.com/reports/223461) to Weblate - 5 upvotes, $0
87. [Amount Manipulation Buy Unlimited Credits in just $1.00](https://hackerone.com/reports/277377) to Inflection - 5 upvotes, $0
88. [Locked\_Transfer functional burning](https://hackerone.com/reports/417515) to Monero - 5 upvotes, $0
89. [Rate limit function bypass can leads to occur huge critical problem into website.](https://hackerone.com/reports/1067533) to Courier - 5 upvotes, $0
90. [HTTP Host injection in redirect\_to function](https://hackerone.com/reports/888176) to Ruby on Rails - 5 upvotes, $0
91. [2 Cache Poisoning Attack Methods Affect Core Functionality www.exodus.com](https://hackerone.com/reports/1581454) to Exodus - 5 upvotes, $0
92. [Manipulation of submit payment request allows me to obtain Infrastructure Pro/Other Services for free or at greatly reduced price](https://hackerone.com/reports/219356) to New Relic - 4 upvotes, $600
93. [Invalid parameter in memcpy function trough openssl\_pbkdf2](https://hackerone.com/reports/190933) to Internet Bug Bounty - 4 upvotes, $500
94. [Business logic Failure - Browser cache management and logout vulnerability.](https://hackerone.com/reports/7909) to Localize - 4 upvotes, $0
95. [Spamming any user from Reset Password Function](https://hackerone.com/reports/223525) to Weblate - 4 upvotes, $0
96. [New team invitation functionality allows extend team without upgrade](https://hackerone.com/reports/295900) to Infogram - 4 upvotes, $0
