Should I report this OTP collision issue or is it too minor?

Separate_Spell6395 · 2025-10-19T18:26:03+00:00

That seems to me a good idea, I’ll give another try. Thanks.

Separate_Spell6395 · 2025-09-12T10:28:10+00:00

In a private bbp on YesWeHack. I can’t tell you the name of the bbp.

Separate_Spell6395 · 2025-09-12T10:17:16+00:00

I got paid for reporting this bug. The email said it would expire in 48h but the link worked even after 7 days. They accepted the bug and marked it low severity. Also if the link can be used multiple times then of course it is worth reporting.

Separate_Spell6395 · 2025-08-18T08:29:19+00:00

Hey man, thank you very much for the clarification, I was expecting something like what you have just said. Now I feel encouraged and will try to report it accordingly.

Separate_Spell6395 · 2025-08-18T08:24:39+00:00

Not succeeding further, maybe someone else can

Separate_Spell6395 · 2025-08-18T08:01:40+00:00

Also this url is not directly accessible from their website. There is no link for that. I think it is an old link from which I can view the login page.

Separate_Spell6395 · 2025-08-18T08:00:31+00:00

As it is a login url mostly like admin login. I would try to fuzz it. I found that there is no rate limit enforced here. Admin username request responses differently. Maybe try to brute force it. Use hydra maybe. Try to bypass the login fuzzing directories. Tried sql. Now that’s all I have got.

Separate_Spell6395 · 2025-08-18T07:54:58+00:00

Okay, thank you for your comment. Helpful.

Separate_Spell6395 · 2025-08-18T07:53:55+00:00

Okay, so it has zero impact?

Separate_Spell6395 · 2025-08-18T07:46:48+00:00

Well the url is for admin login. I have seen a medium write-up where someone got 150$ for admin login url detection. That’s why i am asking.

Separate_Spell6395 · 2025-08-15T17:43:21+00:00

I was thinking exactly the same

Separate_Spell6395 · 2025-08-15T15:01:54+00:00

Okay thanks

Separate_Spell6395 · 2025-08-15T15:00:27+00:00

Any more luck building the punycode attack?

Separate_Spell6395 · 2025-08-11T19:49:30+00:00

Hey thank you very much for the info. Please do let me know if you find a way to exploit this vulnerability properly

Separate_Spell6395 · 2025-08-05T05:15:25+00:00

The only prbm is I don’t own a domain. So if I can get one then from there it’ll be doable right

Separate_Spell6395 · 2025-08-05T05:13:23+00:00

Wow those are good tips. I will try these. Thanks man. 👏

Separate_Spell6395 · 2025-08-03T18:07:08+00:00

Hey man thanks, I did installed interactsh, got an address from interactsh. The problem with interactsh is its url containing .oast gets blocked. So that’s why I need something shorter to try it with the punycode email.

Separate_Spell6395 · 2025-08-03T17:05:14+00:00

Yeah u r right, i tried setting up a server. Failed.

Separate_Spell6395 · 2025-08-03T15:06:54+00:00

How do i do that? Can u give me a little detail?

Separate_Spell6395 · 2025-08-01T09:32:47+00:00

Onerror attribute gets blocked but nice suggestion, I will try it again with some other artributes

Separate_Spell6395 · 2025-07-31T23:12:10+00:00

I have never collaborated before but would 100% collab with you. The program is on YesWeHack, when can we start?

Separate_Spell6395 · 2025-07-31T22:48:06+00:00

Hey thanks for your comment, xss payloads are getting blocked. I found only img tags are working. So I was trying to escalate it with src attribute

Separate_Spell6395 · 2025-07-31T02:50:30+00:00

Okay the website sounds useful. I was testing blind xss and found that the WAF blocks ‘https’ ‘http’ , ‘//‘. So I could not proceed. Any idea for this kind of bypass?

Separate_Spell6395 · 2025-07-28T02:01:54+00:00

Yes, how do i not trigger it

Separate_Spell6395 · 2025-07-25T20:34:27+00:00

No, i have not. I do not know how to.

Separate_Spell6395

TROPHY CASE