|
| 1 | +[Back to Contents](README.md) |
| 2 | + |
| 3 | + |
| 4 | +### HackerOne publicly disclosed bugs Stats |
| 5 | + |
| 6 | +At the time of writing, the HackerOne platform had 1731 publicly disclosed bugs in companies such as Twitter, Uber, Dropbox, Github etc. |
| 7 | +8 of the bugs were removed as outright spam. 9 others were related to bugs in the Internet or a specific programming language. Out of the remaining 1714, we were able to classify 1359 issues using some code and manual work. |
| 8 | + |
| 9 | + |
| 10 | + |
| 11 | + |
| 12 | +#### Issues by type of mistake |
| 13 | + |
| 14 | + |
| 15 | +| Classification | Count | Percentage | |
| 16 | +| --- | --- | --- | |
| 17 | +| User Input Sanitization | 481 | 27.8 |
| 18 | +| Other code issues | 549 | 31.7 |
| 19 | +| Configuration issues | 325 | 18.8 |
| 20 | +| Unclassified+Info+Junk | 376 | 21.7 |
| 21 | + |
| 22 | + |
| 23 | +#### Issues sorted by their frequency of occurence |
| 24 | + |
| 25 | +1 out of 3 issues were related to XSS, Insecure references to data (data leak) or missing CSRF token. The [HackerOne page](https://hackerone.com/hacktivity/new) listing these issues is quite interesting and can be read. |
| 26 | + |
| 27 | +Type|Count|Percentage |
| 28 | +| --- | --- | --- | |
| 29 | +XSS|375|21.87 |
| 30 | +Insecure reference + Data Leak|104|6.06 |
| 31 | +CSRF Token|99|5.77 |
| 32 | +Open Redirects|59|3.44 |
| 33 | +Information/Source Code Disclosure|57|3.32 |
| 34 | +DNS misconfiguration + Apache/Nginx + Subdomain Takeover + Open AWS_S3|44|2.56 |
| 35 | +Improper Session management/Fixation|39|2.27 |
| 36 | +TLS/SSL/POODLE/Heartbleed|39|2.27 |
| 37 | +HTML/JS/XXE/Content Injections|37|2.15 |
| 38 | +HTTP Header Issues|34|1.98 |
| 39 | +NULL POINTER + SEGFAULT + Using memory after free()|33|1.92 |
| 40 | +DMARC/DKIM/SPF settings for Mail|31|1.8 |
| 41 | +SQL Injection|28|1.63 |
| 42 | +Clickjacking|27|1.57 |
| 43 | +Improper Cookies (secure/httpOnly/exposed)|25|1.45 |
| 44 | +Path disclosure|25|1.45 |
| 45 | +Broken/Open Authentication|24|1.4 |
| 46 | +Brute Force attacks|24|1.4 |
| 47 | +Content Spoofing|20|1.16 |
| 48 | +Buffer overflow|20|1.16 |
| 49 | +Denial Of Service|19|1.1 |
| 50 | +Server Side Request Forgery|18|1.05 |
| 51 | +Adobe Flash vulnerabilities|18|1.05 |
| 52 | +User/Info Enumeration|17|0.99 |
| 53 | +Remote Code Execution|15|0.87 |
| 54 | +Password reset token expiration/attempts/others|13|0.75 |
| 55 | +Integer overflow|11|0.64 |
| 56 | +Version Disclosure|11|0.64 |
| 57 | +CSV Injection|10|0.58 |
| 58 | +Privilege Escalation|9|0.52 |
| 59 | +OAuth state/leaks and other issues|9|0.52 |
| 60 | +Password Policy|7|0.4 |
| 61 | +CRLF|7|0.4 |
| 62 | +PythonLang|6|0.35 |
| 63 | +Homograph attack|6|0.35 |
| 64 | +File upload type/size/location sanitize|6|0.35 |
| 65 | +Captcha bypass|5|0.29 |
| 66 | +Remote/Local File inclusion|4|0.23 |
| 67 | +Directory listing|4|0.23 |
| 68 | +Path traversal|4|0.23 |
| 69 | +Remote File Upload|4|0.23 |
| 70 | +Autocomplete enabled|4|0.23 |
| 71 | +Leak through referer|3|0.17 |
| 72 | +Pixel Flood Attack|3|0.17 |
| 73 | +Control Chars in Input|2|0.11 |
| 74 | + |
| 75 | + |
| 76 | +### Some unique vulnerability types |
| 77 | + |
| 78 | +1. Race conditions based vulnerabilities |
| 79 | +2. Pixel Flood Attack |
| 80 | +3. IDN Homograph Attack |
| 81 | +4. Control Characters in Input leading to interesting outcomes |
0 commit comments