Hall of Fame
| Multiple Vulnerabilities | |
| User | Euforia33 |
| Reward | 250 points |
| Description | Euforia33 found multiple vulnerabilities on the site. |
| XSS Vulnerability | |
| User | rex_mundi |
| Reward | 50 points |
| Description | rex_mundi found a XSS Vulnerability in the lost password system. |
| Blind SQL Injection | |
| User | rex_mundi |
| Reward | 300 points |
| Description | rex_mundi found several Blind SQL Injections |
| BBcode Exploit & Patch | |
| User | Euforia33 |
| Reward | 250 points |
| Description | Euforia33 found and patched a hole in the [IMG] tag |
| Multiple XSS vulnerabilitys | |
| User | rex_mundi |
| Reward | 150 points |
| Description | Many XSS vulnerabilitys from the IMG tag to the PM system and the admin panel. |
| [IMG] Tag RFI vulnerability | |
| User | Euforia33 |
| Reward | 150 points |
| Description | Euforia33 was able to include any PHP using the img tag |
| XSS Vulnerability | |
| User | rex_mundi |
| Reward | 75 points |
| Description | rex_mundi found a XSS vulnerability that let him steal user's cookies. |
| XSS | |
| User | nopcron |
| Reward | 30 points |
| Description | nopcron found a Cross Site Scripting exploit in realistic 8. |
| CSRF in Profile | |
| User | rex_mundi |
| Reward | 100 points |
| Description | Rex injected csrf code into his profile which gave anyone who visited it free challenge points. |
| CSRF | |
| User | korg |
| Reward | 100 points |
| Description | korg found and patched several csrf holes in the site. |
| CSRF in Buddy List | |
| User | Infam0us |
| Reward | 35 points |
| Description | Infam0us discovered a CSRF vulnerability that allowed him to remove people from a user's buddy list. |
| Avatar Vuln | |
| User | Infam0us |
| Reward | 60 points |
| Description | Infam0us was able to bypass the image-only filter for avatars to use any type of url he wanted by tacking on ?a=a.jpg or #a=a.jpg to the end of a URL. |
| XSS with img tags | |
| User | Infam0us |
| Reward | 100 points |
| Description | Infam0us discovered that he could insert javascript into img tags by using decimal encoding. |
| CSRF in Codebank | |
| User | cyber-guard |
| Reward | 35 points |
| Description | cyber-guard was able to create codes by getting users to visit an external site. He was able to use this in combination with his </textarea> vuln to do some interesting things. |
| Vulnerability in PM System and Code Bank | |
| User | cyber-guard |
| Reward | 100 points |
| Description | cyber-guard discovered that he could use </textarea> to insert html into a PM, and this html would be executed if you clicked "preview". He was able to insert whatever html/javascript code he wanted into codes using this method upon editing them. |
| Basic 26 XSS | |
| User | ADIGA |
| Reward | 25 points |
| Description | ADIGA found an XSS vulnerability in Basic Web Hacking 26 using the onmouseover attribute. |
| CSRF in Admin Blacklist Function | |
| User | ynori7 |
| Reward | 35 points |
| Description | Ynori found a CSRF vulnerability in the blacklist function allowing any user to remove any (or all) blacklists by getting an admin with the proper prviliges to view a webpage. |
| CSRF in Articles Section | |
| User | ynori7 |
| Reward | 35 points |
| Description | Ynori found a CSRF vulnerability in the Articles section allowing any user to delete any article by getting an admin to view a page. |
| CSRF in the shoutbox | |
| User | stealth- |
| Reward | 15 points |
| Description | stealth- found a CSRF vulnerability in the shoutbox system that allowed him to make posts as other users. |
| Multiple CSRF vulnerabilities in the EM system | |
| User | stealth- |
| Reward | 45 points |
| Description | stealth- found mulitple unchecked inputs in the EM system that allowed him to use CSRF to change exclusive member's settings. |
| Exploited Timed 6 | |
| User | b4ckd0or |
| Reward | 100 points |
| Description | b4ckd0or found a CSRF vulnerability in timed6 that bypassed output filtering, allowing for JavaScript to be injected directly. This combination of CSRF and XSS would have allowed logged-in users to be directed to this page, where their session would be stolen. |
| DoS | |
| User | pimpim |
| Reward | 20 points |
| Description | pimpim was able to make HBH's server DoS itself. He reported this and is therefor rewarded with 20 points. |
| Code Bank Hack | |
| User | clone4 |
| Reward | 100 points |
| Description | clone4 was able to edit or delete code written by any user, but instead of exploiting this in a malicious manor, and reporting it, has been awarded 100 points. |
| UTF-7 XSS On Error Pages | |
| User | SySTeM |
| Reward | 50 points |
| Description | SySTeM found an XSS vulnerability using the UTF-7 charset, http://www.hellboundhackers.org/\\\+ADw-script+AD4-alert(/xss/)+ADw-/script+AD4---//--, which when run with firefox, or internet explorer with character set auto detection turned on, caused an alert to appear. |
| XSS in print.php | |
| User | SySTeM |
| Reward | 30 points |
| Description | SySTeM was able to post an article containing html, and then when a user goes to the print view of the article, the code would run. |
| CSRF Via Variable Injection | |
| User | SySTeM |
| Reward | 35 points |
| Description | SySTeM was able to use a variable injection string (http://www.hellboundhackers.org/?_POST=lol=rofl.png) inside an image tag which would log someone out. |
| XSS | |
| User | Uber0n |
| Reward | 40 points |
| Description | Uber0n found multiple XSS vulnerabilities in the site. |
| Server Security | |
| User | richohealey |
| Reward | 100 points |
| Description | richohealey found and removed several malicious files that were uploaded onto the server and could have been used to cause damage. |
| DNS Injection | |
| User | richohealey |
| Reward | 200 points |
| Description | richohealey found and fixed a DNS exploit on the server which would of enabled him to redirect the website to any location he wanted. |
| Messages XSS | |
| User | Uber0n |
| Reward | 30 points |
| Description | Uber0n found a XSS hole in the messages pages that allowed him to inject code and send it to members. |
| XSS in [mail] tag | |
| User | thk-geo |
| Reward | 15 points |
| Description | thk-geo was able to make an alert box pop up if a user clicked on a link in his sig. |
| XSS | |
| User | spyware |
| Reward | 50 points |
| Description | Spyware was able to inject XSS into the forums, which was executed for people using the following browsers: IE6, Opera, and Netscape, he has been awarded 50 points for this. |
| Blind MySQL Injection | |
| User | SySTeM |
| Reward | 100 points |
| Description | SySTeM found a blind mysql injection vulnerablity in the PM system |
| cURL Script | |
| User | SySTeM |
| Reward | 40 points |
| Description | SySTeM used a cURL script in PHP to view the admin shoutbox entries. |
| XSS in Realistic 8 | |
| User | SySTeM |
| Reward | 30 points |
| Description | SySTeM was able to include html tags in his refer. This refer was then logged in real 8 and anyone attempting the challenge would execute his code. |
| [IMG] Tag XSS vulnerability | |
| User | SySTeM |
| Reward | 75 points |
| Description | SySTeM was able to escape our filters and insert a line segment that would allow him to make an alert box on any page that allowed BB code. |
| XSS | |
| User | SySTeM |
| Reward | 100 points |
| Description | SySTeM was able to inject XSS into a function on the PM system. This could lead to stealing admin cookies. |
| XSS in members.php | |
| User | SySTeM |
| Reward | 50 points |
| Description | SySTeM was able to find xss exploits in the members.php page by using the unfiltered variables. |