120/120 Challenge

@rohk_infosec

120 vulns in 120 days challenge on Synack Red Team

Vuln total will include Accepted, Rejected, Duplicate, Merge, and Out of scope

Start Date: October 18, 2018
End Date: February 15, 2019
Finished Date: February 12, 2019

Categories	# of Vulns
Reflected XSS	5
Persistent XSS	30
Cross-site Request Forgery	25
Improper Input Validation	4
Access/Privacy Control	25
Insecure Direct Object Reference	18
Functionality Abuse with Malicious Impact	4
Sensitive Information Disclosure	3
Client-Side Validation	1
Server-Side Request Forgery	2
Path Traversal	3

Accepted	Duplicates	Rejected	Pending
84	20	16	0

Total Vulnerabilities Submitted: 120

Week 1 (10/18/2017 - 10/24/2018): 10 Vulns Submitted

Oct 18

Accepted - Persistent XSS
Accepted - Access/Privacy Control

Oct 22

Accepted - Improper Input Validation

Oct 23

Accepted - Access/Privacy Control
Duplicate - Reflected XSS
Duplicate - Persistent XSS
Duplicate - CSRF

Oct 24

Accepted - CSRF
Accepted - CSRF
Accepted - Improper Input Validation

Week 2: (10/25/2018 - 10/31/2018): 7 Vulns Submitted

Oct 25

Accepted - Sensitive Information Disclosure

Oct 28

Duplicate - Persistent XSS
Duplicate - Functionality Abuse with Malicious Impact
Duplicate - Functionality Abuse with Malicious Impact

Oct 31

Accepted - Reflected XSS
Merged - CSRF
Accepted - CSRF

Week 3: (11/01/2018 - 11/07/2018): 2 Vulns Submitted

Hacking Break
Nov 1

Accepted - Persistent XSS

Nov 4

Accepted - Persistent XSS

Week 4: (11/08/2018 - 11/14/2018): 9 Vulns Submitted

Nov 8

Accepted - Access/Privacy Control
Accepted - Access/Privacy Control

Nov 9

Accepted - Access/Privacy Control

Nov 10

Rejected - Insecure Direct Object Reference

Nov 12

Accepted - Reflected XSS

Nov 13

Rejected - Access/Privacy Control

Nov 14

Accepted - Persistent XSS
Duplicate - Access/Privacy Control
Duplicate - Persistent XSS

Week 5: (11/15/2018 - 11/21/2018): 7 Vulns Submitted

Nov 16

Accepted - Access/Privacy Control
Rejected - CSRF
Accepted - Insecure Direct Object Reference

Nov 18

Accepted - Sensitive Information Disclosure
Accepted - Access/Privacy Control

Nov 20

Accepted - Access/Privacy Control
Accepted - CSRF

Week 6: (11/22/2018 - 11/28/2018): 4 Vulns Submitted

Hacking Break
Nov 22

Accepted - Persistent XSS
Rejected - Persistent XSS
Accepted - Persistent XSS

Nov 26

Accepted - Persistent XSS

Week 7: (11/29/2018 - 12/05/2018): 10 Vulns Submitted

Nov 29

Accepted - Reflected XSS
Duplicate - Insecure Direct Object Reference
Accepted - CSRF
Accepted - CSRF

Nov 30

Accepted - Client-Side Validation

Dec 1

Duplicate - Access/Privacy Control
Accepted - Persistent XSS

Dec 3

Accepted - Persistent XSS
Accepted - Persistent XSS
Accpeted - Persistent XSS

Week 8: (12/06/2018 - 12/12/2018): 18 Vulns Submitted

Dec 6

Accepted - Persistent XSS
Accepted - CSRF

Dec 7

Accepted - Persistent XSS
Accepted - Insecure Direct Object Reference
Accepted - Insecure Direct Object Reference
Accepted - Persistent XSS

Dec 8

Accepted - Improper Input Validation
Accepted - Access/Privacy Control
Accepted - Persistent XSS
Accepted - Persistent XSS
Accepted - Access/Privacy Control
Accepted - Access/Privacy Control
Accepted - Persistent XSS

Dec 9

Rejected - Access/Privacy Control
Accepted - Insecure Direct Object Reference

Dec 10

Accepted - Insecure Direct Object Reference

Dec 11

Accepted - Persistent XSS

Dec 12

Rejected - Access/Privacy Control

Week 9: (12/13/2018 - 12/19/2018): 3 Vulns Submitted

Hacking Break
Dec 17

Accepted - Insecure Direct Object Reference

Dec 18

Accepted - CSRF
Rejected - Access/Privacy Control

Week 10: (12/20/2018 - 12/26/2018): 11 Vulns Submitted

Dec 19

Accepted - Insecure Direct Object Reference

Dec 20

Accepted - CSRF

Dec 22

Rejected - CSRF
Accepted - Server-Side Request Forgery

Dec 23

Duplicate - CSRF
Accepted - CSRF

Dec 24

Accepted - Functionality Abuse with Malicious Impact
Accepted - CSRF

Dec 26

Rejected - CSRF
Duplicate - CSRF
Accepted - CSRF

Week 11: (12/27/2018 - 01/02/2019): 5 Vulns Submitted

Hacking Break
Dec 30

Rejected - CSRF
Rejected - CSRF

Jan 1

Duplicate - Access/Privacy Control

Jan 2

Accepted - Persistent XSS
Accepted - Persistent XSS

Week 12: (01/03/2019 - 01/09/2019): 5 Vulns Submitted

Jan 3

Rejected - CSRF
Accepted - Path Traversal
Accepted - Path Traversal
Accepted - Path Traversal

Jan 6

Accepted - Access/Privacy Control

Week 13: (01/10/2019 - 01/16/2019): 2 Vulns Submitted

Hacking Break
Jan 15

Duplicate - Insecure Direct Object Reference
Accepted - Persistent XSS

Week 14: (01/17/2019 - 01/23/2019): 5 Vulns Submitted

Hacking Break
Jan 17

Duplicate - Access/Privacy Control

Jan 18

Duplicate - Insecure Direct Object Reference

Jan 21

Accepted - CSRF

Jan 22

Duplicate - Insecure Direct Object Reference

Jan 23

Accepted - Persistent XSS

Week 15: (01/24/2019 - 01/30/2019): 7 Vulns Submitted

Jan 24

Accepted - Improper Input Validation
Accepted - Access/Privacy Control
Duplicate - Access/Privacy Control

Jan 26

Accepted - Insecure Direct Object Reference
Accepted - Access/Privacy Control

Jan 27

Duplicate - Functionality Abuse with Malicious Impact
Accepted - Insecure Direct Object Reference

Week 16: (01/31/2019 - 02/06/2019): 9 Vulns Submitted

Feb 2

Rejected - Sensitive Information Disclosure
Accepted - Persistent XSS
Duplicate - Persistent XSS

Feb 3

Rejected - Persistent XSS
Accepted - Insecure Direct Object Reference
Accepted - Insecure Direct Object Reference

Feb 5

Accepted - CSRF
Accepted - Reflected XSS
Accepted - Access/Privacy Control

Week 17: (02/07/2019 - 02/13/2019): 6 Vulns Submitted

Feb 7

Accepted - Insecure Direct Object Reference
Rejected - CSRF

Feb 11

Rejected - Access/Privacy Control

Feb 12

Accepted - Server-Side Request Forgery
Accepted - Persistent XSS
Accepted - Insecure Direct Object Reference

(FINAL) Week 18: (02/14/2019 - 02/15/2019): 0 Vulns Submitted

CHALLENGE FINISHED FEB 12TH @ 7:49PM PST