For a full list of their clients please visit: https://www.checkbox.com/clients/

1- Directory traversal vulnerability: For example, to download the web.config file we can send a request like the following:

`http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config`

2- Direct Object Reference: attachments to surveys can be accessed directly without login, as in the following:

`https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001`

I created a script that can bruteforce the numbers to find IDs that will download the attachment and you can easily write one on your own ;).

3- Open redirection in the login page, for example:

`https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com`

If you can't see why an open redirection is a problem in a login page, please visit the following page: `https://www.asp.net/mvc/overview/security/preventing-open-redirection-attacks`
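For operators of an affected install, the three request patterns above can be looked for in web server logs. The following detection sketch is an added example, not part of the original advisory; the four-field log layout, the sample lines and the enumeration threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic). Assumed field order:
# c-ip cs-username cs-uri-stem cs-uri-query
SAMPLE_LOG = """\
203.0.113.7 - /Checkbox/Upload.ashx f=..%5C..%5Cweb.config&n=web.config
198.51.100.4 alice /Checkbox/Upload.ashx f=report.pdf&n=report.pdf
203.0.113.9 - /Checkbox/ViewContent.aspx contentId=5001
203.0.113.9 - /Checkbox/ViewContent.aspx contentId=5002
203.0.113.9 - /Checkbox/ViewContent.aspx contentId=5003
198.51.100.4 alice /Checkbox/ViewContent.aspx contentId=5001
192.0.2.15 - /Checkbox/Login.aspx ReturnUrl=http%3A%2F%2Fwww.google.com
192.0.2.16 - /Checkbox/Login.aspx ReturnUrl=%2FCheckbox%2FDefault.aspx
"""

ENUM_THRESHOLD = 3  # assumed: distinct contentIds per anonymous client before alerting

def is_local_url(target):
    """True only for same-site paths such as /Checkbox/Default.aspx."""
    target = target.replace("\\", "/")  # browsers treat '\' like '/'
    parts = urlsplit(target)
    return (target.startswith("/") and not target.startswith("//")
            and not parts.scheme and not parts.netloc)

def scan(log_text):
    alerts, anon_ids = [], defaultdict(set)
    for line in log_text.splitlines():
        ip, user, stem, query = line.split(" ", 3)
        page = stem.lower().rsplit("/", 1)[-1]
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        if page == "upload.ashx":
            # Decode once more to catch double-encoded dot-dot sequences.
            name = unquote(params.get("f", ""))
            if ".." in name.replace("\\", "/").split("/"):
                alerts.append(("traversal", ip))
        elif page == "viewcontent.aspx" and user == "-":
            anon_ids[ip].add(params.get("contentid"))
        elif page == "login.aspx" and "returnurl" in params:
            if not is_local_url(params["returnurl"]):
                alerts.append(("open-redirect", ip))
    for ip, ids in anon_ids.items():
        if len(ids) >= ENUM_THRESHOLD:
            alerts.append(("anonymous-enumeration", ip))
    return alerts
```

The `is_local_url` check is the same rule a fix for item 3 would enforce server-side before redirecting: accept only a path on the same site and fall back to a default page otherwise.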