devl00p | Security Researcher Profile
Security researcher devl00p has already helped fix 92762 vulnerabilities.
Researcher reputation: 720
Real name: Nicolas Surribas
About me:
I'm a French security researcher.
I'm also the creator of Wapiti, the open-source web vulnerability scanner.
Why I'm scanning the web for vulnerabilities and how I do it:
https://t.co/Q9KMr2Kdla
Contact email: nicolas.surribas 4t gmail d0t com
Experience in Application Security: over 5 years
Award / Bug Bounty I prefer: Donations to help the Wapiti project: Paypal paypal.me/devl00p
Follow me on: Twitter
Ethics and Rules:
Nicolas Surribas is required to abide by the ethics and rules of the Open Bug Bounty project. If you reasonably believe that rules are not respected, please report this to us.
Recommendations and Acknowledgements:
Thanks devl00p for your kind report! We found an XSS bug and were able to solve it thanks to your help. Cheers!
Thanks to your kindness, I was able to fix the XSS vulnerability on our site very quickly. Thank you very much.
Thanks devl00p for reporting XSS vulnerabilities on our customers' websites. Keep up the good work, it helps us a lot!
The team of CERT-rlp would like to thank devl00p for a responsible and coordinated disclosure of XSS vulnerabilities.
Thanks for finding the XSS Bug, which was pretty obscure. I appreciate your responsiveness on the issue :)
Thank you devl00p for finding that XSS vulnerability on my site and making the world better for all of us!
Thanks devl00p for the identification of an XSS bug. We fixed it thanks to you!
Dear devl00p, the SOC of Politecnico di Milano would like to thank you for disclosing to us multiple XSS vulnerabilities on our infrastructure.
Thank you very much for finding the XSS bug. You responded to my contact politely each time, and I thank you. I had a wonderful person find it, but I was lucky.
Quick, informative and friendly response. Thanks!
Many thanks for reporting the bug and providing us with all the information required to patch it.
Thank you for your efforts and for reporting the XSS vulnerability you found on my website.
Thanks to devl00p (Nicolas) for your kind alert notification and identification of the XSS bug! Bug fixed now! Thanks for your help and support!
Quick, friendly and helpful response, thank you very much!
Thank you for the report, we'll get it cleared up ASAP.
Thanks for taking the time to report the weaknesses, and I really appreciate the Wapiti tool that you've developed.
Thanks Nicolas for reporting an XSS on my site to me. Fixed it now!
Thank you for the report and for getting in touch to resolve a vulnerability in one of our sites. Hats off!
Thanks to Nicolas for informing us about a vulnerability on one of our websites and giving us information about reproducibility very fast.
Thank you for informing me about another XSS vulnerability.
Thank you for reporting the XSS vulnerability.
Nicolas made us aware of an XSS vulnerability on our site and let us know about the issue really fast, so we were able to fix it within a short time. Thanks a lot!
Thank you Nicolas for your research and for reporting the XSS vulnerability; we have fixed the issue according to your recommendation/research. Could you please check it once? Thanks.
Special thanks to Nicolas for quickly helping us to patch a vulnerability on our site!
Thank you for informing me about the XSS vulnerability.
Nicolas was quick to let us know what the vulnerabilities were on our site. Thanks again!
Thank you for researching and reporting the XSS vulnerability on my site.
Honor Badges
Number of Secured Websites: 10+ Websites, 50+ Websites, 500+ Websites, WEB SECURITY VETERAN (1000+ Websites)
Advanced Security Research: WAF Bypasser, CSRF Master (30+ Reports), AppSec Logic Master (30+ Reports), Fastest Fix (Fix in 24 hours)
Outstanding Achievements: Secured OBB, OBB Advocate, Improved OBB
Commitment to Remediate and Patch: Patch Master (55% Patched), Patch Guru (65% Patched), Patch Lord (75% Patched)
Recommendations and Recognition: REPUTABLE (10+ Recommends), FAMOUS (25+ Recommends), GLOBALLY TRUSTED (50+ Recommends)
Distinguished Blog Author: 1 Post, 3 Posts, 5+ Posts
Research Statistics
Total reports: 186366
Total reports on VIP sites: 10863
Total patched vulnerabilities: 92762
Recommendations received: 37
Active since: 09.09.2019
Top Security Researcher Awards: The Top Security Researcher; Top Security Researcher of the Month (awarded multiple times)
Top VIP Security Researcher Awards: The VIP Top Security Researcher; Top VIP Security Researcher of the Month (awarded multiple times); Top VIP Security Researcher of the Week (awarded multiple times)
08.01.2020 Top 100 Open Redirect dorks
Just like the previous list of XSS dorks, but this time for Open Redirect vulnerabilities. First the most common parameters, then the parameters along with their path.
Dork | Frequency |
---|---|
page | 19.3% |
url | 13.1% |
ret | 10.0% |
r2 | 9.8% |
img | 7.0% |
u | 4.4% |
return | 2.6% |
r | 2.6% |
URL | 2.4% |
next | 2.0% |
redirect | 2.0% |
redirectBack | 1.6% |
AuthState | 1.2% |
referer | 0.8% |
redir | 0.8% |
l | 0.8% |
aspxerrorpath | 0.6% |
image_path | 0.6% |
ActionCodeURL | 0.6% |
return_url | 0.6% |
link | 0.6% |
q | 0.6% |
location | 0.6% |
ReturnUrl | 0.6% |
uri | 0.4% |
referrer | 0.4% |
returnUrl | 0.4% |
forward | 0.4% |
file | 0.4% |
rb | 0.4% |
end_display | 0.4% |
urlact | 0.4% |
from | 0.4% |
goto | 0.4% |
path | 0.4% |
redirect_url | 0.4% |
old | 0.4% |
pathlocation | 0.2% |
successTarget | 0.2% |
returnURL | 0.2% |
urlsito | 0.2% |
newurl | 0.2% |
Url | 0.2% |
back | 0.2% |
retour | 0.2% |
odkazujuca_linka | 0.2% |
r_link | 0.2% |
cur_url | 0.2% |
H_name | 0.2% |
ref | 0.2% |
topic | 0.2% |
resource | 0.2% |
returnTo | 0.2% |
home | 0.2% |
node | 0.2% |
sUrl | 0.2% |
href | 0.2% |
linkurl | 0.2% |
returnto | 0.2% |
redirecturl | 0.2% |
SL | 0.2% |
st | 0.2% |
errorUrl | 0.2% |
media | 0.2% |
destination | 0.2% |
targeturl | 0.2% |
return_to | 0.2% |
cancel_url | 0.2% |
doc | 0.2% |
GO | 0.2% |
ReturnTo | 0.2% |
anything | 0.2% |
FileName | 0.2% |
logoutRedirectURL | 0.2% |
list | 0.2% |
startUrl | 0.2% |
service | 0.2% |
redirect_to | 0.2% |
end_url | 0.2% |
_next | 0.2% |
noSuchEntryRedirect | 0.2% |
context | 0.2% |
returnurl | 0.2% |
ref_url | 0.2% |
Dork | Frequency (%) |
---|---|
/?page= | 18.5 |
/index.php?ret= | 10.0 |
/analytics/hit.php?r2= | 9.8 |
/api/thumbnail?img= | 7.0 |
/e.html?u= | 3.2 |
/actions/act_continueapplication.cfm?r= | 2.4 |
/redirect2/?url= | 2.0 |
/Shibboleth.sso/Logout?return= | 1.2 |
/ui/clear-selected/?next= | 1.2 |
/Home/Redirect?url= | 1.2 |
/jobs/?l= | 0.8 |
/Error.aspx?aspxerrorpath= | 0.6 |
/r.php?u= | 0.6 |
/services/logo_handler.ashx?image_path= | 0.6 |
/AddProduct.aspx?ActionCodeURL= | 0.6 |
/tools/login/default.asp?page= | 0.6 |
/spip.php?url= | 0.6 |
/usermanagement/mailGeneratedPassword?referer= | 0.6 |
/?return= | 0.6 |
/?redir= | 0.6 |
/simplesaml/module.php/core/loginuserpass.php?AuthState= | 0.6 |
/out.php?url= | 0.6 |
/affiche.php?uri= | 0.4 |
/redirector.php?url= | 0.4 |
/cgi/set_lang?referrer= | 0.4 |
/blog/click?url= | 0.4 |
/site.php?url= | 0.4 |
/download2.php?file= | 0.4 |
/jump.php?url= | 0.4 |
/redirect/?redirect= | 0.4 |
/admin/track/track?redirect= | 0.4 |
/switch.php?rb= | 0.4 |
/php-scripts/form-handler.php?end_display= | 0.4 |
/cg/rk/?url= | 0.4 |
/tosite.php?url= | 0.4 |
/cambioidioma.php?urlact= | 0.4 |
/accueil/spip.php?url= | 0.4 |
/IRB/sd/Rooms/RoomComponents/LoginView/GetSessionAndBack?redirectBack= | 0.4 |
/search?q= | 0.4 |
/default.aspx?URL= | 0.4 |
/initiate-sso-login/?redirect_url= | 0.4 |
/module.php/core/loginuserpass.php?AuthState= | 0.4 |
/authentication/check_login?old= | 0.4 |
/RedirectToDoc.aspx?URL= | 0.4 |
/shop/bannerhit.php?url= | 0.4 |
/acceptcookies/?ReturnUrl= | 0.4 |
/index.php?url= | 0.4 |
/publang?url= | 0.2 |
/home/helperpage?url= | 0.2 |
/widgets.aspx?url= | 0.2 |
/_lang/en?next= | 0.2 |
/application/en?url= | 0.2 |
/common/topcorm.do?pathlocation= | 0.2 |
/main/action?successTarget= | 0.2 |
/Videos/SetCulture?returnURL= | 0.2 |
/Localize/ChangeLang?returnUrl= | 0.2 |
/_goToSite.asp?urlsito= | 0.2 |
/redir?url= | 0.2 |
/admin/auth/logined?redirect= | 0.2 |
/linkforward?forward= | 0.2 |
/modules/babel/redirect.php?newurl= | 0.2 |
/umbraco/Surface/LanguageSurface/ChangeLanguage?Url= | 0.2 |
/langswitcher.php?url= | 0.2 |
/redirect/?url= | 0.2 |
/i18n/i18n_user_currencies/change_currency?back= | 0.2 |
/accessibilite/textBackUp/?retour= | 0.2 |
/fncBox.php?url= | 0.2 |
/all4shop-akcie.php?odkazujuca_linka= | 0.2 |
/openurl.php?url= | 0.2 |
/te3/out.php?u= | 0.2 |
/utils/set_language.html?return_url= | 0.2 |
/trigger.php?r_link= | 0.2 |
/home/lng?cur_url= | 0.2 |
/goto?url= | 0.2 |
/o.php?url= | 0.2 |
/link-master/19/follow?link= | 0.2 |
/hack.php?H_name= | 0.2 |
/bmad/namhoc.php?return= | 0.2 |
/maven/stats.asp?ref= | 0.2 |
/Main/WebHome?topic= | 0.2 |
/bin/fusion/imsLogin?resource= | 0.2 |
/languechange.aspx?url= | 0.2 |
/bloques/bannerclick.php?url= | 0.2 |
/changesiteversion-full?referer= | 0.2 |
/out.php?link= | 0.2 |
/bgpage?r= | 0.2 |
/signout?returnTo= | 0.2 |
/switch_lang.php?return_url= | 0.2 |
/nousername.php?redir= | 0.2 |
/i/logout?return= | 0.2 |
/util_goto_detail_home.cfm?home= | 0.2 |
/misc/oldmenu.html?from= | 0.2 |
/click.php?url= | 0.2 |
/bitrix/rdc/?goto= | 0.2 |
/?node= | 0.2 |
/setLanguage.php?return= | 0.2 |
/redirect/ad?url= | 0.2 |
/redirect.php?sUrl= | 0.2 |
/redirect?url= | 0.2 |
/url?url= | 0.2 |
28.12.2019 Top 100 XSS dorks
It's the end of the year and a good time to share things with people. After scanning more than a million websites looking for XSS and Open Redirect vulnerabilities, I took the time to compile statistics on the most vulnerable parameters.
It can be used as a powerful dork list, so let's update your scanners and get bounties!
First, here is the list of the most vulnerable parameters along with their frequency.
Dork | Frequency |
---|---|
q | 5.5% |
s | 4.5% |
search | 1.9% |
id | 1.7% |
lang | 1.4% |
keyword | 1.2% |
query | 1.1% |
page | 1.0% |
keywords | 0.8% |
year | 0.8% |
view | 0.8% |
 | 0.8% |
type | 0.7% |
name | 0.7% |
p | 0.7% |
month | 0.6% |
immagine | 0.6% |
list_type | 0.5% |
url | 0.5% |
terms | 0.5% |
categoryid | 0.5% |
key | 0.5% |
l | 0.5% |
begindate | 0.4% |
enddate | 0.4% |
categoryid2 | 0.4% |
t | 0.4% |
cat | 0.4% |
category | 0.4% |
action | 0.4% |
bukva | 0.4% |
redirect_uri | 0.4% |
firstname | 0.4% |
c | 0.4% |
lastname | 0.3% |
uid | 0.3% |
startTime | 0.3% |
eventSearch | 0.3% |
categoryids2 | 0.3% |
categoryids | 0.3% |
sort | 0.3% |
positiontitle | 0.3% |
groupid | 0.3% |
m | 0.3% |
message | 0.3% |
tag | 0.3% |
pn | 0.3% |
title | 0.3% |
orgId | 0.3% |
text | 0.3% |
handler | 0.2% |
myord | 0.2% |
myshownums | 0.2% |
id_site | 0.2% |
city | 0.2% |
search_query | 0.2% |
msg | 0.2% |
sortby | 0.2% |
produkti_po_cena | 0.2% |
produkti_po_ime | 0.2% |
mode | 0.2% |
CODE | 0.2% |
location | 0.2% |
v | 0.2% |
order | 0.2% |
n | 0.2% |
term | 0.2% |
start | 0.2% |
k | 0.2% |
redirect | 0.2% |
ref | 0.2% |
file | 0.2% |
mebel_id | 0.2% |
country | 0.2% |
from | 0.1% |
r | 0.1% |
f | 0.1% |
field%5B%5D | 0.1% |
searchScope | 0.1% |
state | 0.1% |
phone | 0.1% |
Itemid | 0.1% |
lng | 0.1% |
place | 0.1% |
bedrooms | 0.1% |
expand | 0.1% |
e | 0.1% |
price | 0.1% |
d | 0.1% |
path | 0.1% |
address | 0.1% |
day | 0.1% |
display | 0.1% |
a | 0.1% |
error | 0.1% |
form | 0.1% |
language | 0.1% |
mls | 0.1% |
kw | 0.1% |
u | 0.1% |
This second list is almost the same, but with the corresponding path:
Dork | Frequency (%) |
---|---|
/?s= | 3.6 |
/search?q= | 2.5 |
/index.php?lang= | 0.6 |
/pplay/info_prenotazioni.asp?immagine= | 0.6 |
/shared/lgflsearch.php?terms= | 0.5 |
/index.php?page= | 0.4 |
/search?query= | 0.4 |
/en/Telefon-Cam?search= | 0.4 |
/index.php?bukva= | 0.4 |
/pro/events_print_setup.cfm?list_type= | 0.3 |
/pro/events_print_setup.cfm?categoryid= | 0.3 |
/pro/events_print_setup.cfm?categoryid2= | 0.3 |
/?eventSearch= | 0.3 |
/?startTime= | 0.3 |
/pro/events_ical.cfm?categoryids= | 0.3 |
/pro/events_ical.cfm?categoryids2= | 0.3 |
/pro/events_print_setup.cfm?month= | 0.3 |
/pro/events_print_setup.cfm?year= | 0.3 |
/pro/events_print_setup.cfm?begindate= | 0.3 |
/pro/events_print_setup.cfm?enddate= | 0.3 |
/search?keyword= | 0.3 |
/?q= | 0.3 |
/search/?q= | 0.3 |
/index.php?pn= | 0.3 |
/?lang= | 0.3 |
/property/search?uid= | 0.3 |
/index.php?id= | 0.3 |
/search?orgId= | 0.3 |
/products?handler= | 0.2 |
/pro/events_print_setup.cfm?view= | 0.2 |
/pro/events_print_setup.cfm?keywords= | 0.2 |
/?p= | 0.2 |
/search.php?q= | 0.2 |
/?search= | 0.2 |
/pro/minicalendar_detail.cfm?list_type= | 0.2 |
/index.php?produkti_po_cena= | 0.2 |
/index.php?produkti_po_ime= | 0.2 |
/servlet/com.jsbsoft.jtf.core.SG?CODE= | 0.2 |
/login?redirect_uri= | 0.2 |
/connexion?redirect_uri= | 0.2 |
/index.php?action= | 0.2 |
/plugins/actu/listing_actus-front.php?id_site= | 0.2 |
/index.php?mebel_id= | 0.2 |
/search/?search= | 0.2 |
/news/class/index.php?myshownums= | 0.2 |
/news/class/index.php?myord= | 0.2 |
/search.html?searchScope= | 0.1 |
/search?field%5B%5D= | 0.1 |
/videos?tag= | 0.1 |
/videos?place= | 0.1 |
/videos?search= | 0.1 |
/?email= | 0.1 |
/?cat= | 0.1 |
/content.php?expand= | 0.1 |
/?page= | 0.1 |
/search/?s= | 0.1 |
/?keywords= | 0.1 |
/search/?keyword= | 0.1 |
/apps/email/index.jsp?n= | 0.1 |
/?name= | 0.1 |
/?sort= | 0.1 |
/search?search= | 0.1 |
/pro/minicalendar_print_setup.cfm?begindate= | 0.1 |
/pro/minicalendar_print_setup.cfm?enddate= | 0.1 |
/pro/minicalendar_print_setup.cfm?keywords= | 0.1 |
/search-results?q= | 0.1 |
/?listingtypeid= | 0.1 |
/search?s= | 0.1 |
/pro/minicalendar_print_setup.cfm?categoryid2= | 0.1 |
/?bathrooms= | 0.1 |
/?listingagent= | 0.1 |
/?featuredsearchseourl= | 0.1 |
/?squarefeet= | 0.1 |
/?siteid= | 0.1 |
/?bedrooms= | 0.1 |
/?featuredsearch= | 0.1 |
/?price= | 0.1 |
/?maxbuilt= | 0.1 |
/?lsid= | 0.1 |
/?listingtypes= | 0.1 |
/?garages= | 0.1 |
/?maxprice= | 0.1 |
/?minprice= | 0.1 |
/?keywordsany= | 0.1 |
/?yearbuilt= | 0.1 |
/?minbuilt= | 0.1 |
/?subdivision= | 0.1 |
/?lotsizeval= | 0.1 |
/?listingstatusid= | 0.1 |
/?mls= | 0.1 |
/firms/?text= | 0.1 |
/servlet/com.jsbsoft.jtf.core.SG?OBJET= | 0.1 |
/plan_du_site.php?lang= | 0.1 |
/index.php?Itemid= | 0.1 |
/?view= | 0.1 |
/?t= | 0.1 |
/?selat= | 0.1 |
/?selong= | 0.1 |
/?nwlat= | 0.1 |
/?geo= | 0.1 |
I hope you enjoy this :)
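The two lists above are just as useful on the defending side: the parameter names are a ready-made watchlist for log review. The following script is an added example written for this page, not code from devl00p, Wapiti or Open Bug Bounty. It takes a subset of the Open Redirect and XSS parameter names from the tables, walks access-log lines in Common Log Format, and raises an alert when a redirect-style parameter carries a URL pointing off-site (including the protocol-relative `//host` and backslash `/\host` forms browsers accept) or when a search/id-style parameter carries HTML metacharacters. The hostnames in `TRUSTED_HOSTS`, the log format and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Watchlists built from the two dork lists on this page (a subset of each; extend as needed).
# Parameters most often found vulnerable to Open Redirect:
REDIRECT_PARAMS = {
    "page", "url", "ret", "r2", "u", "return", "r", "next", "redirect", "redirectBack",
    "ReturnUrl", "returnUrl", "return_url", "goto", "redirect_url", "returnTo",
    "redirect_to", "logoutRedirectURL", "destination", "back",
}
# Parameters most often found vulnerable to XSS:
XSS_PARAMS = {
    "q", "s", "search", "id", "lang", "keyword", "query", "page", "keywords", "name",
    "msg", "message", "error", "text", "title", "term", "search_query",
}

# Assumption: the site's own hostnames, the only legitimate redirect targets.
TRUSTED_HOSTS = {"www.example.org"}

# Common Log Format prefix (Apache/nginx); only the request target is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Markup that has no business in a search/id/lang style parameter value.
HTML_META = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def is_external_url(value: str) -> bool:
    """True when a redirect-parameter value would leave TRUSTED_HOSTS.

    Handles absolute URLs, protocol-relative //host, backslash variants such as
    /\\host (browsers treat the backslash as a slash) and non-http schemes
    (javascript:, data:), which have no host and are therefore never trusted.
    """
    v = unquote(value).strip().replace("\\", "/")  # second decode catches double-encoding
    if v.startswith("//"):
        v = "http:" + v
    elif not re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*:", v):
        return False  # relative path: stays on this site
    host = (urlsplit(v).hostname or "").lower()
    return host not in TRUSTED_HOSTS


def analyse_request(target: str) -> list:
    """Return (finding, parameter, value) triples for one request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in REDIRECT_PARAMS and is_external_url(value):
            findings.append(("external-redirect", name, value))
        if name in XSS_PARAMS and HTML_META.search(unquote(value)):
            findings.append(("html-metachar", name, value))
    return findings


def scan_log(lines) -> list:
    """Run analyse_request over access-log lines; returns (ip, finding, param, value)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        for finding, name, value in analyse_request(m["target"]):
            alerts.append((m["ip"], finding, name, value))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2020:10:00:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 8100
198.51.100.7 - - [10/Jan/2020:10:00:03 +0000] "GET /signout?returnTo=https%3A%2F%2Fwww.example.org%2F HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2020:10:00:04 +0000] "GET /signout?returnTo=%2F%2Fattacker.example%2F HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2020:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 8100
198.51.100.7 - - [10/Jan/2020:10:00:06 +0000] "GET /Home/Redirect?url=%2F%5Cattacker.example HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

Run as-is it reports three of the six constructed lines: the two `returnTo`/`url` values that resolve off-site and the `q` value carrying a script tag; the redirect back to `www.example.org` and the plain `page=2` and `q=laptop` requests stay quiet. A value is only inspected when its parameter name is on one of the watchlists, which keeps the rule cheap enough to run over a full day of logs, and the same watchlist is the natural starting point for deciding which of your own endpoints deserve a redirect allow-list or output-encoding review first.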