About Myself

My name is Abdulrahman Al-Qabandi. I am a security researcher, browser security enthusiast and full stack developer working on web application and network security, and I am passionate about pretty much anything to do with computers and infosec. Below is a list of worthy bugs I've found and other achievements.

Mozilla

  1. Firefox Blank addressbar spoof - 1/22/2019 - (Reference)
  2. Firefox RCE using WebExtensions 2 - 11/6/2018 - (Reference) | (Writeup) | (CVE-2018-12368)
  3. Firefox WebExtension RCE 3 - 9/5/2018 - (Reference) (Not Fixed)
  4. Firefox WebExtension RCE 4 - 9/3/2018 - (Reference) (Not Fixed)
  5. Firefox SSL lock and/or URL spoof - 8/15/2018 - (Reference) (Not Fixed)
  6. Firefox URL spoof - 8/2/2018 - (Reference)
  7. Firefox Universal XSS - 5/29/2018 - (Reference) | (Writeup)
  8. Firefox Persistent DoS - 5/9/2018 - (Reference) (Not Fixed)
  9. Firefox Stealing history data using DnD - 4/9/2018 - (Reference) | (CVE-2019-11698) | (Writeup)
  10. Firefox Tricking user to accepting popup prompt - 2/21/2018 - (Reference) | (CVE-2019-11697) | (Writeup)
  11. Firefox downloaded file extension spoofing - 2/13/2018 - (Reference) | (CVE-2018-5173)
  12. Firefox WebExtension security restriction bypass - 2/7/2018 - (Reference) | (Writeup) | (CVE-2018-5172)
  13. Firefox WebExtension EoP - 1/18/2018 - (Reference) | (CVE-2018-5135) | (Writeup)
  14. Firefox WebExtension EoP - 1/11/2018 - (Reference)
  15. Firefox elevation of privilege using view-source: - 1/10/2018 - (Reference) | (Writeup) | (CVE-2018-5134)
  16. Firefox WebExtension EoP - 12/30/2017 - (Reference) (Not Fixed)
  17. Firefox elevation of privilege using webRequestBlocking - 12/28/2017 - (Reference) | (Writeup) | (CVE-2018-5171)
  18. Firefox elevation of privilege using inspectedWindow - 12/14/2017 - (Reference) | (Writeup)
  19. Firefox elevation of privilege using WebExtension - 12/14/2017 - (Reference) | (Writeup) | (CVE-2018-5113)
  20. Firefox elevation of privilege using panels.create - 12/14/2017 - (Reference) | (Writeup) | (CVE-2018-5112)
  21. Firefox Cross origin info disclosure - 12/12/2017 - (Reference)
  22. Firefox Info disclosure - 12/8/2017 - (Reference) | (CVE-2018-5140)
  23. Firefox Crash DoS - 12/1/2017 - (Reference) | (CVE-2018-12401)
  24. Firefox XSS in about:cache internal page - 12/1/2017 - (Reference) | (Writeup)
  25. Firefox RCE by clickjacking feed preview - 11/30/2017 - (Reference) | (CVE-2018-18496) | (Writeup)
  26. Firefox Executable blacklist bypass - 8/23/2017 - (Reference) | (CVE-2019-11696)
  27. Firefox Executable handling bypass - 4/25/2017 - (Reference)
  28. Firefox SOP bypass - 4/2/2017 - (Reference) (Not Fixed)
  29. Firefox RCE using WebExtensions - 3/11/2017 - (Reference) | (Writeup) | (CVE-2017-7821)
  30. Firefox Open local files - 2/12/2017 - (Reference) | (CVE-2018-5181) | (Writeup)
  31. Firefox Local files disclosure - 2/10/2017 - (Reference) | (Writeup) (Not Fixed)
  32. Firefox addressbar spoof - 12/1/2016 - (Reference) | (CVE-2017-5415)
  33. Firefox Blank addressbar spoof - 11/28/2016 - (Reference) | (CVE-2016-1958)
  34. Firefox OS username disclosure - 11/22/2016 - (Reference) | (CVE-2017-5414)
  35. Firefox chrome code execution - 11/19/2016 - (Reference) | (Writeup)
  36. Firefox Dropping executables using image copy pasting - 11/18/2016 - (Reference)
  37. Firefox Creating executable - 11/15/2016 - (Reference) (Not Fixed)
  38. Firefox addressbar spoof using drag n drop - 11/11/2016 - (Reference)
  39. Firefox SOP bypass - 10/12/2016 - (Reference) (Not Fixed)
  40. Firefox Print preview hijacking - 9/10/2016 - (Reference) | (CVE-2017-5421) | (Writeup)
  41. Firefox local files disclosure - 8/17/2016 - (Reference) | (Writeup)
  42. Firefox UI spoof - 8/11/2016 - (Reference)
  43. Firefox Blank addressbar spoof - 7/4/2016 - (Reference) (Not Fixed)
  44. Firefox defence in depth bug - 6/20/2016 - (Reference) | (CVE-2016-9070)
  45. Firefox SOP bypass and uXSS - 6/3/2016 - (Reference) | (Writeup) | (CVE-2016-5265)
  46. Firefox URL spoof - 2/12/2016 - (Reference) (Not Fixed)
  47. Firefox addressbar spoof using javascript: - 2/12/2016 - (Reference) (Not Fixed)
  48. Firefox ContentType obfuscation - 1/28/2016 - (Reference) (Not Fixed)
  49. Firefox Partial spoof using DATA: URI - 11/3/2015 - (Reference) | (CVE-2015-7211) | (Writeup)
  50. Firefox SOP bypass using Fetch - 9/24/2015 - (Reference) | (Writeup) | (CVE-2015-7184)

Microsoft

  1. Edge (Chromium) Elevation of Privilege 2 - 9/30/2019 - (Not Fixed)
  2. Edge (Chromium) Potential RCE - 9/10/2019 - (Not Fixed)
  3. Edge (Chromium) Elevation of Privilege - 9/10/2019 - (Not Fixed)
  4. Edge Local file disclosure + EoP - 8/10/2019 - (Reference) | (CVE-2019-1356) | (Writeup)
  5. Edge Universal XSS - 5/2/2019 - (Reference) | (CVE-2019-1030) | (Writeup)
  6. Office 365 Outlook XSS using meetings - 3/9/2019 - (Reference) | (CVE-2019-1266) | (Writeup)
  7. Office 365 Outlook XSS using SVG #2 - 3/7/2019 - (Reference) | (Writeup)
  8. Edge Elevation of privilege using PDF attachments - 11/4/2018 - (Reference) | (CVE-2018-0998)
  9. Edge Elevation of privilege using WebNotes - 11/4/2018 - (Reference) | (CVE-2018-0879)
  10. Remote Assist XXE - 11/4/2018 - (Reference) | (CVE-2018-0878)
  11. Edge Read Access Violation on Block Data Move - 11/30/2017 - (Reference) | (CVE-2017-8726)
  12. Edge Read Local Files via WebKitDirectory - 10/14/2016 - (Reference) | (Writeup) | (CVE-2016-7239)
  13. Office 365 Outlook base tag injection - 1/27/2016 - (Reference) | (Writeup)
  14. Office 365 Outlook XSS using copy paste - 11/22/2015 - (Writeup)
  15. Office 365 Outlook Reflected XSS - 8/18/2015 - (Writeup)
  16. Office 365 Outlook XSS using SVG - 6/5/2015 - (Reference) | (Writeup)
  17. Office 365 Calendar XSS - 4/10/2015 - (Reference) | (Writeup)

Google

  1. Chrome WebExtension RCE 2 - 9/5/2018 - (Reference)
  2. Chrome WebExtension RCE - 6/11/2018 - (Reference)
  3. Chrome Windows MoTW bypass - 2/7/2018 - (Reference)
  4. Chrome WebExtension potential RCE 2 - 2/4/2018 - (Reference)
  5. Chrome Address Bar Spoof - 1/24/2018 - (Reference) | (Writeup) | (CVE-2016-5218)
  6. Chrome WebExtension potential RCE - 12/7/2017 - (Reference) | (Writeup) (Not Fixed)
  7. Chrome read access violation - 9/8/2016 - (Reference) | (CVE-2016-5186)
  8. Chrome Open malicious upload prompt in any website - 8/15/2016 - (Reference)
  9. Chrome Tricking user to execute code - 8/11/2016 - (Reference)
  10. Chrome Read all local files - 8/11/2016 - (Reference) | (Writeup) | (CVE-2018-6095)
  11. Chrome Crash DoS - 2/8/2016 - (Reference)

Achievements

  1. Microsoft Top 75 Security Researcher 2019 (#64) - 8/7/2019 - (Picture) | (Reference)
  2. Microsoft Top 100 Security Researcher 2018 (#90) - 8/8/2018 - (Picture) | (Reference)