Chain the vulnerabilities and take your report impact on the moon (CSRF to HTML INJECTION which results OPEN REDIRECT and could steal USER CREDENTIALS)

It was weekend and time for some Research. So i started reading some public disclosures from
after reading some good blogs i have decided to implement them. so i quickly i had selected my target.

So i had noticed that legalrobot (Legal Robot)has a quick response and it is resolving the vulnerabilities quicky. so i have selected Legal Robot as my target and started looking into the assets and its scope.

after understanding the scope i had started looking into the application.and i had noticed that is not sanitizing the spacial characters from some parameters. so i started injecting some html tags and was able to inject html tags.

So yeah i had found HTML injection. BUG #1.

So i started finding xss over there that if i am able to execute xss or not.

so it had injected the payload but i had found that web application is using CSP. and alert was not popping up. :(((((((( sad part. :(

but if you are a hacker then you will never get satisfied until and unless you will exploit it

so i had started digging more and i put my second use case payload. which was

“/><META HTTP-EQUIV=”refresh” CONTENT=”1;url=">

So yes i with the help of this payload whenever the user visits the roadmap page it will automatically get log out from his-her account.

and i had found this tricky. so next i had tried to redirect on my website. and executive malicious script. so i used this payload

“/><META HTTP-EQUIV=”refresh” CONTENT=”1;url=">

and what it was resulting to open redirectBUG #2

and also executing my malicious scripts.

some how i was able to perform malicious tasks.

Quickly i made a PoC of it and reported. and i got quick reply from team, which was this.

though the bug was triaged but the team member has mentioned that attacker has to do a little social engineering. i was like yeah but was not satisfied when i read “SOCIAL ENGINEERING” but the team member had gave me a hint by mentioning “UNKNOWN EXPLOIT”. well i that was enough hint for me.

again i started digging into the application. and while i was digging into the web application had noticed that the web application is using the websockets.

okay now i started checking headers of every pages and i found a Origin header. which was misconfigured. #BUG 3

so i started connecting to third party web sockets to this application and i was able to connect to the application by using the third party web sockets.

it was allows web socket connecting from different Origin & it should not work from different origin.

i think mobile app hasn’t origin. (I am still not sure about this)

so some how i was able to do CSRF attack BUG #4 by using this & i had chained HTML INJECTION WHICH WAS RESULTING TO OPEN REDIRECT to CSRF ATTACK.

again i quickly made a poc of this and reported it.

This was a quick reply & bug has patched in a single day. (SO QUICK)

got a good feedback with a sweet bounty amout.

Thanks HackerOne Legal Robot.

Thanks for reading guys. Comments most welcome. 
have a great day ahead.