Chain the vulnerabilities and take your report impact on the moon csrf to html injection
Armaan Pathan
~4 min read
August 12, 2017 (Updated: April 8, 2022)
It was the weekend and time for some research, so I started reading some public disclosures from https://hackerone.com/hacktivity.
After reading some good blogs I decided to put them into practice, so I quickly selected my target.
I had noticed that legalrobot (Legal Robot) responds quickly and resolves vulnerabilities quickly, so I selected Legal Robot as my target and started looking into its assets and scope.
After understanding the scope I started looking into the application, and I noticed that it was not sanitizing special characters in some parameters. So I started injecting some HTML tags and was able to inject them.
So yeah, I had found HTML injection. BUG #1.
Then I started checking whether I could turn it into XSS or not.
The payload was injected, but I found that the web application was using CSP, and the alert was not popping up. :(((((((( Sad part. :(
But if you are a hacker, you will never be satisfied until you exploit it.
So I started digging more and put in my second use-case payload, which was
"/>
So yes, with the help of this payload, whenever a user visited the roadmap page they would automatically get logged out of their account.
I found this tricky. So next I tried to redirect to my website and execute a malicious script. I used this payload
"/>
and it resulted in an open redirect. BUG #2
It also executed my malicious scripts.
Somehow I was able to perform malicious tasks.
I quickly made a PoC of it and reported it, and I got a quick reply from the team, which was this.
Though the bug was triaged, the team member mentioned that the attacker has to do a little social engineering. I was like, yeah, but I was not satisfied when I read "SOCIAL ENGINEERING". The team member had, however, given me a hint by mentioning "UNKNOWN EXPLOIT". Well, that was enough of a hint for me.
Again I started digging into the application, and while I was digging I noticed that the web application was using WebSockets.
Now I started checking the headers of every page, and I found an Origin header which was misconfigured. BUG #3
So I started connecting third-party WebSocket clients to this application, and I was able to connect to the application from a third-party WebSocket.
It was allowing WebSocket connections from a different origin, and it should not work from a different origin.
I think the mobile app doesn't send an Origin. (I am still not sure about this.)
So somehow I was able to do a CSRF attack (BUG #4) by using this, and I chained the HTML INJECTION WHICH WAS RESULTING IN OPEN REDIRECT with the CSRF ATTACK.
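Added example, not from the original post and not Legal Robot's code: a server-side Origin check for the WebSocket handshake, showing the loose kind of check that lets a third-party page connect beside a strict allowlist match. The allowlist, the header dictionary and the policy for a missing Origin (which the author suspects the mobile app does not send) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: exact scheme://host[:port] of the pages that
# are permitted to open a WebSocket to the application.
ALLOWED_ORIGINS = {"https://app.example.com", "https://www.example.com"}


def origin_allowed_weak(origin):
    """The loose kind of check that leaves the socket open to other sites:
    a missing header is waved through, and the allowed host only has to
    appear somewhere in the Origin string."""
    if origin is None:
        return True
    return any(urlsplit(a).hostname in origin for a in ALLOWED_ORIGINS)


def origin_allowed(origin, allow_missing_origin=False):
    """Strict check: the Origin must be exactly scheme://host[:port] of an
    allowlisted page. 'null' (sandboxed frames, some redirects) is rejected.
    Browsers always send Origin on a WebSocket handshake, so a missing header
    means a non-browser client; accept it only if the deployment opts in."""
    if origin is None:
        return allow_missing_origin
    origin = origin.strip()
    if origin.lower() == "null":
        return False
    parts = urlsplit(origin)
    # Only an https page may connect, and an Origin never carries a path,
    # query or fragment; anything else is malformed or crafted.
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return f"https://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def handshake_decision(headers):
    """Gate a WebSocket upgrade on the request headers (header names are
    compared case-insensitively, as HTTP requires)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("upgrade", "").lower() != "websocket":
        return False
    return origin_allowed(lowered.get("origin"))
```

Note that the weak check accepts `https://app.example.com.evil.test` and `https://app.example.com@evil.test` because the allowed host name is a substring of both; the strict check rejects them.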
Again I quickly made a PoC of this and reported it.
This got a quick reply, and the bug was patched in a single day. (SO QUICK)
I got good feedback with a sweet bounty amount.
Thanks HackerOne and Legal Robot.
Thanks for reading, guys. Comments most welcome.
Have a great day ahead.
#security #hackerone