TOPLEGALROBOT.md

Top reports from Legal Robot program at HackerOne:

  1. Remote Code Execution (upload) to Legal Robot - 59 upvotes, $120
  2. Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io. to Legal Robot - 32 upvotes, $100
  3. Privilege Escalation to Admin-level Account to Legal Robot - 23 upvotes, $400
  4. Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality to Legal Robot - 19 upvotes, $40
  5. Homograph IDNs displayed in Description to Legal Robot - 15 upvotes, $40
  6. Password complexity requirements not enforced to Legal Robot - 15 upvotes, $20
  7. Intercom chat session information persists after logout to Legal Robot - 15 upvotes, $20
  8. Legal Robot AWS S3 Bucket Directory Listing to Legal Robot - 14 upvotes, $0
  9. Code injection to Legal Robot - 13 upvotes, $40
  10. TabNabbing issue (due to target=_blank) to Legal Robot - 13 upvotes, $20
  11. 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $60
  12. Password complexity not evenly enforced to Legal Robot - 12 upvotes, $40
  13. 2FA manual entry uses wrong encoding to Legal Robot - 12 upvotes, $30
  14. Information Disclosure on rate limit defense mechanism to Legal Robot - 12 upvotes, $20
  15. AWS S3 website can't serve security headers, may allow clickjacking to Legal Robot - 11 upvotes, $40
  16. Near-duplicate accounts allowed with ignored email mutations to Legal Robot - 11 upvotes, $20
  17. Big XSS vulnerability! to Legal Robot - 11 upvotes, $0
  18. AWS hosting bucket for Legal Robots set as public browse and list contents: s3://legalrobot to Legal Robot - 11 upvotes, $0
  19. Update any profile to Legal Robot - 10 upvotes, $100
  20. Logic issue in email change process to Legal Robot - 10 upvotes, $70
  21. Password reset access control to Legal Robot - 10 upvotes, $40
  22. I cant login to my account to Legal Robot - 10 upvotes, $0
  23. Failed OutLink on Terms of Service to Legal Robot - 10 upvotes, $0
  24. Venturebeat.com URL should be HTTPS to Legal Robot - 10 upvotes, $0
  25. Exposes a series of other private credentials to Legal Robot - 10 upvotes, $0
  26. Missing restriction on string size in profile fields to Legal Robot - 9 upvotes, $40
  27. Pages don't render in old browsers like IE11 to Legal Robot - 9 upvotes, $20
  28. Meta characters are not filtered into full name on profile page to Legal Robot - 9 upvotes, $20
  29. User Information leak allows user to bypass email verification. to Legal Robot - 8 upvotes, $120
  30. User Information sent to client through websockets to Legal Robot - 8 upvotes, $120
  31. Missing link to TOTP manual enroll option to Legal Robot - 8 upvotes, $90
  32. Logic issue in email change process to Legal Robot - 8 upvotes, $60
  33. Information Disclosure in AWS S3 Bucket to Legal Robot - 8 upvotes, $20
  34. User enumeration to Legal Robot - 8 upvotes, $20
  35. [New Feature] Password history check to Legal Robot - 8 upvotes, $20
  36. [Cross-domain Referer leakage] Password reset token leakage via referer to Legal Robot - 8 upvotes, $20
  37. Improper validation of parameters while creating issues to Legal Robot - 8 upvotes, $20
  38. Change password logic inversion to Legal Robot - 8 upvotes, $20
  39. first name and last name restrictions bypass to Legal Robot - 8 upvotes, $20
  40. External links to be in HTTP to Legal Robot - 8 upvotes, $0
  41. Clickjacking in Legalrobot app to Legal Robot - 8 upvotes, $0
  42. Missing link to 2FA recovery code to Legal Robot - 7 upvotes, $90
  43. Validation bypass on user profile to Legal Robot - 7 upvotes, $60
  44. Token leakage by referrer to Legal Robot - 7 upvotes, $60
  45. No notification on change password feature to Legal Robot - 7 upvotes, $20
  46. Profile shows incorrect account creation date to Legal Robot - 7 upvotes, $20
  47. Password reset token issue to Legal Robot - 7 upvotes, $20
  48. User enumeration from failed login error message to Legal Robot - 7 upvotes, $20
  49. UI Redressing ( ClickJacking ) Issue on Information submit form to Legal Robot - 7 upvotes, $0
  50. content spoofing to Legal Robot - 7 upvotes, $0
  51. News Feed Detected to Legal Robot - 7 upvotes, $0
  52. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $60
  53. Enhancement: email confirmation for 2FA recovery to Legal Robot - 6 upvotes, $60
  54. Missing Issuer parameter on TOTP 2FA to Legal Robot - 6 upvotes, $60
  55. Missing access control at password change to Legal Robot - 6 upvotes, $40
  56. CSRF to Legal Robot - 6 upvotes, $20
  57. SSL Issue on legalrobot.com to Legal Robot - 6 upvotes, $20
  58. Domain takeover (legalrobot.co.za) to Legal Robot - 6 upvotes, $20
  59. Profile fields validation bypass to Legal Robot - 6 upvotes, $20
  60. 2 vulns to Legal Robot - 6 upvotes, $0
  61. Server version disclosure to Legal Robot - 6 upvotes, $0
  62. 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
  63. Change password session fixed to Legal Robot - 6 upvotes, $0
  64. Email Length Verification to Legal Robot - 6 upvotes, $0
  65. design issue exists on login page to Legal Robot - 6 upvotes, $0
  66. observer.com URL should be HTTPS to Legal Robot - 6 upvotes, $0
  67. Futureoflife organization URL should be HTTPS to Legal Robot - 6 upvotes, $0
  68. Legal Robot to Legal Robot - 6 upvotes, $0
  69. No notification of change email feature to Legal Robot - 6 upvotes, $0
  70. Users with 2FA can have multiple sessions to Legal Robot - 5 upvotes, $60
  71. [UX] Notify user on likely email address typo to Legal Robot - 5 upvotes, $40
  72. SPF Issue to Legal Robot - 5 upvotes, $20
  73. CORS (Cross-Origin Resource Sharing) to Legal Robot - 5 upvotes, $20
  74. CSP script-src includes "unsafe-inline" to Legal Robot - 5 upvotes, $20
  75. Email spoofing-fake mail from your mail domain server to Legal Robot - 5 upvotes, $0
  76. Click Jacking to Legal Robot - 5 upvotes, $0
  77. Missing homograph filter character to Legal Robot - 5 upvotes, $0
  78. Improper Implementation of Password strength checker to Legal Robot - 5 upvotes, $0
  79. 2FA user enumeration via password reset to Legal Robot - 4 upvotes, $90
  80. Registration bypass using OAuth logical bug to Legal Robot - 4 upvotes, $40
  81. Password reset form ignores email field to Legal Robot - 4 upvotes, $40
  82. Guessing registered users in legalrobot.com to Legal Robot - 4 upvotes, $20
  83. Password complexity ignores empty spaces to Legal Robot - 4 upvotes, $20
  84. No length limit in invite_code can cause server degradation to Legal Robot - 4 upvotes, $20
  85. No error or notification on Reset password page to Legal Robot - 4 upvotes, $20
  86. Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/) to Legal Robot - 4 upvotes, $0
  87. SWEET32 TLS attack to Legal Robot - 4 upvotes, $0
  88. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  89. Autocomplete feature to Legal Robot - 4 upvotes, $0
  90. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  91. app.legalrobot.com opens FireFox but not in FireFox ESR to Legal Robot - 4 upvotes, $0
  92. Wrong password validation message to Legal Robot - 4 upvotes, $0
  93. sql injection vulnerability found to Legal Robot - 4 upvotes, $0
  94. External links should be served in HTTPS. to Legal Robot - 4 upvotes, $0
  95. Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming to Legal Robot - 4 upvotes, $0
  96. Header Injection In app.legalrobot.com to Legal Robot - 4 upvotes, $0
  97. Missing security headers, possible clickjacking to Legal Robot - 3 upvotes, $20
  98. Rate limiting on Email confirmation link to Legal Robot - 3 upvotes, $20
  99. No valid SPF record to Legal Robot - 3 upvotes, $20
  100. missing SPF for legalrobot.com to Legal Robot - 3 upvotes, $20
  101. unsecured legalrobot.co.uk assets to Legal Robot - 3 upvotes, $20
  102. Account profile shows encryption recovery box for all users to Legal Robot - 3 upvotes, $20
  103. Token leakage by referrer header & analytics to Legal Robot - 3 upvotes, $20
  104. Issues with Forgot password Error Handling to Legal Robot - 3 upvotes, $20
  105. Password Reset page Session Fixation to Legal Robot - 3 upvotes, $0
  106. Information disclosure to Legal Robot - 3 upvotes, $0
  107. Unable to change profile picture to Legal Robot - 3 upvotes, $0
  108. Non-HTTPS link on blog to Legal Robot - 3 upvotes, $0
  109. Cloudflare issue: Error 521 Ray ID: 2e7ea7f706ea4056 • 2016-09-25 12:59:55 UTC Web server is down to Legal Robot - 3 upvotes, $0
  110. Legal | Application is Missing CSP(Content Security Policy) Header to Legal Robot - 2 upvotes, $20
  111. Possible content spoofing due to missing error page to Legal Robot - 2 upvotes, $20
  112. Incorrect email content when disabling 2FA to Legal Robot - 2 upvotes, $20
  113. Lengthy manual entry of 2FA secret to Legal Robot - 2 upvotes, $20
  114. Incorrect error message to Legal Robot - 2 upvotes, $20
  115. 2FA manual entry uses wrong encoding to Legal Robot - 2 upvotes, $20
  116. Clickjacking: X-Frame-Options header missing to Legal Robot - 2 upvotes, $0
  117. Rate limiting on password reset links to Legal Robot - 2 upvotes, $0
  118. Mixed Content over HTTPS to Legal Robot - 2 upvotes, $0
  119. Coding error ! to Legal Robot - 2 upvotes, $0
  120. S3 ACL misconfiguration to Legal Robot - 2 upvotes, $0
  121. No alert in verify email address with wrong input to Legal Robot - 2 upvotes, $0
  122. Error the message with already e-mail to Legal Robot - 2 upvotes, $0
  123. Bypass email verification when register new account to Legal Robot - 2 upvotes, $0
  124. Password Complexity to Legal Robot - 2 upvotes, $0
  125. Allowance of Meta/Null characters to Legal Robot - 2 upvotes, $0
  126. Add arbitrary value in reset password cookie to Legal Robot - 2 upvotes, $0
  127. Null Byte Injection in all fields of Profile to Legal Robot - 2 upvotes, $0
  128. Profile fields validation mismatch to Legal Robot - 1 upvotes, $20
  129. No DMARC Record in legalrobot-uat.com to Legal Robot - 1 upvotes, $0
  130. Email spoofing possible via Legal Robot domain to Legal Robot - 1 upvotes, $0
  131. Tampering the mail id on chatbox to Legal Robot - 1 upvotes, $0
  132. Weak Cryptography for Passwords to Legal Robot - 1 upvotes, $0
  133. The websocket traffic is not secure enough to Legal Robot - 1 upvotes, $0
  134. Registration Allows Disposable Email Addresses to Legal Robot - 1 upvotes, $0
  135. Information Disclosure to Legal Robot - 1 upvotes, $0
  136. cross site web socket hijacking to Legal Robot - 1 upvotes, $0
  137. Two accounts can be made with same password to Legal Robot - 1 upvotes, $0
  138. SSL BREACH attack (CVE-2013-3587) to Legal Robot - 0 upvotes, $0
  139. LUCKY13 (CVE-2013-0169) affects legalrobot.com to Legal Robot - 0 upvotes, $0
  140. Subdomain misconfiguration [mail.legalrobot.com] to Legal Robot - 0 upvotes, $0
  141. Lack of input validation in e-mail & user name, job title, company name field to Legal Robot - 0 upvotes, $0
  142. Name can't be numbers or email to Legal Robot - 0 upvotes, $0
  143. Password Restriction On Change to Legal Robot - 0 upvotes, $0
  144. Create Api Key is not working to Legal Robot - 0 upvotes, $0
  145. Special characters are not filtered out on profile fields to Legal Robot - 0 upvotes, $0
  146. CSRF Issue to Legal Robot - 0 upvotes, $0
  147. Password Policy Bypass to Legal Robot - 0 upvotes, $0
  148. Invalid Email Verification to Legal Robot - 0 upvotes, $0
  149. clickjacking at http://mailboxes.legalrobot-uat.com/ to Legal Robot - 0 upvotes, $0
  150. Improper error message to Legal Robot - 0 upvotes, $0
  151. XSS on app.legalrobot.com to Legal Robot - 0 upvotes, $0
  152. Cross Site WebSocket Hijacking to Legal Robot - 0 upvotes, $0
  153. Chat exposed using cookie to Legal Robot - 0 upvotes, $0
  154. Non-secure requests are not automatically upgraded to HTTPS to Legal Robot - 0 upvotes, $0
  155. https://www.legalrobot.com/ to Legal Robot - 0 upvotes, $0
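
Several entries above (13, 54, 113 and 115) are about TOTP enrollment: the manual-entry secret presented in the wrong encoding and the issuer missing from the provisioning data, so the authenticator shows only an account name. The following Python is an added example, not code from Legal Robot or from any of the reports. It builds a provisioning URI in the otpauth:// Key URI format that authenticator apps consume, runs a checker that flags exactly those two defects, and computes RFC 6238 TOTP codes to confirm the encoded secret verifies. The issuer "Legal Robot", the account address and the secret bytes are placeholders chosen for the demonstration; the secret is the RFC 6238 test-vector seed so the codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# RFC 4648 base32 alphabet, optional '=' padding. Authenticator apps expect
# the shared secret in this alphabet; base64 or hex secrets are rejected or,
# worse, silently mis-decoded into a different key.
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")


def build_otpauth_uri(issuer: str, account: str, secret: bytes,
                      digits: int = 6, period: int = 30) -> str:
    """Build an otpauth://totp/ provisioning URI (Key URI format).

    The secret is base32 with padding stripped (many apps reject '='), and
    the issuer appears both as the label prefix and as issuer=, which is
    what the Key URI format asks for so the entry is shown as
    "Issuer (account)" rather than a bare account name."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def check_otpauth_uri(uri: str) -> list[str]:
    """Return a list of findings for a provisioning URI; empty means clean."""
    findings: list[str] = []
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        return ["not an otpauth://totp URI"]
    q = parse_qs(u.query)
    secret = q.get("secret", [""])[0]
    if not secret or not BASE32_RE.match(secret):
        findings.append("secret is not base32; manual entry into an "
                        "authenticator will fail or yield a different key")
    else:
        raw = base64.b32decode(secret + "=" * (-len(secret) % 8))
        if len(raw) < 16:
            findings.append(f"secret is only {len(raw) * 8} bits; "
                            "RFC 4226 requires at least 128")
    label = unquote(u.path.lstrip("/"))
    issuer = q.get("issuer", [""])[0]
    if not issuer:
        findings.append("missing issuer= parameter; the app entry will show "
                        "only the account name")
    elif ":" in label and label.split(":", 1)[0] != issuer:
        findings.append("issuer= parameter does not match the label prefix")
    return findings


def totp(secret: bytes, unix_time: int, digits: int = 6,
         period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 test-vector key, not a real secret.
    seed = b"12345678901234567890"
    good = build_otpauth_uri("Legal Robot", "alice@example.com", seed)
    print(good)
    print("findings (good):", check_otpauth_uri(good))

    # The defective shape the report titles describe: base64 secret, no issuer.
    bad = ("otpauth://totp/alice@example.com?secret="
           + base64.b64encode(seed).decode("ascii"))
    print("findings (bad):", check_otpauth_uri(bad))

    # RFC 6238 vector: time 59 -> 94287082 (8 digits), so 287082 at 6 digits.
    print("code at t=59:", totp(seed, 59))
    print("code now:", totp(seed, int(time.time())))
```

The checker is deliberately strict about the base32 alphabet rather than trying `b32decode` with `casefold`, because an app that accepts lowercase or base64-looking input and decodes it to different bytes is precisely the failure mode that leaves the user with a working-looking entry whose codes never validate.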