TOPLEGALROBOT.md

Top reports from Legal Robot program at HackerOne:

  1. Remote Code Execution (upload) to Legal Robot - 60 upvotes, $0
  2. Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io. to Legal Robot - 33 upvotes, $0
  3. Privilege Escalation to Admin-level Account to Legal Robot - 23 upvotes, $0
  4. Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality to Legal Robot - 19 upvotes, $0
  5. Intercom chat session information persists after logout to Legal Robot - 19 upvotes, $0
  6. AWS hosting bucket for Legal Robots set as public browse and list contents: s3://legalrobot to Legal Robot - 17 upvotes, $0
  7. Password complexity requirements not enforced to Legal Robot - 16 upvotes, $0
  8. Big XSS vulnerability! to Legal Robot - 16 upvotes, $0
  9. Homograph IDNs displayed in Description to Legal Robot - 16 upvotes, $0
  10. Legal Robot AWS S3 Bucket Directory Listing to Legal Robot - 14 upvotes, $0
  11. content spoofing to Legal Robot - 13 upvotes, $0
  12. Code injection to Legal Robot - 13 upvotes, $0
  13. TabNabbing issue (due to target=_blank) to Legal Robot - 13 upvotes, $0
  14. Email Length Verification to Legal Robot - 13 upvotes, $0
  15. 2FA manual entry uses wrong encoding to Legal Robot - 13 upvotes, $0
  16. Information Disclosure on rate limit defense mechanism to Legal Robot - 12 upvotes, $0
  17. Near-duplicate accounts allowed with ignored email mutations to Legal Robot - 12 upvotes, $0
  18. 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $0
  19. Change password session fixed to Legal Robot - 12 upvotes, $0
  20. Password complexity not evenly enforced to Legal Robot - 12 upvotes, $0
  21. AWS S3 website can't serve security headers, may allow clickjacking to Legal Robot - 11 upvotes, $0
  22. Domain takeover (legalrobot.co.za) to Legal Robot - 11 upvotes, $0
  23. News Feed Detected to Legal Robot - 11 upvotes, $0
  24. design issue exists on login page to Legal Robot - 11 upvotes, $0
  25. Information Disclosure in AWS S3 Bucket to Legal Robot - 10 upvotes, $0
  26. Update any profile to Legal Robot - 10 upvotes, $0
  27. Password reset access control to Legal Robot - 10 upvotes, $0
  28. I cant login to my account to Legal Robot - 10 upvotes, $0
  29. Failed OutLink on Terms of Service to Legal Robot - 10 upvotes, $0
  30. Venturebeat.com URL should be HTTPS to Legal Robot - 10 upvotes, $0
  31. Legal Robot to Legal Robot - 10 upvotes, $0
  32. Exposes a series of other private credentials to Legal Robot - 10 upvotes, $0
  33. Logic issue in email change process to Legal Robot - 10 upvotes, $0
  34. Missing restriction on string size in profile fields to Legal Robot - 9 upvotes, $0
  35. Pages don't render in old browsers like IE11 to Legal Robot - 9 upvotes, $0
  36. Meta characters are not filtered into full name on profile page to Legal Robot - 9 upvotes, $0
  37. Missing link to TOTP manual enroll option to Legal Robot - 9 upvotes, $0
  38. first name and last name restrictions bypass to Legal Robot - 9 upvotes, $0
  39. User Information leak allows user to bypass email verification. to Legal Robot - 8 upvotes, $0
  40. User Information sent to client through websockets to Legal Robot - 8 upvotes, $0
  41. Missing link to 2FA recovery code to Legal Robot - 8 upvotes, $0
  42. User enumeration to Legal Robot - 8 upvotes, $0
  43. [New Feature] Password history check to Legal Robot - 8 upvotes, $0
  44. [Cross-domain Referer leakage] Password reset token leakage via referer to Legal Robot - 8 upvotes, $0
  45. Improper validation of parameters while creating issues to Legal Robot - 8 upvotes, $0
  46. Change password logic inversion to Legal Robot - 8 upvotes, $0
  47. Logic issue in email change process to Legal Robot - 8 upvotes, $0
  48. External links to be in HTTP to Legal Robot - 8 upvotes, $0
  49. Clickjacking in Legalrobot app to Legal Robot - 8 upvotes, $0
  50. UI Redressing ( ClickJacking ) Issue on Information submit form to Legal Robot - 7 upvotes, $0
  51. CSRF to Legal Robot - 7 upvotes, $0
  52. Validation bypass on user profile to Legal Robot - 7 upvotes, $0
  53. Token leakage by referrer to Legal Robot - 7 upvotes, $0
  54. No notification on change password feature to Legal Robot - 7 upvotes, $0
  55. Profile shows incorrect account creation date to Legal Robot - 7 upvotes, $0
  56. Password reset token issue to Legal Robot - 7 upvotes, $0
  57. User enumeration from failed login error message to Legal Robot - 7 upvotes, $0
  58. 2 vulns to Legal Robot - 6 upvotes, $0
  59. Guessing registered users in legalrobot.com to Legal Robot - 6 upvotes, $0
  60. SSL Issue on legalrobot.com to Legal Robot - 6 upvotes, $0
  61. CORS (Cross-Origin Resource Sharing) to Legal Robot - 6 upvotes, $0
  62. Server version disclosure to Legal Robot - 6 upvotes, $0
  63. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $0
  64. Enhancement: email confirmation for 2FA recovery to Legal Robot - 6 upvotes, $0
  65. 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
  66. 2FA user enumeration via password reset to Legal Robot - 6 upvotes, $0
  67. Missing Issuer parameter on TOTP 2FA to Legal Robot - 6 upvotes, $0
  68. Profile fields validation bypass to Legal Robot - 6 upvotes, $0
  69. Missing access control at password change to Legal Robot - 6 upvotes, $0
  70. observer.com URL should be HTTPS to Legal Robot - 6 upvotes, $0
  71. Futureoflife organization URL should be HTTPS to Legal Robot - 6 upvotes, $0
  72. No notification of change email feature to Legal Robot - 6 upvotes, $0
  73. Email spoofing-fake mail from your mail domain server to Legal Robot - 5 upvotes, $0
  74. Click Jacking to Legal Robot - 5 upvotes, $0
  75. Registration bypass using OAuth logical bug to Legal Robot - 5 upvotes, $0
  76. Missing security headers, possible clickjacking to Legal Robot - 5 upvotes, $0
  77. SPF Issue to Legal Robot - 5 upvotes, $0
  78. Users with 2FA can have multiple sessions to Legal Robot - 5 upvotes, $0
  79. Password Reset page Session Fixation to Legal Robot - 5 upvotes, $0
  80. CSP script-src includes "unsafe-inline" to Legal Robot - 5 upvotes, $0
  81. Missing homograph filter character to Legal Robot - 5 upvotes, $0
  82. Wrong password validation message to Legal Robot - 5 upvotes, $0
  83. [UX] Notify user on likely email address typo to Legal Robot - 5 upvotes, $0
  84. sql injection vulnerability found to Legal Robot - 5 upvotes, $0
  85. External links should be served in HTTPS. to Legal Robot - 5 upvotes, $0
  86. Improper Implementation of Password strength checker to Legal Robot - 5 upvotes, $0
  87. Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/) to Legal Robot - 4 upvotes, $0
  88. Clickjacking: X-Frame-Options header missing to Legal Robot - 4 upvotes, $0
  89. No valid SPF record to Legal Robot - 4 upvotes, $0
  90. missing SPF for legalrobot.com to Legal Robot - 4 upvotes, $0
  91. SWEET32 TLS attack to Legal Robot - 4 upvotes, $0
  92. Password reset form ignores email field to Legal Robot - 4 upvotes, $0
  93. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  94. Password complexity ignores empty spaces to Legal Robot - 4 upvotes, $0
  95. No length limit in invite_code can cause server degradation to Legal Robot - 4 upvotes, $0
  96. Autocomplete feature to Legal Robot - 4 upvotes, $0
  97. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  98. app.legalrobot.com opens in FireFox but not in FireFox ESR to Legal Robot - 4 upvotes, $0
  99. No error or notification on Reset password page to Legal Robot - 4 upvotes, $0
  100. Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming to Legal Robot - 4 upvotes, $0
  101. Header Injection In app.legalrobot.com to Legal Robot - 4 upvotes, $0
  102. Cloudflare issue: Error 521 Ray ID: 2e7ea7f706ea4056 • 2016-09-25 12:59:55 UTC Web server is down to Legal Robot - 4 upvotes, $0
  103. Rate limiting on Email confirmation link to Legal Robot - 3 upvotes, $0
  104. unsecured legalrobot.co.uk assets to Legal Robot - 3 upvotes, $0
  105. Account profile shows encryption recovery box for all users to Legal Robot - 3 upvotes, $0
  106. Token leakage by referrer header & analytics to Legal Robot - 3 upvotes, $0
  107. Information disclosure to Legal Robot - 3 upvotes, $0
  108. Bypass email verification when register new account to Legal Robot - 3 upvotes, $0
  109. Issues with Forgot password Error Handling to Legal Robot - 3 upvotes, $0
  110. Unable to change profile picture to Legal Robot - 3 upvotes, $0
  111. Non-HTTPS link on blog to Legal Robot - 3 upvotes, $0
  112. Legal | Application is Missing CSP(Content Security Policy) Header to Legal Robot - 2 upvotes, $0
  113. Possible content spoofing due to missing error page to Legal Robot - 2 upvotes, $0
  114. Rate limiting on password reset links to Legal Robot - 2 upvotes, $0
  115. Incorrect email content when disabling 2FA to Legal Robot - 2 upvotes, $0
  116. Lengthy manual entry of 2FA secret to Legal Robot - 2 upvotes, $0
  117. Mixed Content over HTTPS to Legal Robot - 2 upvotes, $0
  118. Incorrect error message to Legal Robot - 2 upvotes, $0
  119. Coding error ! to Legal Robot - 2 upvotes, $0
  120. S3 ACL misconfiguration to Legal Robot - 2 upvotes, $0
  121. No alert in verify email address with wrong input to Legal Robot - 2 upvotes, $0
  122. Error the message with already e-mail to Legal Robot - 2 upvotes, $0
  123. 2FA manual entry uses wrong encoding to Legal Robot - 2 upvotes, $0
  124. Password Complexity to Legal Robot - 2 upvotes, $0
  125. Allowance of Meta/Null characters to Legal Robot - 2 upvotes, $0
  126. Add arbitrary value in reset password cookie to Legal Robot - 2 upvotes, $0
  127. Null Byte Injection in all fields of Profile to Legal Robot - 2 upvotes, $0
  128. No DMARC Record in legalrobot-uat.com to Legal Robot - 1 upvote, $0
  129. Email spoofing possible via Legal Robot domain to Legal Robot - 1 upvote, $0
  130. Tampering the mail id on chatbox to Legal Robot - 1 upvote, $0
  131. Weak Cryptography for Passwords to Legal Robot - 1 upvote, $0
  132. The websocket traffic is not secure enough to Legal Robot - 1 upvote, $0
  133. Registration Allows Disposable Email Addresses to Legal Robot - 1 upvote, $0
  134. Password Policy Bypass to Legal Robot - 1 upvote, $0
  135. clickjacking at http://mailboxes.legalrobot-uat.com/ to Legal Robot - 1 upvote, $0
  136. Profile fields validation mismatch to Legal Robot - 1 upvote, $0
  137. Information Disclosure to Legal Robot - 1 upvote, $0
  138. cross site web socket hijacking to Legal Robot - 1 upvote, $0
  139. XSS on app.legalrobot.com to Legal Robot - 1 upvote, $0
  140. Cross Site WebSocket Hijacking to Legal Robot - 1 upvote, $0
  141. Chat exposed using cookie to Legal Robot - 1 upvote, $0
  142. Two accounts can be made with same password to Legal Robot - 1 upvote, $0
  143. https://www.legalrobot.com/ to Legal Robot - 1 upvote, $0
  144. SSL BREACH attack (CVE-2013-3587) to Legal Robot - 0 upvotes, $0
  145. LUCKY13 (CVE-2013-0169) affects legalrobot.com to Legal Robot - 0 upvotes, $0
  146. Subdomain misconfiguration [mail.legalrobot.com] to Legal Robot - 0 upvotes, $0
  147. Lack of input validation in e-mail & user name, job title, company name field to Legal Robot - 0 upvotes, $0
  148. Name can't be numbers or email to Legal Robot - 0 upvotes, $0
  149. Password Restriction On Change to Legal Robot - 0 upvotes, $0
  150. Create Api Key is not working to Legal Robot - 0 upvotes, $0
  151. Special characters are not filtered out on profile fields to Legal Robot - 0 upvotes, $0
  152. CSRF Issue to Legal Robot - 0 upvotes, $0
  153. Invalid Email Verification to Legal Robot - 0 upvotes, $0
  154. Improper error message to Legal Robot - 0 upvotes, $0
  155. Non-secure requests are not automatically upgraded to HTTPS to Legal Robot - 0 upvotes, $0