TOPLEGALROBOT.md

File metadata and controls

157 lines (156 loc) · 17.6 KB

Top reports from Legal Robot program at HackerOne:

  1. Remote Code Execution (upload) to Legal Robot - 59 upvotes, $120
  2. Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io. to Legal Robot - 33 upvotes, $100
  3. Privilege Escalation to Admin-level Account to Legal Robot - 23 upvotes, $400
  4. Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality to Legal Robot - 19 upvotes, $40
  5. Intercom chat session information persists after logout to Legal Robot - 17 upvotes, $20
  6. Homograph IDNs displayed in Description to Legal Robot - 16 upvotes, $40
  7. Password complexity requirements not enforced to Legal Robot - 15 upvotes, $20
  8. AWS hosting bucket for Legal Robots set as public browse and list contents: s3://legalrobot to Legal Robot - 15 upvotes, $0
  9. Big XSS vulnerability! to Legal Robot - 14 upvotes, $0
  10. Legal Robot AWS S3 Bucket Directory Listing to Legal Robot - 14 upvotes, $0
  11. Code injection to Legal Robot - 13 upvotes, $40
  12. TabNabbing issue (due to target=_blank) to Legal Robot - 13 upvotes, $20
  13. content spoofing to Legal Robot - 13 upvotes, $0
  14. 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $60
  15. Password complexity not evenly enforced to Legal Robot - 12 upvotes, $40
  16. 2FA manual entry uses wrong encoding to Legal Robot - 12 upvotes, $30
  17. Information Disclosure on rate limit defense mechanism to Legal Robot - 12 upvotes, $20
  18. Near-duplicate accounts allowed with ignored email mutations to Legal Robot - 12 upvotes, $20
  19. AWS S3 website can't serve security headers, may allow clickjacking to Legal Robot - 11 upvotes, $40
  20. Update any profile to Legal Robot - 10 upvotes, $100
  21. Logic issue in email change process to Legal Robot - 10 upvotes, $70
  22. Password reset access control to Legal Robot - 10 upvotes, $40
  23. Change password session fixed to Legal Robot - 10 upvotes, $0
  24. Email Length Verification to Legal Robot - 10 upvotes, $0
  25. I can't log in to my account to Legal Robot - 10 upvotes, $0
  26. Failed OutLink on Terms of Service to Legal Robot - 10 upvotes, $0
  27. Venturebeat.com URL should be HTTPS to Legal Robot - 10 upvotes, $0
  28. Exposes a series of other private credentials to Legal Robot - 10 upvotes, $0
  29. Missing link to TOTP manual enroll option to Legal Robot - 9 upvotes, $90
  30. Missing restriction on string size in profile fields to Legal Robot - 9 upvotes, $40
  31. Information Disclosure in AWS S3 Bucket to Legal Robot - 9 upvotes, $20
  32. Domain takeover (legalrobot.co.za) to Legal Robot - 9 upvotes, $20
  33. Pages don't render in old browsers like IE11 to Legal Robot - 9 upvotes, $20
  34. Meta characters are not filtered into full name on profile page to Legal Robot - 9 upvotes, $20
  35. User Information leak allows user to bypass email verification. to Legal Robot - 8 upvotes, $120
  36. User Information sent to client through websockets to Legal Robot - 8 upvotes, $120
  37. Logic issue in email change process to Legal Robot - 8 upvotes, $60
  38. User enumeration to Legal Robot - 8 upvotes, $20
  39. [New Feature] Password history check to Legal Robot - 8 upvotes, $20
  40. [Cross-domain Referer leakage] Password reset token leakage via referer to Legal Robot - 8 upvotes, $20
  41. Improper validation of parameters while creating issues to Legal Robot - 8 upvotes, $20
  42. Change password logic inversion to Legal Robot - 8 upvotes, $20
  43. first name and last name restrictions bypass to Legal Robot - 8 upvotes, $20
  44. News Feed Detected to Legal Robot - 8 upvotes, $0
  45. design issue exists on login page to Legal Robot - 8 upvotes, $0
  46. External links to be in HTTP to Legal Robot - 8 upvotes, $0
  47. Legal Robot to Legal Robot - 8 upvotes, $0
  48. Clickjacking in Legalrobot app to Legal Robot - 8 upvotes, $0
  49. Missing link to 2FA recovery code to Legal Robot - 7 upvotes, $90
  50. Validation bypass on user profile to Legal Robot - 7 upvotes, $60
  51. Token leakage by referrer to Legal Robot - 7 upvotes, $60
  52. No notification on change password feature to Legal Robot - 7 upvotes, $20
  53. Profile shows incorrect account creation date to Legal Robot - 7 upvotes, $20
  54. Password reset token issue to Legal Robot - 7 upvotes, $20
  55. User enumeration from failed login error message to Legal Robot - 7 upvotes, $20
  56. UI Redressing ( ClickJacking ) Issue on Information submit form to Legal Robot - 7 upvotes, $0
  57. 2FA user enumeration via password reset to Legal Robot - 6 upvotes, $90
  58. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $60
  59. Enhancement: email confirmation for 2FA recovery to Legal Robot - 6 upvotes, $60
  60. Missing Issuer parameter on TOTP 2FA to Legal Robot - 6 upvotes, $60
  61. Missing access control at password change to Legal Robot - 6 upvotes, $40
  62. CSRF to Legal Robot - 6 upvotes, $20
  63. SSL Issue on legalrobot.com to Legal Robot - 6 upvotes, $20
  64. CORS (Cross-Origin Resource Sharing) to Legal Robot - 6 upvotes, $20
  65. Profile fields validation bypass to Legal Robot - 6 upvotes, $20
  66. 2 vulns to Legal Robot - 6 upvotes, $0
  67. Server version disclosure to Legal Robot - 6 upvotes, $0
  68. 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
  69. observer.com URL should be HTTPS to Legal Robot - 6 upvotes, $0
  70. Futureoflife organization URL should be HTTPS to Legal Robot - 6 upvotes, $0
  71. No notification of change email feature to Legal Robot - 6 upvotes, $0
  72. Users with 2FA can have multiple sessions to Legal Robot - 5 upvotes, $60
  73. [UX] Notify user on likely email address typo to Legal Robot - 5 upvotes, $40
  74. Guessing registered users in legalrobot.com to Legal Robot - 5 upvotes, $20
  75. SPF Issue to Legal Robot - 5 upvotes, $20
  76. CSP script-src includes "unsafe-inline" to Legal Robot - 5 upvotes, $20
  77. Email spoofing-fake mail from your mail domain server to Legal Robot - 5 upvotes, $0
  78. Click Jacking to Legal Robot - 5 upvotes, $0
  79. Missing homograph filter character to Legal Robot - 5 upvotes, $0
  80. Wrong password validation message to Legal Robot - 5 upvotes, $0
  81. sql injection vulnerability found to Legal Robot - 5 upvotes, $0
  82. Improper Implementation of Password strength checker to Legal Robot - 5 upvotes, $0
  83. Registration bypass using OAuth logical bug to Legal Robot - 4 upvotes, $40
  84. Password reset form ignores email field to Legal Robot - 4 upvotes, $40
  85. Password complexity ignores empty spaces to Legal Robot - 4 upvotes, $20
  86. No length limit in invite_code can cause server degradation to Legal Robot - 4 upvotes, $20
  87. No error or notification on Reset password page to Legal Robot - 4 upvotes, $20
  88. Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/) to Legal Robot - 4 upvotes, $0
  89. SWEET32 TLS attack to Legal Robot - 4 upvotes, $0
  90. Password Reset page Session Fixation to Legal Robot - 4 upvotes, $0
  91. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  92. Autocomplete feature to Legal Robot - 4 upvotes, $0
  93. UX: JS error on Password Safety link to Legal Robot - 4 upvotes, $0
  94. app.legalrobot.com opens FireFox but not in FireFox ESR to Legal Robot - 4 upvotes, $0
  95. External links should be served in HTTPS. to Legal Robot - 4 upvotes, $0
  96. Broken links for stale domains may be leveraged for Phishing, Misinformation, Defaming to Legal Robot - 4 upvotes, $0
  97. Header Injection In app.legalrobot.com to Legal Robot - 4 upvotes, $0
  98. Cloudflare issue: Error 521 Ray ID: 2e7ea7f706ea4056 • 2016-09-25 12:59:55 UTC Web server is down to Legal Robot - 4 upvotes, $0
  99. Missing security headers, possible clickjacking to Legal Robot - 3 upvotes, $20
  100. Rate limiting on Email confirmation link to Legal Robot - 3 upvotes, $20
  101. No valid SPF record to Legal Robot - 3 upvotes, $20
  102. missing SPF for legalrobot.com to Legal Robot - 3 upvotes, $20
  103. unsecured legalrobot.co.uk assets to Legal Robot - 3 upvotes, $20
  104. Account profile shows encryption recovery box for all users to Legal Robot - 3 upvotes, $20
  105. Token leakage by referrer header & analytics to Legal Robot - 3 upvotes, $20
  106. Issues with Forgot password Error Handling to Legal Robot - 3 upvotes, $20
  107. Clickjacking: X-Frame-Options header missing to Legal Robot - 3 upvotes, $0
  108. Information disclosure to Legal Robot - 3 upvotes, $0
  109. Bypass email verification when register new account to Legal Robot - 3 upvotes, $0
  110. Unable to change profile picture to Legal Robot - 3 upvotes, $0
  111. Non-HTTPS link on blog to Legal Robot - 3 upvotes, $0
  112. Legal | Application is Missing CSP(Content Security Policy) Header to Legal Robot - 2 upvotes, $20
  113. Possible content spoofing due to missing error page to Legal Robot - 2 upvotes, $20
  114. Incorrect email content when disabling 2FA to Legal Robot - 2 upvotes, $20
  115. Lengthy manual entry of 2FA secret to Legal Robot - 2 upvotes, $20
  116. Incorrect error message to Legal Robot - 2 upvotes, $20
  117. 2FA manual entry uses wrong encoding to Legal Robot - 2 upvotes, $20
  118. Rate limiting on password reset links to Legal Robot - 2 upvotes, $0
  119. Mixed Content over HTTPS to Legal Robot - 2 upvotes, $0
  120. Coding error! to Legal Robot - 2 upvotes, $0
  121. S3 ACL misconfiguration to Legal Robot - 2 upvotes, $0
  122. No alert in verify email address with wrong input to Legal Robot - 2 upvotes, $0
  123. Error the message with already e-mail to Legal Robot - 2 upvotes, $0
  124. Password Complexity to Legal Robot - 2 upvotes, $0
  125. Allowance of Meta/Null characters to Legal Robot - 2 upvotes, $0
  126. Add arbitrary value in reset password cookie to Legal Robot - 2 upvotes, $0
  127. Null Byte Injection in all fields of Profile to Legal Robot - 2 upvotes, $0
  128. Profile fields validation mismatch to Legal Robot - 1 upvote, $20
  129. No DMARC Record in legalrobot-uat.com to Legal Robot - 1 upvote, $0
  130. Email spoofing possible via Legal Robot domain to Legal Robot - 1 upvote, $0
  131. Tampering the mail id on chatbox to Legal Robot - 1 upvote, $0
  132. Weak Cryptography for Passwords to Legal Robot - 1 upvote, $0
  133. The websocket traffic is not secure enough to Legal Robot - 1 upvote, $0
  134. Registration Allows Disposable Email Addresses to Legal Robot - 1 upvote, $0
  135. clickjacking at http://mailboxes.legalrobot-uat.com/ to Legal Robot - 1 upvote, $0
  136. Information Disclosure to Legal Robot - 1 upvote, $0
  137. cross site web socket hijacking to Legal Robot - 1 upvote, $0
  138. XSS on app.legalrobot.com to Legal Robot - 1 upvote, $0
  139. Chat exposed using cookie to Legal Robot - 1 upvote, $0
  140. Two accounts can be made with same password to Legal Robot - 1 upvote, $0
  141. https://www.legalrobot.com/ to Legal Robot - 1 upvote, $0
  142. SSL BREACH attack (CVE-2013-3587) to Legal Robot - 0 upvotes, $0
  143. LUCKY13 (CVE-2013-0169) affects legalrobot.com to Legal Robot - 0 upvotes, $0
  144. Subdomain misconfiguration [mail.legalrobot.com] to Legal Robot - 0 upvotes, $0
  145. Lack of input validation in e-mail & user name, job title, company name field to Legal Robot - 0 upvotes, $0
  146. Name can't be numbers or email to Legal Robot - 0 upvotes, $0
  147. Password Restriction On Change to Legal Robot - 0 upvotes, $0
  148. Create Api Key is not working to Legal Robot - 0 upvotes, $0
  149. Special characters are not filtered out on profile fields to Legal Robot - 0 upvotes, $0
  150. CSRF Issue to Legal Robot - 0 upvotes, $0
  151. Password Policy Bypass to Legal Robot - 0 upvotes, $0
  152. Invalid Email Verification to Legal Robot - 0 upvotes, $0
  153. Improper error message to Legal Robot - 0 upvotes, $0
  154. Cross Site WebSocket Hijacking to Legal Robot - 0 upvotes, $0
  155. Non-secure requests are not automatically upgraded to HTTPS to Legal Robot - 0 upvotes, $0