(HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation

Disclosed: 2016-10-27 05:01:49 By whhackersbr To security
Severity: Low

Vulnerability Details
### Summary

Login CSRF, Open Redirect, and Self-XSS Possible Exploitation through HackerOne SSO-SAML

### PoC

- Go to █████; use a browser window with clear cookies.

Source code:

```html
<html>
<body>
<iframe id="login_csrf_frame" src="████████" style="width:0;height:0;border:0;border:none;"></iframe>
<script>
setTimeout(function(){document.location.href = "https://hackerone.com/users/saml/sign_in?email=████&remember_me=true";}, 5000);
</script>
</body>
</html>
```

### Impact

1) Information Leak

An attacker can use Logout CSRF + Login CSRF against a victim to steal all information sent by the victim to the HackerOne website while using the malicious session, including confidential bug reports.

2) Open Redirect

Since the SSO-SAML login flow can be started automatically (`GET https://hackerone.com/users/saml/sign_in?email=███`) by an attacker and it redirects to external URLs, the attacker can redirect the user to anywhere.

3) Self-XSS Possible Exploitation

Some stored Self-XSS's (internal areas accessed just by the victim, etc.) can be exploited through Login CSRF.

```
Malicious page -> HackerOne Login CSRF -> Self-XSS triggers -> Logout -> Wait user actions
```

If the user interacts with the page (sign in with his account, etc.), the attacker can exploit the Self-XSS.

P.S.: An attacker can add extra dots to the SAML Email Domain in the config dialog. I didn't test all the implications, but registering a very similar domain could be a bad thing, like `hackerone..com`, `hackerone.com.`, `.hackerone.com` or even `gmail..com` because of typing mistakes (`[email protected]` would redirect the victim to the attacker's external login flow).
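Defender-side checks for the three problems the report describes, as an added example that is not HackerOne's code (the report shows no server-side code): strict validation of the SAML email domain entered in the config dialog, an exact-match registry lookup so the email alone can never produce a redirect to an unconfigured IdP, and SSO initiation restricted to a POST carrying a session-bound anti-CSRF token so a third-party page cannot start the login flow for a victim. Ruby is assumed from the Rails-style `/users/saml/sign_in` route; the registry, the IdP URL and the token values are constructed for the example.

```ruby
# Added example, not HackerOne's code. Assumes a Rails-style app where
# /users/saml/sign_in picks an external IdP from the e-mail domain.

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

# True only for a well-formed domain with at least two non-empty labels.
# "hackerone..com", "hackerone.com.", ".hackerone.com" and "gmail..com"
# all contain an empty label and are rejected at configuration time.
def valid_sso_domain?(domain)
  return false unless domain.is_a?(String)
  d = domain.strip.downcase
  return false if d.empty? || d.length > 253
  labels = d.split('.', -1) # -1 keeps trailing empty strings so "a.com." fails
  return false if labels.length < 2
  labels.all? { |l| LABEL_RE.match?(l) }
end

# Constructed registry of configured SSO domains -> IdP entry points.
SSO_REGISTRY = {
  'example.com' => 'https://idp.example.com/saml/sso' # constructed value
}.freeze

# Resolve the IdP for an e-mail address by exact domain match only.
# Returns nil (caller shows the normal login form) for any other domain,
# so the response never redirects somewhere chosen by the e-mail alone.
def sso_provider_for(email)
  local, domain = email.to_s.split('@', 2)
  return nil if local.nil? || domain.nil? || local.empty?
  return nil unless valid_sso_domain?(domain)
  SSO_REGISTRY[domain.strip.downcase]
end

# Constant-time string comparison so the token check does not leak by timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request may start the SSO flow: it must be a POST and
# carry the anti-CSRF token stored in the user's own session. A cross-site
# GET (iframe src, location.href) fails the first check and has no token.
def sso_initiation_allowed?(http_method, session_token, submitted_token)
  return false unless http_method.to_s.upcase == 'POST'
  return false if session_token.nil? || submitted_token.nil?
  secure_equal?(session_token, submitted_token)
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-session-token' # constructed session token
  puts valid_sso_domain?('hackerone.com')            # true
  puts valid_sso_domain?('hackerone..com')           # false
  puts sso_provider_for('alice@example.com')         # https://idp.example.com/saml/sso
  puts sso_provider_for('alice@example..com').inspect # nil
  puts sso_initiation_allowed?('GET', token, token)  # false
  puts sso_initiation_allowed?('POST', token, token) # true
end
```

The domain check runs when an organisation saves its SAML Email Domain, so a lookalike with extra dots can never be stored; the registry lookup means an email whose domain is not configured falls through to the normal login form instead of an external redirect; and requiring a POST with the session's token turns the `GET .../saml/sign_in?email=` entry point the report abuses into a request a cross-origin page cannot forge.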
Report Stats
  • Report ID: 171398
  • State: Closed
  • Substate: resolved
  • Upvotes: 42