2 vulns

**1.** the first report is concerning AWS S3 bucket Readable for authenticated aws users , the same as this report #163476 the bucket is **sdk.amazonaws.com** , i believe it's yours because i found it in a Head request to https://app.legalrobot.com/ : F115189 listing the bucket : 115190 i don't have any proof if it's your bucket , but hoping it is... **2.** i know it's out of scope but the second report is about a misconfigured HTTPS connection on https://app.legalrobot.com/ Reproduction ========= cURL 1.Send a HEAD request to https://app.legalrobot.com/ curl -I https://app.legalrobot.com/ 2.You will see that the server does not instruct the client to upgrade the connection to HTTPS. The server responds with an HTTP/2 200 status code instead of 301 status code with the response header Location set to https://app.legalrobot.com/ : F115191 EXPLOITABILITY & IMPACT ================== Granted, it is kind of hard to exploit this vulnerability, because, first of all, it requires an attacker to be in a privileged network (he/she needs to be able to see what's going over the wire). Then the attacker would need to trick the victim into opening https://app.legalrobot.com/. in a browser that doesn't have https://app.legalrobot.com/ HSTS preloaded and which doesn't have any HSTS cookies for https://app.legalrobot.com/ from a previous secure visit to https://app.legalrobot.com/. When all these conditions are met, an attacker could for example steal the victim's https://app.legalrobot.com/ credentials, or _inject some malicious scripts into any page_. This is possible because the connection is never upgraded, and the site allows forms to be posted to non-secure endpoints MITIGATION ======== Non-secure connections need to be upgraded to HTTPS as soon as possible using a permanent redirect. But i know the website is not up yet because of a misconfiguration in the index file F115195 f115196 , but if it's connection still the same , in the future the site will allow any user to send his credentials in the clear over a non-secure connection, I was also thinking that you would probably want to prevent forms from being posted to non-secure origins. One possibility is to enforce the client to only send AJAX requests to secure origins.