How I managed to take over any account that visits my profile with Stored XSS

Mahmoud Youssef
3 min read · May 15, 2022

Hello everybody, today we have a simple Stored XSS vulnerability that leads to stealing cookies and taking over the account. Let’s start.

Reconnaissance

The target is only one single domain and its API subdomain; let’s call them target.com and api.target.com. Simply, when I do a pen-test for any target I test every input field manually and check the response and the reflection for the possibility of any XSS. The site has a lot of input functions; I tested all of them, and after checking all input fields I got nothing except one input whose reflection was weird.

In your profile, you have the ability to write decorated text to make your profile look nice to other users.

So the input field enables you to type bold, italic, and other text-editing stuff like MS Word, but when I entered any text between backticks (`TEXT`), the reflection went into `<code> </code>` tags.

I tried a basic XSS payload and found the same reflection.

So let’s go and fire up Burp Suite to see what happens when this request is sent.

When I intercepted the request I found that my HTML tags had been encoded, so `<` became `&lt;` and `>` became `&gt;`, and only then was the request sent to the backend server.

So I replaced all the encoded characters with the original ones and forwarded the request.

When I returned to the site I found the XSS alert triggered XD

So we got Stored XSS: for every user who visits my profile the XSS will be triggered, and the funniest part is that none of the cookies have the HttpOnly or Secure flags, so let’s steal the cookies and pwn any user who comes to our profile.
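The two defects the walkthrough above exposes are encoding done only in the browser (so anyone editing the request in a proxy skips it) and session cookies issued without HttpOnly or Secure. The following is an added Python example written from the defender's side; it is not code from the original post or from the affected site. The `**bold**` / `_italic_` / `` `code` `` markup, the function names, and the sample inputs are assumptions made for the illustration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample inputs (not from the original post): a normal decorated
# profile text and a submission that carries raw HTML tags.
SAMPLE_BENIGN = "Hi, I am **Alice** and I like _security_ and `code`"
SAMPLE_HOSTILE = "<script>alert(1)</script> **bold**"

# Hypothetical allow-listed markup for the profile editor: **bold**, _italic_, `code`.
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_ITALIC = re.compile(r"_(.+?)_")
_CODE = re.compile(r"`([^`]+)`")


def render_trusting_client(raw: str) -> str:
    """The failure mode from the post: the backend stores and renders whatever it
    receives, relying on the browser-side editor to have encoded < and >.
    A request edited in a proxy never went through that encoding."""
    return f"<p>{raw}</p>"


def render_profile_text(raw: str) -> str:
    """Server-side rendering that does not trust the client.
    1. HTML-escape every character first, so <, >, &, and quotes supplied by
       the user can never form a tag or an attribute.
    2. Only then turn the allow-listed markers into fixed tags.
    Every tag in the output was written by this function, never by the user."""
    escaped = html.escape(raw, quote=True)
    escaped = _BOLD.sub(r"<b>\1</b>", escaped)
    escaped = _ITALIC.sub(r"<i>\1</i>", escaped)
    escaped = _CODE.sub(r"<code>\1</code>", escaped)
    return f"<p>{escaped}</p>"


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header value with the flags the post found missing.
    HttpOnly keeps script on the page from reading the cookie, Secure keeps it
    off plaintext HTTP, and SameSite=Lax limits cross-site sending."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_trusting_client(SAMPLE_HOSTILE))  # the raw <script> tag reaches the page
    print(render_profile_text(SAMPLE_HOSTILE))     # tag is escaped, **bold** still works
    print(render_profile_text(SAMPLE_BENIGN))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

The ordering in `render_profile_text` is the point: escaping happens before any markup is interpreted, so the only way a `<b>` or `<code>` tag appears in the output is because the server itself emitted it. With HttpOnly on the session cookie, a script that does run on the page still cannot read `document.cookie`, which removes the cookie-theft step this post relied on.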

So I visited THIS, and our payload will be like this

And I have another account as a victim account, so I logged in with it, went to the attacker profile, and got the cookies in my Burp Collaborator.

And I got the victim’s cookies!!

So for any user who visits my profile, I’ll get their cookies and take over their account ;)

Finally, this issue has been reported and fixed!!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Thanks For Reading, Cheers!

For any questions or feedback, dm me on Twitter
