How I managed to take over any account that visits my profile with Stored XSS
Hello everybody, today we have a simple Stored XSS vulnerability that leads to stealing cookies and taking over the account. Let’s start.
The target is only one single domain and its API subdomain; let’s call them api.target.com. So simply, when I do a pen-test for any target I test every input field manually and check the response and the reflection to see whether any XSS is possible. The site has a lot of input functions. I tested all of them, and after checking all the input fields I got nothing except one input, whose reflection was weird.
In your profile, you have the ability to write decorated text to make your profile look nice to other users.
So the input field enables you to type bold, italic, and other text-formatting stuff like in MS Word, but when I entered any text between
`TEXT` the reflection goes into
I tried a basic XSS payload and found the same reflection.
So let’s fire up Burp Suite to see what happens when this request is sent.
When I intercepted the request I found that my HTML tags had been encoded, so
> then the request will be sent to the backend server.
So I replaced all the encoded chars with the original ones and forwarded the request,
and when I returned to the site I found the XSS alert triggered XD
So we got Stored XSS: for every user who goes to my profile the XSS will be triggered, and the funniest part is that none of the cookies have any
Secure flags. So let’s steal the cookies and pwn any user who comes to our profile.
So I visited THIS, and our payload will be like this
I have another account as a victim account, so I logged in with it and went to the attacker profile, and I got the cookies in my Burp Collaborator.
And I got the victim’s cookies!!
So for any user who visits my profile, I’ll get their cookies and take over their account ;)
Finally, this issue has been reported and fixed!!
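The root cause above is encoding that only happened in the browser, which the backend then trusted. The usual fix is to sanitize the stored profile field on the server against an allowlist, so what the client encoded (or didn’t) no longer matters. Here is such a sanitizer as an added example, written for this write-up and not the target’s own code; the set of allowed formatting tags is an assumption.

```python
from html import escape
from html.parser import HTMLParser

# Formatting the profile editor legitimately needs (assumed allowlist).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}
# Elements whose text content is discarded outright, not merely escaped.
SKIP_CONTENT = {"script", "style"}


class ProfileSanitizer(HTMLParser):
    """Rebuilds markup from the allowlist; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments
        self.stack = []    # allowed tags still open, for re-closing
        self.skipping = 0  # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping += 1
        elif tag in ALLOWED_TAGS:
            # Attributes are never copied, so onclick=, onerror=, href= vanish.
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.stack.append(tag)
        # any other tag (img, svg, iframe, a, ...) is silently dropped

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif self.stack and self.stack[-1] == tag:
            self.out.append(f"</{self.stack.pop()}>")

    def handle_data(self, data):
        if not self.skipping:
            # Text is re-escaped on the server, so stripping the browser-side
            # encoding from the forwarded request changes nothing.
            self.out.append(escape(data, quote=True))


def sanitize_profile_html(raw: str) -> str:
    """Run on the profile field before storing it, whatever the client sent."""
    p = ProfileSanitizer()
    p.feed(raw)
    p.close()
    while p.stack:  # close tags left open so the fragment cannot swallow the page
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)
```

Pair this with HttpOnly and Secure on the session cookie: the sanitizer stops the script from being stored, and the cookie flags limit what a script could read if one ever got through.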
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Thanks For Reading, Cheers!
For any questions or feedback, dm me on Twitter