An interesting Reflected XSS lead to Account Takeover.

Faizan Elahi
2 min read · Mar 17, 2021


Hello, my name is Faizan and I have been a web application penetration tester since 2016. I started bug hunting some time ago but never wrote about my findings until now; this is my very first write-up. If you are new, I hope you learn something from this finding, so let's dive in.

Let's suppose the website is https://redacted.com. I logged into the web application and the first page had a parameter with the value 1, like:

https://redacted.com/…/pg/1

I captured the request in Burp Suite, sent it to Repeater and changed the parameter to 123 to check whether it was reflected. The parameter was reflected inside a function within a JavaScript block, which looked something like this:

if (xyz === true) {
    // the reflected parameter value (123) is concatenated as a bare JavaScript token
    url += '&pageNum=' + 123;
    xyz = false;
}
$('#abc').load(url); // the assembled URL is then fetched into #abc

I tried to break out of the if statement using the payload ;}alert(1)

It was returned in the response, but it was somehow sanitized by the time the page loaded. (;︵;)

Then I shared it with my cousin. He simply replaced the page number, i.e. 123, with alert(1), and it triggered an alert right away. (^‿^)

HOW? ¯\_(ツ)_/¯

To understand that, we need a little understanding of programming rules: += updates the left-hand side with the right-hand side.

The parameter was being concatenated onto the URL, so the url variable was updated with it, and that url variable was then loaded by the last statement, $('#abc').load(url); because the injected value sat in an expression position rather than inside a string, it was evaluated as JavaScript before the concatenation happened.

So I simply changed the payload to alert(document.cookie), which popped an alert containing my cookies.
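To show why a filter on the break-out characters is not a fix for this pattern, here is an added example (not code from the original post or the affected site) of rendering the page number into that inline script: the vulnerable version beside a hardened one. The function names and the ';}'-stripping "sanitizer" are hypothetical assumptions about what the server did.

```javascript
// Added example, not from the original post. Names are hypothetical.

// Hypothetical sanitizer that only strips ';' and '}' (the characters used to
// break out of the if-block). It leaves 'alert(1)' completely untouched.
function stripBreakoutChars(value) {
  return String(value).replace(/[;}]/g, "");
}

// Vulnerable: the raw request parameter is spliced into JavaScript source as
// a bare token, so any expression the client supplies becomes code.
function renderScriptVulnerable(pageParam) {
  const page = stripBreakoutChars(pageParam);
  return [
    "if (xyz === true) {",
    `  url += '&pageNum=' + ${page};`,
    "  xyz = false;",
    "}",
    "$('#abc').load(url);",
  ].join("\n");
}

// Hardened: the parameter must be a bounded positive integer; anything else is
// rejected before it reaches the template. JSON.stringify on the parsed number
// is a second line of defence that guarantees a literal is emitted.
function parsePageNumber(pageParam) {
  const s = String(pageParam);
  if (!/^[1-9][0-9]{0,5}$/.test(s)) {
    return null; // not a page number: the caller should answer 400
  }
  return Number(s);
}

function renderScriptHardened(pageParam) {
  const page = parsePageNumber(pageParam);
  if (page === null) {
    throw new Error("invalid pageNum");
  }
  return [
    "if (xyz === true) {",
    `  url += '&pageNum=' + ${JSON.stringify(page)};`,
    "  xyz = false;",
    "}",
    "$('#abc').load(url);",
  ].join("\n");
}

// Self-check on rendered output: is the value after '&pageNum=' still a plain
// numeric literal? Useful as a regression test or a review-time detection rule.
function pageNumIsNumericLiteral(script) {
  return /'&pageNum=' \+ [0-9]+;/.test(script);
}
```

With the vulnerable renderer, the input alert(1) passes the character filter and lands in the script as `url += '&pageNum=' + alert(1);`, which is exactly the shape described above; the hardened renderer refuses it outright.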

What are Cookies?

Cookies are basically the credentials the browser presents as an identifier, so the user doesn't have to provide a password and other credentials each time a request is sent to the server.

Thankfully it had no protection against CSRF either ( ဖ‿ဖ), which I chained with the XSS to make a full account takeover vulnerability.

What is CSRF?

CSRF, or Cross-Site Request Forgery, is an attack that forces authenticated users to submit a request to a web application against which they are currently authenticated.


Apologies for my bad English. I hope you learnt something from this finding :) Peace ✌.

Written by Faizan Elahi, Security Researcher | Bugcrowd | Synack SRT member
