Chaining Open Redirect with XSS to Account Takeover


Hello everyone, I hope you are well. In this article I will show you how I escalated an XSS to Account Takeover. Since the target is private, let’s call it

The Open Redirect

I started testing the target and registered an account. During registration I could create my own subdomain for the organization, like
Then I logged in to the dashboard. Not long after, I found a URL endpoint like this

URL Endpoint

Then I tried an open redirect like this, and it worked: I was redirected to the page :D. Next I tried the XSS payload javascript:alert(1); in the same parameter and opened it in the browser, and yeah, the XSS popped up. The redirect parameter was placed into the navigation target without checking the scheme, so a javascript: URL runs as script in the origin of the application instead of redirecting anywhere.
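As an added example (not code from the original post or the affected application), this is the check that the redirect endpoint above was missing: resolve the user-supplied target with the URL parser, refuse every scheme except https:, and allow-list the hosts a redirect may land on. The origin https://app.example and the host list are constructed for the example.

```javascript
// Constructed values for the example: the application origin and the only
// hosts a post-login redirect is allowed to send the browser to.
const APP_ORIGIN = 'https://app.example';
const ALLOWED_HOSTS = new Set(['app.example', 'docs.app.example']);

// Returns an absolute https URL that is safe to place in a Location header,
// or null when the input must be rejected (caller then falls back to a
// fixed default such as the dashboard).
function resolveRedirect(target) {
  if (typeof target !== 'string' || target.length === 0) return null;

  let url;
  try {
    // Relative paths ("/dashboard") resolve against the app origin; absolute
    // and protocol-relative inputs ("//evil.example") keep their own host.
    // The parser also strips leading whitespace and embedded tab/newline
    // characters, so "java\nscript:" is still seen as the javascript: scheme.
    url = new URL(target, APP_ORIGIN);
  } catch {
    return null; // unparsable input is never redirected to
  }

  // javascript:, data:, vbscript:, http: and anything else that is not https:
  // is rejected outright; this is the check that blocks the XSS from the writeup.
  if (url.protocol !== 'https:') return null;

  // Host allow-list. "https://app.example.evil.example" and
  // "https://app.example@evil.example" both parse to a hostname that is not
  // in the set, so string-prefix tricks do not get through.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  // Never forward embedded credentials into the Location header.
  url.username = '';
  url.password = '';
  return url.href;
}

module.exports = { resolveRedirect };
```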

Chaining the XSS to Account Takeover

After that, I didn’t immediately report the bug. I was thinking of escalating this XSS to a more severe impact. Shortly after, I found a form that can change my email, like this

Form Change Email

But there was CSRF-TOKEN protection. Then I remembered that I had read a writeup about chaining XSS to a more severe impact. So I built a payload that changes my email and bypasses the CSRF-TOKEN protection using the XSS vulnerability. The payload was like this:


So when the user visited this URL in the browser:,%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(;alert('email%20changed'); the alert popped up and the email was changed. The token protection did not help here because the payload runs as script in the application’s own origin: it reads the XSRF-TOKEN cookie from document.cookie, copies it into the X-Xsrf-Token header, and sends the change-email request with the victim’s session cookies.

Alert popped up

Email changed successfully

Then I reported this to the program, but sadly it was a duplicate D:

I hope you enjoyed my article; keep learning and stay safe.

Tips:

Don’t be quick to report any bugs you find, always look for more severe impacts.
