So this is my first write-up. It is about how I was able to get into other users' accounts by stealing their cookies. It was a private program on Bugcrowd; let's just say the program was named Redact.
After reading that file's source code, I spotted a function that requested the logged-in user's cookies from the server and sent that cookie to a subdomain, https://reg.redact.com.cn, to get the user ID and email. The complete URL looked like this: https://reg.redact.com.cn/auth/setcookie?cookie=usercookie&domain=redact.com.cn
So I downloaded that file, modified its source code to log the user's cookie to the console instead of sending it to https://reg.redact.com.cn, and uploaded the modified file to my server, hoping it would log the cookies in the console.
It worked: the whole URL, including the cookie, was logged in my server console. Now it was time to test whether I could log in to my account using that cookie.
When I opened this URL in an incognito window I got a response like this: sum=sum+1. To confirm that I was logged in to the account, I opened https://redact.com.cn, and yes, I was logged in to my account.
So now, in order to log in to other users' accounts, I just had to send them the URL of the modified JS file on my server, and their cookies would be stored on my server.
It was a weird bug, and it was hard to explain to the program how it was exploited, but the wait was worth it.
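Two defender-side checks for the weakness described above, added here as an example and not code from the write-up or from the program: the first audits a Set-Cookie header for the attributes (HttpOnly above all) that would have kept the session cookie out of reach of a modified script, and the second scans access-log lines for requests that pass a cookie value to the setcookie endpoint, flagging those arriving with an off-site Referer. The endpoint path and host are taken from the write-up; the log lines and cookie values are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Combined Log Format); not from the original write-up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /auth/setcookie?cookie=session%3Dabc123&domain=redact.com.cn HTTP/1.1" 200 17 "https://attacker.example/mod.js"
203.0.113.6 - - [10/Oct/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://redact.com.cn/"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /auth/setcookie?cookie=session%3Dxyz&domain=redact.com.cn HTTP/1.1" 200 17 "https://redact.com.cn/app"
"""

# client, method, target, status, referer
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"')


def audit_session_cookie(set_cookie: str) -> list[str]:
    """Return the hardening attributes missing from a Set-Cookie header.

    HttpOnly is the one that stops document.cookie from exposing the session
    to any script, including a modified copy of the site's own JS file.
    """
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [name for name in ("httponly", "secure", "samesite") if name not in attrs]


def find_cookie_leaks(log_text: str, endpoint: str = "/auth/setcookie",
                      site_host: str = "redact.com.cn") -> list[dict]:
    """Flag requests that carry a cookie value in the query string of `endpoint`.

    Any such request is worth reviewing: the cookie lands in server logs and
    browser history. An off-site Referer is the stronger signal that the
    request came from a script hosted somewhere other than the site itself.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not parse rather than guessing
        client, _method, target, _status, referer = match.groups()
        parts = urlsplit(target)
        if parts.path != endpoint or "cookie" not in parse_qs(parts.query):
            continue
        ref_host = urlsplit(referer).hostname or ""
        on_site = ref_host == site_host or ref_host.endswith("." + site_host)
        hits.append({"client": client, "referer_host": ref_host, "cross_origin": not on_site})
    return hits


if __name__ == "__main__":
    print(audit_session_cookie("session=abc123; Path=/; Domain=redact.com.cn"))
    for hit in find_cookie_leaks(SAMPLE_LOG):
        print(hit)
```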
Thank you for reading.