Weaponizing XSS: Attacking an Internal System

Courtesy of BruteLogic

A few weeks ago I was talking to a friend of mine when he gave me a subdomain that had an admin panel and asked me whether I could find a way to get inside. Why not give it a try?

So I started my recon by doing directory scanning, checking for SQL injection, checking whether there were any vulnerable libraries, and finally

Shit. But I was curious to know more about it, so I went to Google, searched for the company and gathered more info about it, and even sent a connection request to the CTO via LinkedIn (we will get to the CTO in a minute).

While looking at the company website I saw a support panel where I could submit tickets. Somewhere in my head a voice was saying it's vulnerable and I should test it.

Hmm, maybe a blind XSS. So I went to my XSSHunter account, copied the payload and submitted the request. I never had any hope of a successful execution, but the next day I logged in to my account to check whether it had fired, and BOOM.

I was able to grab the cookie of the user who viewed the ticket, which let me impersonate them and gain a valid session. Boom, inside the internal system.

I registered a new account and submitted a responsible disclosure.

After a day I was greeted with one of the best messages I've ever got.

This mail was actually from the CTO of the company, a really cool guy who rewarded me for my finding.