An amazing way to turn an XSS into an ATO

1 year ago 88

In this write-up, I will discuss a bug that both myself and Flag_c0 discovered in a program. Without further delay, let’s get into the details of the vulnerability.

Finding the XSS

Flag_c0 found an XSS vulnerability while browsing the website. He discovered a hidden parameter that allowed him to bypass a simple filter by changing `<script>` to `<ScRiPt>`, leading to the XSS vulnerability. This vulnerability was easy to find, which is why it was marked as a duplicate.
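As an added defender-side illustration (not code from the original post), the snippet below shows why a literal-string blocklist of the kind described above lets `<ScRiPt>` through, and contrasts it with the actual mitigation, encoding untrusted data for the HTML context it is rendered in. The sample inputs are constructed for the demo.

```javascript
// Naive filter: rejects input only if it contains the exact lowercase tag.
// This is the kind of check that a mixed-case "<ScRiPt>" walks straight past.
function naiveFilterBlocks(input) {
  return input.includes("<script>");
}

// Case-insensitive variant. Catches the casing trick, but it is still a
// blocklist: other tags and event-handler attributes are untouched, so it is
// not a fix on its own.
function caseInsensitiveFilterBlocks(input) {
  return /<\s*script\b/i.test(input);
}

// The real mitigation: encode untrusted data before placing it in HTML text,
// so a tag of any casing is rendered as literal text instead of being parsed
// as markup. (Attribute, URL and JS contexts need their own encoders.)
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample inputs: the form the filter was written for, and the
// mixed-case variant from the write-up.
const SAMPLES = ["<script>alert(1)</script>", "<ScRiPt>alert(1)</ScRiPt>"];

// Runs every sample through both filters and the encoder, returning a row per
// input so the difference in behaviour is visible side by side.
function compareFilters() {
  return SAMPLES.map((s) => ({
    input: s,
    naiveBlocks: naiveFilterBlocks(s),
    caseInsensitiveBlocks: caseInsensitiveFilterBlocks(s),
    encoded: escapeHtml(s),
  }));
}

console.log(JSON.stringify(compareFilters(), null, 2));
```

The second row of the output shows the naive filter accepting the mixed-case payload while the encoder turns it into harmless text.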

Account Takeover

To escalate this issue, Flag_c0 found that the CSRF token was present in the page source of the profile settings page when it was visited. This meant that if we could read the CSRF token from that page, we could use JavaScript to change the email address and other profile settings.

However, we ran into difficulties when trying to fetch the settings page, because the filter was blocking certain words. So I had the idea of loading an external JavaScript file, `<script src="my_js.file">`, which kept the payload in the page short and moved the fetch logic outside the reach of the filter.

Now that the difficult part is completed, we just need to extract the CSRF token and send a POST request to update the email and country in the profile settings.

This code defines two functions: `changeEmail` and `handleResponse`. `changeEmail` sends an HTTP GET request to `/xx/profile/edit`, and when the response is received, it calls the `handleResponse` function.

The `handleResponse` function extracts the CSRF token from the response text and then sends an HTTP POST request to `/xx/profile/update` with the necessary headers and request body to update the email address and country in the profile settings.

I hope that this information was clear and helpful. Thank you for reading.

Feedback, suggestions and your point of view are always appreciated!
