Escalating RXSS with HttpOnly SameSite Session Cookies

3 days ago 12
BOOK THIS SPACE FOR AD
ARTICLE AD

Escalating RXSS with HttpOnly SameSite Session Cookies 🍪🚀

Recently, I found a reflected XSS (RXSS) bug 🪲 on a well-known API documentation platform. Here’s how I escalated this bug to high severity, leading to an admin account takeover 🔓.

Overview: The application used a GET redirect parameter that was only partially sanitized, allowing an attacker to escape it using ". Since the input parameter was hidden 🕵️ and the body had an onload listener that auto-submitted the form 📤, crafting a payload was tricky. Here’s the payload that worked for me(only works for chromium based browsers):

a" oncontentvisibilityautochange="alert(1)" style="content-visibility: auto

The next challenge was to work around the session cookies marked with HttpOnly and SameSite 🔒. After some enumeration 🧑‍💻, I discovered multiple same-site endpoints for updating user and project settings. By crafting a fetch request to the email change endpoint and including the XSRF token from the cookies 🍪, I achieved account takeover! 🎉

Hope this helps other researchers! 🔍✨ Happy hunting! 🕵️‍♂️

Read Entire Article