.png)
1 week ago
23 BOOK THIS SPACE FOR AD
ARTICLE ADEscalating RXSS with HttpOnly SameSite Session Cookies 🍪🚀
Recently, I found a reflected XSS (RXSS) bug 🪲 on a well-known API documentation platform. Here’s how I escalated this bug to high severity, leading to an admin account takeover 🔓.
Overview: The application used a GET redirect parameter that was only partially sanitized, allowing an attacker to escape it using ". Since the input parameter was hidden 🕵️ and the body had an onload listener that auto-submitted the form 📤, crafting a payload was tricky. Here’s the payload that worked for me(only works for chromium based browsers):
a" oncontentvisibilityautochange="alert(1)" style="content-visibility: autoThe next challenge was to work around the session cookies marked with HttpOnly and SameSite 🔒. After some enumeration 🧑💻, I discovered multiple same-site endpoints for updating user and project settings. By crafting a fetch request to the email change endpoint and including the XSRF token from the cookies 🍪, I achieved account takeover! 🎉
Hope this helps other researchers! 🔍✨ Happy hunting! 🕵️♂️
Bengali (Bangladesh) · 
English (United States) ·