Good day to all security researchers and bug hunters. It's Jefferson Gonzales again, and today I will share my writeup about my findings on HackerEarth and how I got swag from them. Without wasting your time, let's begin.
The first step is recon. I collected all the subdomains of HackerEarth and checked each one manually, and one of their subdomains caught my attention. Sorry, but I can't disclose the subdomain, so let's call it test.hackerearth.com.
On test.hackerearth.com you can sign in and sign up. First I signed up, and it redirected me to the dashboard area. I hunted for CSRF but found nothing, then I tried changing my name to an XSS payload, and to my surprise the XSS triggered. I was very excited to report it, but I found out it was a self XSS. How did I know? It's very simple: on test.hackerearth.com there is no function to view other users' profiles; you can only see your own profile, which is why it is a self XSS.
I hunted for another vulnerability to escalate my self XSS to critical impact. While reviewing my Burp Suite history, I found this POST request, sent when I changed my name:
POST /api/sprint/v1/setup-profile/ HTTP/2
Host: test.hackerearth.com
Origin: https://test.hackerearth.com
Referer: https://test.hackerearth.com/auth/setup-profile
Te: trailers
Connection: close

first_name=</script><svg/onload=alert(1)>&last_name=Tanga&email=attacker@gmail.com
As you can see, my email was also in the POST request. What if I changed it to the victim's email?
So I created a new account, and in the POST request I had captured earlier I changed the email to my new account's email:
POST /api/sprint/v1/setup-profile/ HTTP/2
Host: test.hackerearth.com
Origin: https://test.hackerearth.com
Referer: https://test.hackerearth.com/auth/setup-profile
Te: trailers
Connection: close

first_name=</script><svg/onload=alert(1)>&last_name=Tanga&email=victim@gmail.com
Then voilà! The XSS triggered on my new account. All you need is the victim's email to take over any account on test.hackerearth.com.
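To make the root cause concrete, here is an added example (my own illustration, not HackerEarth's code) that models the setup-profile endpoint in Python in both its vulnerable and its fixed form. The in-memory user store, the Session object, the example.com addresses and the audit log are all hypothetical; the payload is the one from the request above. The vulnerable handler picks the row to update from the client-supplied email field, so any logged-in user can write a stored XSS into another account's name. The fixed handler binds the update to the authenticated session, records a mismatch for defenders, and the renderer escapes the name on output so that even a bad stored value cannot execute.

```python
"""Model of a profile-setup endpoint: trusting the form's 'email' field (vulnerable)
versus binding the update to the authenticated session (fixed).
Everything here is constructed for illustration; it is not the real application."""
import html
from dataclasses import dataclass

# Payload from the writeup, used only to show where it ends up in each version.
PAYLOAD = "</script><svg/onload=alert(1)>"

# Audit trail a defender could alert on (hypothetical sink; would be a real logger).
audit_log = []


@dataclass
class User:
    email: str
    first_name: str = ""
    last_name: str = ""


@dataclass
class Session:
    email: str  # identity established at login, never taken from the request body


class ProfileStore:
    def __init__(self, users):
        self.users = {u.email: u for u in users}

    def setup_profile_vulnerable(self, session, form):
        """Selects the target account from the POST body's 'email' field.
        Any authenticated user can therefore overwrite any other user's name."""
        target = self.users[form["email"]]
        target.first_name = form["first_name"]
        target.last_name = form["last_name"]
        return target

    def setup_profile_fixed(self, session, form):
        """Selects the target account from the server-side session only.
        A client-supplied email that differs from the session is ignored and logged."""
        target = self.users[session.email]
        supplied = form.get("email")
        if supplied is not None and supplied != session.email:
            audit_log.append(
                f"setup-profile: session={session.email} tried to set email={supplied}"
            )
        target.first_name = form["first_name"]
        target.last_name = form["last_name"]
        return target


def render_name(user):
    """Output-encode before interpolating into HTML so a stored payload is shown as text."""
    return f"<span>{html.escape(user.first_name)} {html.escape(user.last_name)}</span>"


def attacker_form():
    # Constructed request body: the attacker's own session submits the victim's email.
    return {"first_name": PAYLOAD, "last_name": "Tanga", "email": "victim@example.com"}


def run_vulnerable():
    """Returns the victim's record after the vulnerable handler processes the request."""
    store = ProfileStore([User("attacker@example.com"), User("victim@example.com")])
    store.setup_profile_vulnerable(Session("attacker@example.com"), attacker_form())
    return store.users["victim@example.com"]


def run_fixed():
    """Returns both records and the audit entries after the fixed handler runs."""
    audit_log.clear()
    store = ProfileStore([User("attacker@example.com"), User("victim@example.com")])
    store.setup_profile_fixed(Session("attacker@example.com"), attacker_form())
    return {
        "attacker": store.users["attacker@example.com"],
        "victim": store.users["victim@example.com"],
        "audit": list(audit_log),
    }


if __name__ == "__main__":
    print("vulnerable -> victim first_name:", run_vulnerable().first_name)
    result = run_fixed()
    print("fixed -> victim first_name:", repr(result["victim"].first_name))
    print("fixed -> attacker rendered:", render_name(result["attacker"]))
    print("fixed -> audit:", result["audit"])
```

The two handlers differ in a single line: where the target row comes from. Access-control decisions for "who am I editing" must come from server-side state, and output encoding is the second, independent layer that turns the self XSS into harmless text even if some other write path is later found.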
Reported date: July 4, 2021
Initial reply: July 5, 2021
Issue fixed: July 23, 2021