How I was able to get 1-Click ATO through self-XSS

7 months ago

Let Us Begin.

For Non-Disclosure's sake, let's call the website www.xyz.com

The website is a hotel booking platform that lets you browse and book hotels across different cities.

So I started testing different functionalities around the website, like sign-up, sign-in, forgot password, and booking a hotel, but nothing was found.

So I moved on to the profile section and noticed that the update-profile API does not carry a CSRF token. I created a PoC and sent the request to the victim, and **BOOM**: CSRF that lets me change the victim's profile information.
