Chaining Open Redirect with XSS to Account Takeover

Hello everyone, I hope you are well. In this article I will show you how I escalated an XSS to Account Takeover. Since the target is private, let’s call it

The Open Redirect

I started testing the target and registered an account. During registration I could create my own subdomain for the organization, like Then I logged in to the dashboard. Not long after, I found a URL endpoint like this

URL Endpoint

Then I tried an open redirect like this and it was successful: I was redirected to the page :D. Then I tried the XSS payload javascript:alert(1); and opened it in the browser, and yeah, the XSS popped up.
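The root cause in the writeup is a redirect parameter that accepts any value, so a javascript: URI is followed as a redirect target and executes in the page's origin. The following is an added example of a server-side redirect validator, not the target's own code; the parameter name, the allow-listed hosts (app.example, docs.example) and the default landing page are assumptions. It rejects non-https schemes (javascript:, data:), protocol-relative //host values, backslash paths that browsers read as //host, and userinfo tricks such as https://app.example@evil.example, and falls back to a fixed default.

```python
"""Validate a post-login redirect target before issuing a 302.

Added example for this writeup; it is not the target's code. The host
allow-list and the default landing page are assumptions. The value is
expected as already delivered by the web framework, i.e. percent-decoded once.
"""
from typing import Optional
from urllib.parse import urlsplit

# Hosts the application may redirect to (constructed for the example).
ALLOWED_HOSTS = {"app.example", "docs.example"}
DEFAULT_TARGET = "/dashboard"

# Browsers drop tabs and newlines when reading a URL's scheme, so
# "java\tscript:" still runs as javascript:. Remove them before parsing.
_STRIPPED = str.maketrans("", "", "\t\r\n")


def safe_redirect(value: Optional[str],
                  allowed_hosts=ALLOWED_HOSTS,
                  default: str = DEFAULT_TARGET) -> str:
    """Return `value` if it is a safe redirect target, otherwise `default`."""
    if not value:
        return default
    candidate = value.translate(_STRIPPED).strip()
    if not candidate:
        return default

    parts = urlsplit(candidate)

    # Case 1: no scheme and no authority, i.e. a same-site relative path.
    # It must start with exactly one "/" ("//host" is protocol-relative) and
    # must not contain a backslash, which browsers normalise to "/".
    if not parts.scheme and not parts.netloc:
        if (candidate.startswith("/")
                and not candidate.startswith("//")
                and "\\" not in candidate):
            return candidate
        return default

    # Case 2: absolute URL. Only https to an allow-listed host is accepted.
    # urlsplit lowercases the scheme, so "JavaScript:" is caught too, and
    # .hostname is the part after any "user@", so "https://app.example@evil"
    # resolves to the real host "evil" and is rejected.
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return candidate
    return default


if __name__ == "__main__":
    # Constructed sample inputs, including the kind of value used in the writeup.
    for sample in ["/dashboard", "javascript:alert(1);", "//evil.example/",
                   "/\\evil.example", "https://app.example/settings",
                   "https://app.example@evil.example/"]:
        print(f"{sample!r:45} -> {safe_redirect(sample)!r}")
```

Note that the CSRF token in the writeup was never the control that mattered here: script running in the application's origin can read a non-HttpOnly token cookie or fetch the token from any page, so a token cannot stop an XSS-driven request. The redirect validation removes the script execution; in addition, sensitive changes such as a new email address are commonly gated behind re-authentication or a confirmation sent to the old address, which this example does not cover.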

Chaining the XSS to Account Takeover

After that, I didn’t immediately report the bug. I thought about escalating this XSS to a more severe impact. Shortly after, I found a form that could change my email, like this

Form Change Email

But there was CSRF-TOKEN protection. Then I remembered that I had read a writeup about chaining XSS to a more severe impact. So I made a payload to change my email and bypassed the CSRF-TOKEN protection with the XSS vulnerability. The payload was like this:


So, when I visited this URL;,%27,%20true);var%20csrf=%20document.cookie.split(%27;%20%27).find(row%20=%253e%20row.startsWith(%27XSRF-TOKEN%27)).split(%27=%27)[1];http.setRequestHeader(%27X-Xsrf-Token%27,csrf);http.withCredentials=true;http.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);http.send(;alert('email%20changed'); in the browser, the alert popped up and the email was changed.

Alert Popped Up
Email Changed Successfully

Then I reported this to the program, but it was marked as a duplicate :(

I hope you enjoyed my writeup. Keep learning and stay safe.

Tips:

Don’t be quick to report any bugs you find, always look for more severe impacts.

Keep Silent.