How I found XSS in a really secured Site which led to Full Account Takeover.

Ahmad Moaaz
3 min read · Aug 5, 2020

Introduction

A few months ago, I was working in my office when my team lead gave me a web application and told me to do input validation testing on the target. Since the team members working on this project were already done with the other parts of the testing, input validation was left and that part came to me to finish.

The application was properly sanitizing every input field and every parameter that I came across. On top of that, every payload triggered an additional 403 error, and at that point I thought I was probably not going to find anything, but I still wanted to test every input field even though it was blocking every payload. I continued testing and left some parts for the next day.

The next day I woke up and started input validation testing on the remaining fields of the application, and the whole time I had no hope of finding anything since my payloads were being sanitized and blocked by a WAF.

That whole day went by and I still found nothing. I messaged my team lead and said that I was almost done with the pentest and would give him the report by the next morning, and he said OK.

So this was the third day with no findings, and I only had two remaining parts to test. When I clicked on the last function, which said “reports”, I saw that the application allowed its users to upload a .rar file. As soon as I saw file upload functionality, my hopes got high and I was like noiceeeee.

The first thing I wanted to check was whether I could upload a file of a type other than .rar, but unluckily the application had a server-side check implemented that did not let any other file type get uploaded. All my hopes went straight to the ground, but I still did not give up.

Then I tried putting an XSS payload as the file name to see if I could get the payload to execute, but it still did not work. There was an option to publish the uploaded file, so I thought maybe publishing would trigger the payload, but it did not :( After this I decided to give it one last try and then wind up the pentest and submit the report.

The .rar file I was uploading had a .txt file inside, so I changed its name to an XSS payload, '-alert(document.domain)-', as well and then uploaded the file again. It got uploaded like the other files did, and when I clicked on the publish button, having no hope, a pop-up alert showed up!!!!
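The shape of that payload (a leading quote, then a minus, then code) suggests the archive entry name was spliced into a JavaScript string literal when the report was published. The following is an added example, not code from the original post or from the tested application; the inline-script template, the showEntry function and the simulated browser are assumptions, used to show the vulnerable rendering beside a hardened one.

```javascript
// Added example, not code from the original post or the tested application.
// It models the bug described above: an archive entry name spliced into an
// inline <script> string literal (an assumption about the app's template),
// beside a hardened rendering that keeps the name as data.

// Constructed sample entry name, modelled on the payload used in the post.
const PAYLOAD_NAME = "'-alert(document.domain)-'.txt";

// Vulnerable rendering: plain concatenation into a single-quoted JS literal.
// A quote in the name ends the literal, and the rest of the name is code.
function renderEntryUnsafe(name) {
  return `<script>var entry = '${name}'; showEntry(entry);</script>`;
}

// JSON.stringify emits a valid JS string literal with quotes, backslashes and
// control characters escaped; '<' is escaped too so a name containing
// "</script>" cannot close the tag early.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c");
}

// Hardened rendering: the name is always one complete literal, never code.
function renderEntrySafe(name) {
  return `<script>var entry = ${jsStringLiteral(name)}; showEntry(entry);</script>`;
}

// For a name placed into markup (e.g. a file list) use HTML-context escaping.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Test harness standing in for the browser: runs the inline script body with
// alert/document/showEntry stubbed and records what happened.
function simulateBrowser(html) {
  const body = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  const result = { alertFired: false, entry: undefined };
  const alert = () => { result.alertFired = true; };
  const document = { domain: "example.test" };
  const showEntry = (e) => { result.entry = e; };
  new Function("alert", "document", "showEntry", body)(alert, document, showEntry);
  return result;
}

console.log(simulateBrowser(renderEntryUnsafe(PAYLOAD_NAME)).alertFired); // true
console.log(simulateBrowser(renderEntrySafe(PAYLOAD_NAME)).entry === PAYLOAD_NAME); // true
```

The server-side extension check on the .rar itself did nothing here, because the untrusted value was the name of an entry inside the archive, rendered at publish time.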

I was so happy that after three days of no luck and no hope, this last thing actually worked. Now I wanted to do something more than a pop-up; I wanted to raise the impact of this XSS to critical, so I quickly checked whether the session cookie had the httpOnly flag set (if not, I could have stolen it through the XSS), and it did, damn it!

I then looked at whether the application was storing anything else in local storage and saw that it was storing a JWT token there.

JWTs are typically used as session identifiers for web applications, mobile applications, and API services. But, unlike traditional session identifiers, which act as nothing more than a pointer to the actual user data on the server side, JWTs typically contain user data directly.

You can read more about JWT tokens and how they work here.

I quickly used the payload alert(JSON.stringify(localStorage)) to see whether it would execute, and it did!!!!

And that’s my story of how I found this XSS on a web application that was sanitizing and blocking every payload, and was able to successfully steal the session token (the JWT) from local storage.

(Screenshot: JWT token from local storage)

Thanks for reading my first post; if you see any mistakes or want me to add something to it, do let me know 😄

Please smash that clap button if you liked it 👏

Ahmad Moaaz

A Security Engineer/Penetration Tester who likes breaking into applications