Today, I want to share my experience of discovering an account takeover (ATO) vulnerability through XSS and an open redirect. Let's dive right in!
The hunt started with a randomly chosen program; let's call it example.xyz. It is a crypto platform.
I started by enumerating subdomains and checking for a possible subdomain takeover, but found nothing.
I used Wayback URLs to grab historical URLs for example.xyz and started hunting manually. I visited the signup page and started the registration process; while registering on the site I noticed a parameter called callbackUrl:
https://example.xyz/sign-in?callbackUrl=
I decided to test this parameter with an open redirect payload:
https://example.xyz/sign-in?callbackUrl=https://example.xyz@evil.com
This open redirect worked: after signing in, I was redirected to evil.com. But this wasn't sufficient for higher impact (at most it could be rated P3/P4), so I decided to test for XSS. I tried many payloads, but the tags <> were filtered out of the payload. So I decided to use a different payload, i.e.
javascript:alert(document.cookie)
This one worked successfully: I was able to pop up an alert with the session cookies.
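The defensive counterpart of what happened above, as an added example that is not code from the original post or the program: a callbackUrl validator that rejects both payloads shown (the `user@host` trick and the `javascript:` scheme), next to a brackets-only filter of the kind the post ran into. The site name, the allowed-host list and the default landing page are assumptions.

```python
from urllib.parse import urlsplit

# Constructed values (assumptions): the site's own host and where to land
# when a callbackUrl cannot be trusted.
ALLOWED_HOSTS = {"example.xyz"}
DEFAULT_REDIRECT = "/dashboard"


def naive_filter(raw: str) -> str:
    """A filter that only strips angle brackets, as the post describes.

    It blocks <script>-style tags but leaves 'javascript:' and
    'https://example.xyz@evil.com' untouched, so it stops neither payload.
    """
    return raw.replace("<", "").replace(">", "")


def safe_callback_url(raw: str) -> str:
    """Return a redirect target that stays on the site, or the default."""
    if not raw:
        return DEFAULT_REDIRECT
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so
    # remove all whitespace before parsing rather than matching on the raw text.
    cleaned = "".join(raw.split())
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()

    if scheme == "" and not parts.netloc:
        # Site-relative path: allow "/path" only, never "//host" or "/\host",
        # both of which browsers treat as a new authority.
        if cleaned.startswith("/") and not cleaned.startswith(("//", "/\\")):
            return cleaned
        return DEFAULT_REDIRECT

    if scheme not in ("http", "https"):
        # Rejects javascript:, data:, vbscript: and any other non-web scheme.
        return DEFAULT_REDIRECT
    if parts.username is not None or parts.password is not None:
        # Rejects https://example.xyz@evil.com: "example.xyz" is userinfo,
        # the real host is evil.com.
        return DEFAULT_REDIRECT
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        # Exact host match; also rejects example.xyz.evil.com.
        return DEFAULT_REDIRECT
    return cleaned
```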

After this, I prepared a report and submitted it to the program. A few days later I got a reply from the program manager.

The report was considered a duplicate of a 2024 report submitted by someone else on the platform.
Thank you for reading! If you enjoyed it, clap 50 times.
New articles dropping soon.
Connect with me: LinkedIn: https://www.linkedin.com/in/jeet-pal-22601a290/ Instagram: https://www.instagram.com/jeetpal.2007/ X/Twitter: https://x.com/Mr_mars_hacker