An Unexpected Account Takeover
Hii Everyone, Hope everyone doing well.
Myself Basavaraj, I am back again with My 3rd writeup, May be from this writeup you will learn something new or never neglect to check everything on a target.
I thought to hack on a public program i.e old(around 3000+ bugs reported) lets take it as target.com(they don’t have permission for disclosure), Its large scope program, As everyone starts with subdomain enumeration and filtering live subdomains, I also did the same and started looking manually each subdomain, tested around 25–30 subdomains got nothing, and finally I came across an subdomain with some functions. Now navigated that sub.target.com its gives an login page and also consist of signup page, Tested both signup, login, password reset But didn’t got anything. Now what, Lets move forward after logging in it redirect me to sub.target.com/dashboard
Now I started looking each endpoint and does not came across any functional part to test vulnerabilities and I started to fuzz target But they blocked my VPS IP😔. Now I started looking source code to check hidden endpoint, This time also failed and Now started looking JS Files manually there are around 5–6 JS files started looking each one and I found that one JS file that’s size is 13MB after opening that endpoint file my chrome browser got freezed 😂. And after sometime it responded and started looking JS file after scrolling 1 hour I thought to close it and take another target, But at that time I came across some endpoints. started checking all endpoints one endpoint have some function i.e sub.target.com/targetgroups
After navigating sub.target.com/targetgroups I got somethings I don’t know what they do.
I Hope your thinking is right i.e rename parameter and I clicked rename and added xss payload there
and clicked on rename and successfully got popup and also its stored xss
Now, I want to increase impact and quickly made another account and navigated to the sub.target.com/targetgroups , And Guess what I got popup there also🥳, Now I added Blind xss payload from xsshunter and added in rename field again with first account
And now I logined to my second account and navigated to sub.target.com/targetgroups and checked my xsshunter And I got cookies of second account🥳..
Using these cookies I tried logging in and successfully logged in to the account.
Takeaway:- Never Ignore JS Files(Because I am about to leave checking of JS file)
Follow me on twitter : https://twitter.com/basu_banakar
Follow me on Instagram : https://instagram.com/basu_banakar
Website : https://www.basubanakar.com