How I managed to trigger XSS automatically to get critical account takeover
Hello everybody! This is my first Medium post, so I hope you like it.
This write-up is about one of the best findings I have ever had on HackerOne. The impact was critical because the XSS was stored and you could send it through a chat to any user, leading to the theft of their credentials. So, let’s go!
If I sent https://google.com, the chat parsed the text and put the URL as a link inside an “a” HTML tag:
So the first malicious payload that I sent was:
And boom I saw how the HTML was broken:
In this part I had no problems, and I successfully injected an onclick=alert(1) a attribute with the following payload:
having as result the following final tag:
<a href="https://google.com" onclick="alert(1)" a="">
And when the victim clicked the link the popup alert appeared.
At this point I had a high severity vulnerability, because I could take over any account, but only with user interaction.
But the big problem was that I couldn’t inject new HTML tags to define the animation in a ‘style’ tag.
How did I solve this problem?
I only needed to find one animation already defined in REDACTED’s CSS. So I opened each of the CSS files loaded on the site, and I FOUND IT!
Now I only had to prepare the exploit:
- I defined the animation I had found in the tag’s style attribute.
So when the attacker sends the malicious message through the chat and the victim opens it, the tag’s style is loaded, the animation starts, the event handler in the onanimationstart attribute executes the injected code, and the attacker automatically receives the victim’s credentials on their Burp Collaborator.
After testing it a lot I wrote the report and I submitted it.
The report was triaged in 2 days and resolved in 7 days with a $3000 bounty.
Thanks for reading I hope this helps!
You can follow me on Twitter: https://twitter.com/c4rrilat0r.