Weaponizing Reflected XSS to Account Takeover


Hi fellow hunters, this is my first writeup for the community, in which I will explain how I found a reflected cross-site scripting bug and further escalated it to achieve account takeover of any user on the website.

The target I was testing was a private program with a single main domain, so I will refer to it as www.redacted.com throughout this blog. Let’s get started.

Finding Reflected XSS

Parameter Discovery

During the recon phase, I fired up the Burp Suite proxy, added www.redacted.com to the scope and started surfing the website to capture traffic. To find XSS, I normally use a Burp Suite Pro extension called “Reflected Parameters”, which monitors in-scope request traffic generated by the proxy and looks for request parameter values that are reflected in the response.

Reflected Parameters Extension

So, while capturing the traffic, I came upon a parameter named blogPostId whose value was reflected in the JS context.

Reflection took place in JS context
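The check the extension performs, and the reason a JS-context reflection matters, can be reproduced in a few lines. The following is an added example, not code from the writeup or from the Burp extension: it scans a constructed request/response pair for query values echoed back verbatim, reports whether each echo lands inside a `<script>` block or in plain HTML, and shows the server-side encoding that makes a value safe to embed as a JS string literal. The URL, parameter names and response body are all constructed sample data.

```python
"""Reflected-parameter check with output-context classification (added example)."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the response echoes blogPostId both in HTML and inside a script.
SAMPLE_URL = "https://www.redacted.com/blog?blogPostId=abc123xyz&ref=newsletter&p=2"
SAMPLE_BODY = """<html><body>
<h1>Post abc123xyz</h1>
<script>
  var blogPostId = "abc123xyz";
  loadPost(blogPostId);
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def find_reflections(url, body, min_len=4):
    """Return {param: sorted contexts} for every query value echoed verbatim in body.

    A context is "js" when the echo sits inside a <script> element, otherwise "html".
    Values shorter than min_len are skipped because they match by chance too often.
    """
    script_spans = [m.span(1) for m in SCRIPT_RE.finditer(body)]
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) < min_len:
            continue
        for m in re.finditer(re.escape(value), body):
            in_script = any(start <= m.start() < end for start, end in script_spans)
            hits.setdefault(name, set()).add("js" if in_script else "html")
    return {name: sorted(ctxs) for name, ctxs in hits.items()}


def js_string_literal(value):
    """Encode an untrusted value as a JS string literal that cannot break out of
    its quotes or close the surrounding <script> block: JSON-escape, then hex-escape
    the characters that matter to the HTML parser."""
    literal = json.dumps(value, ensure_ascii=True)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


if __name__ == "__main__":
    print(find_reflections(SAMPLE_URL, SAMPLE_BODY))   # blogPostId echoed in html and js
    print(js_string_literal('abc"</script>'))           # safe to drop between quotes
```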

I decided to further test this parameter by using a small string with a set of special
