Hi fellow hunters, this is my first writeup for the community. In it I will explain how I found a reflected cross-site scripting (XSS) bug and escalated it to achieve account takeover of any user on the website.
The target I was testing was a private program with a single main domain, so I will refer to it as www.redacted.com throughout this blog. Let's get started.
Finding Reflected XSS
During the recon phase, I fired up the Burp Suite proxy, added www.redacted.com to the scope and started surfing the website to capture traffic. To find XSS, I normally use a Burp Suite Pro extension called "Reflected Parameters", which monitors the in-scope request traffic generated by the proxy and looks for request parameter values that are reflected in the response.
Reflected Parameters Extension
So, while capturing the traffic I came upon a parameter named blogPostId whose value was reflected in the JS context.
Reflection took place in JS context
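To make the two points above concrete, here is an added example (my own illustration, not code from the original post and not the Reflected Parameters extension itself): a minimal version of the check the extension performs, i.e. which query parameter values come back verbatim in the response and whether the reflection lands inside a script element, followed by the server-side fix for a value echoed into a JavaScript string. The URL, the blogPostId value and the HTML response are constructed for this example; the helper names are my own.

```python
"""Added example: detect reflected query parameters and classify the
reflection context, then show the safe way to embed a value in JS.
The sample request and response below are constructed, not captured."""
import json
import re
from urllib.parse import parse_qsl, urlparse

# Constructed sample: the blogPostId value is echoed inside a <script> block,
# while the ref value is echoed into ordinary HTML text.
SAMPLE_URL = "https://www.redacted.com/blog?blogPostId=post-1234&ref=newsletter"
SAMPLE_RESPONSE = """<html><body>
<h1>Blog</h1>
<script>
  var postId = 'post-1234';
  loadPost(postId);
</script>
<p>Thanks for visiting from newsletter</p>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def find_reflected_params(url, body, min_len=4):
    """Return {param: context} for every query parameter whose value appears
    verbatim in the response body. Context is 'js' when the hit sits inside
    a <script> element, otherwise 'html'. Very short values are skipped
    because they reflect by coincidence far too often."""
    script_spans = [m.span(1) for m in SCRIPT_RE.finditer(body)]
    found = {}
    for name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if len(value) < min_len:
            continue
        for m in re.finditer(re.escape(value), body):
            in_js = any(start <= m.start() < end for start, end in script_spans)
            # A script-context reflection is the more serious finding, so it wins.
            if in_js or name not in found:
                found[name] = "js" if in_js else "html"
            if in_js:
                break
    return found


def js_string_literal(value):
    """Encode an untrusted value for use inside a JavaScript string literal.
    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii=True) all non-ASCII characters; the extra replacement
    stops the value from closing the enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_post_script(post_id):
    """Return (vulnerable, fixed) renderings of the snippet seen in the
    response: plain string concatenation versus a properly encoded literal."""
    vulnerable = "var postId = '" + post_id + "';"
    fixed = "var postId = " + js_string_literal(post_id) + ";"
    return vulnerable, fixed


if __name__ == "__main__":
    for param, ctx in find_reflected_params(SAMPLE_URL, SAMPLE_RESPONSE).items():
        print(f"{param}: reflected in {ctx} context")
    for line in render_post_script("o'neill"):
        print(line)
```

Running it flags blogPostId as a script-context reflection and ref as an HTML-context one, which is exactly the triage distinction that matters: an HTML-context echo needs HTML entity encoding, while a script-context echo needs JavaScript string encoding as in js_string_literal, and the two are not interchangeable.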
I decided to further test this parameter by using a small string with a set of special