Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

From Self-XSS, HttpOnly Cookies and no iframes to ATO- 1833

aretekzs, posted 3 months ago
  • While reviewing the application, the author of the post found a self-XSS vulnerability. Normally this has no impact on other users, but they wanted to turn it into something that did. Thus starts the chain! The application was also vulnerable to login/logout CSRF, so any user could be forcibly logged into or out of an account.
  • With the login CSRF and the XSS, it's possible to execute code within the context of the user's account. But on its own that's not very helpful... so now what? Cookies have a Path attribute. If two cookies share the same name, the browser sends the one whose Path matches the request most specifically first, so that is the value the server ends up using.
  • On its own this doesn't do much, because the script can't read the HttpOnly session cookie and so can't re-set it under a different path. So they built a bot that would log in, copy the session cookies and store them at a URL. When the XSS fired, the payload fetched those values and set the cookie at a specific path itself. This works around HttpOnly (the script only writes a value the bot already captured; it never needs to read the cookie), and the path scoping means the attacker's session and the user's session can both be active in the same browser at the same time.
  • Here's the full chain:
    1. Victim visits the attacker's page and gets hit by a login CSRF into the attacker's account, which includes a redirect to the page with the self-XSS.
    2. The XSS triggers on that page. The payload fetches the attacker's own cookie value (from the bot) and sets it at the settings/phone path.
    3. Logout CSRF.
    4. The victim logs into their normal account, which redirects back to the page with the XSS once again.
    5. There are now two active session cookies, and which one is sent depends on the path: on settings/phone the attacker's cookie wins, so the page (and its XSS) renders in the attacker's account, while requests to other paths carry the victim's cookie. The XSS from the attacker's account can therefore make API requests with the victim's cookie and act on the victim's account.
  • Overall, a pretty nifty set of tricks! I had never thought of having a bot get credential information for me and manually setting the token data. But, this actually worked pretty well!
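Cookie path shadowing is what makes this chain work, so here is an added example (my own code, not anything from the post) that models the browser's RFC 6265 path-match rule and shows how the `__Host-` cookie prefix shuts the trick down; the cookie names, values and paths are made up.

```python
# Added example, not the post's code: a small model of RFC 6265 cookie path matching; names and values are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool = True
    domain: Optional[str] = None   # None = host-only (no Domain attribute)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def accept(jar: List[Cookie], c: Cookie) -> bool:
    """Store a cookie as a browser would; __Host- names must be Secure, host-only and Path=/."""
    if c.name.startswith("__Host-") and not (c.secure and c.domain is None and c.path == "/"):
        return False
    jar[:] = [old for old in jar if (old.name, old.path) != (c.name, c.path)]
    jar.append(c)
    return True

def cookie_header(jar: List[Cookie], request_path: str) -> str:
    """Cookie header for a request: matching cookies, longer paths first (RFC 6265 5.4)."""
    matching = sorted((c for c in jar if path_matches(request_path, c.path)),
                      key=lambda c: len(c.path), reverse=True)
    return "; ".join(f"{c.name}={c.value}" for c in matching)

def session_seen_by_server(jar: List[Cookie], request_path: str, name: str) -> Optional[str]:
    """Most server frameworks keep the first cookie with a given name."""
    for part in cookie_header(jar, request_path).split("; "):
        k, _, v = part.partition("=")
        if k == name:
            return v
    return None

def demo(prefix: str) -> dict:
    """Login sets <prefix>session at Path=/; page script then tries the same name at Path=/settings/phone."""
    name = prefix + "session"
    jar: List[Cookie] = []
    accept(jar, Cookie(name, "victim-sid", "/"))                          # Set-Cookie from the real login
    injected = accept(jar, Cookie(name, "other-sid", "/settings/phone"))  # written via document.cookie
    return {"injected": injected,
            "settings_page": session_seen_by_server(jar, "/settings/phone", name),
            "api_call": session_seen_by_server(jar, "/api/account", name)}
```

`demo("")` shows the path-scoped cookie winning only on /settings/phone while API calls still carry the other session, and `demo("__Host-")` shows the browser refusing it outright; the prefix is a backstop, the real fixes are CSRF protection on login/logout and removing the XSS.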