Stealing login credentials with reflected XSS

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · bug-bounty
quality 5/10 · average
0 net
AI Summary

A researcher discovered a reflected XSS vulnerability on a login page's redirect parameter that allowed stealing user credentials by injecting JavaScript code to exfiltrate email and password values, resulting in a $100 bounty.

Entities
mehulpanchal007 HackerOne
Stealing login credentials with Reflected XSS | by mehulpanchal007
~1 min read · October 1, 2019 (Updated: December 12, 2021)

Hello Hackers,

This was my first bounty, worth $100. I got really excited the moment the email notification popped up. Read this write-up to learn how I found that bug.

Let's call the website www.example.com. I first worked out how the application works. After that, I logged out of the application and tried to visit the paths that are only available to logged-in users. As soon as I hit the first path in my list, I was redirected to "/login?redirect_to=%2fsettings". An open-redirect vulnerability clicked into my mind, and I succeeded in getting a redirect to https://google.com/ by visiting https://www.example.com/login?redirect_to=https%3A%2f%2fgoogle.com%2f and logging in to www.example.com.

Then I tried for XSS by visiting https://www.example.com/login?redirect_to=javascript%3Aalert(1) and got the alert popup: the javascript: URL is followed instead of being rejected, so the script runs in the page's origin.

Then I thought, why not try to steal login credentials? So I went for that after a good night's sleep. I visited the link:

https://www.example.com/login?redirect_to=javascript:alert(document.getElementById(%22email%22).value)%3B%20alert(document.getElementById(%22password%22).value)

An alert popped up with both the email and the password of the victim. The script runs once the login form has been submitted, so the email and password fields still contain what the victim typed.

So the attack is: the attacker sends the victim an email containing a URL like the one above, with JavaScript that sends the credentials to the attacker's server instead of showing them in an alert. The victim clicks the link, logs in, and bOOOOm…

#infosec #xss-attack #hackerone #bug-bounty #hacking
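The root cause in the write-up is a redirect_to parameter that is navigated to without validation, which gives an open redirect and, with a javascript: URL, reflected XSS. The following is an added example of how the parameter should be validated, not code from the author or from the affected application. The function name, the assumed application origin https://www.example.com and the extra evasion inputs are mine; the three payloads labelled as such are the ones from the write-up, after one level of URL decoding.

```javascript
// Added example (not the author's code): validating a "redirect_to" value
// before navigating to it. APP_ORIGIN and the function name are assumptions.
const APP_ORIGIN = "https://www.example.com"; // assumed application origin
const DEFAULT_TARGET = "/";

/**
 * Resolve a user-supplied redirect target against the application origin and
 * return only a same-origin path (path + query + fragment). Anything that
 * would leave the origin, or is not an http(s) URL at all, falls back to
 * DEFAULT_TARGET.
 *
 * The WHATWG URL parser (the same parser the browser applies to a location
 * assignment) decides what the input really navigates to, so tricks such as
 * "//evil", "/\\evil", "JavaScript:" and "java\tscript:" are judged by their
 * parsed result rather than by a regex blocklist on the raw string.
 */
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_TARGET;
  let url;
  try {
    url = new URL(raw, APP_ORIGIN); // relative paths resolve against our origin
  } catch {
    return DEFAULT_TARGET;          // unparseable input
  }
  // javascript: and data: URLs have an opaque origin ("null"); absolute URLs to
  // another host or scheme have a different origin. Both are rejected here.
  if (url.origin !== APP_ORIGIN) return DEFAULT_TARGET;
  // Re-serialise only the same-origin part; never echo the raw string back.
  return url.pathname + url.search + url.hash;
}

// The write-up's requests, after one level of URL decoding:
const writeupPayloads = [
  "/settings",                                    // legitimate destination
  "https://google.com/",                          // open redirect
  "javascript:alert(1)",                          // reflected XSS
  'javascript:alert(document.getElementById("email").value); ' +
    'alert(document.getElementById("password").value)', // credential theft
];
// Constructed variants that a naive "must start with /" or
// "must not contain javascript:" check would let through:
const evasions = [
  "//google.com",
  "/\\google.com",
  "JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "https://www.example.com@google.com/",
];

for (const input of [...writeupPayloads, ...evasions]) {
  console.log(JSON.stringify(input), "->", safeRedirectTarget(input));
}
```

Every evasion above resolves to "/" because the parser normalises it to a foreign origin (or to an opaque origin for the javascript: variants) before the comparison runs. The same function can be used on the server when building the post-login redirect, or client-side in place of a bare `window.location = params.get("redirect_to")`.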