How I escalate my Self-Stored XSS to Account Takeover with the help of IDOR

Good day to all Security Researchers and Bug Hunters. It's Jefferson Gonzales again, and today I will share my writeup about my findings on HackerEarth and how I got swag from them, so without wasting your time let's begin.

The first step is recon, so I collected all the subdomains of HackerEarth and then checked them all manually. One of their subdomains caught my attention; sorry, but I can't disclose the subdomain, so let's name it test.hackerearth.com.

In test.hackerearth.com you can sign in and sign up. First I signed up and it redirected me to the dashboard area. Then I hunted for CSRF but found nothing, so I tried changing my name to an XSS payload and, to my surprise, the XSS triggered. I was very excited to report it, but I found out it was a self-XSS. How did I know? It's very simple: in test.hackerearth.com there's no function to view other users' profiles; you can only see your own profile, and that's why it's a self-XSS.

I hunted for another vulnerability to escalate my self-XSS to critical impact. Then I reviewed my Burp Suite history and found this POST request from when I changed my name:

POST /api/sprint/v1/setup-profile/ HTTP/2
Host: test.hackerearth.com
Origin: https://test.hackerearth.com
Referer: https://test.hackerearth.com/auth/setup-profile
Te: trailers
Connection: close

first_name=</script><svg/onload=alert(1)>&last_name=Tanga&email=attacker@gmail.com

As you can see, my email was also in the POST request. What if I changed that to the victim's email?

So I created a new account to act as the victim, and in the POST request I had captured earlier I changed the email to my new account's email:

POST /api/sprint/v1/setup-profile/ HTTP/2
Host: test.hackerearth.com
Origin: https://test.hackerearth.com
Referer: https://test.hackerearth.com/auth/setup-profile
Te: trailers
Connection: close

first_name=</script><svg/onload=alert(1)>&last_name=Tanga&email=victim@gmail.com

and voilà! The XSS triggered on my new account. All you need is the victim's email to take over any account on test.hackerearth.com.
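To make the two bugs and their fixes concrete, here is an added Python model of a profile-update handler; it is example code written for this writeup, not HackerEarth's actual implementation, and the endpoint's real server-side logic was never visible to me. The handler names, the in-memory account store and the example.com email addresses are all assumptions. The vulnerable version does what the observed behaviour implies: it selects the record to update from the client-supplied `email` field (the IDOR) and stores the name unencoded (the stored XSS). The fixed version picks the record from the authenticated session, rejects a mismatching `email`, and HTML-encodes the name at render time.

```python
import html

# Constructed sample data: maps email -> profile record. Not data from the report.
def make_accounts():
    return {
        "attacker@example.com": {"first_name": "Mallory", "last_name": "Tanga"},
        "victim@example.com": {"first_name": "Alice", "last_name": "Smith"},
    }

# The same payload the original request used, here as a constant for the demo.
PAYLOAD = "</script><svg/onload=alert(1)>"


def setup_profile_vulnerable(accounts, session_email, form):
    """Hypothetical flawed handler: the record to update is chosen from the
    request body, so any authenticated user can overwrite any other user's
    profile just by knowing their email (IDOR). The name is stored raw."""
    target = form["email"]  # attacker-controlled object reference
    if target not in accounts:
        return 404
    accounts[target]["first_name"] = form["first_name"]
    accounts[target]["last_name"] = form["last_name"]
    return 200


def setup_profile_fixed(accounts, session_email, form):
    """Hardened handler: the record comes from the session, never from the
    body. A mismatching email field is treated as a tampered request, which is
    also a cheap server-side detection signal worth logging."""
    if "email" in form and form["email"] != session_email:
        return 403
    rec = accounts[session_email]
    rec["first_name"] = form["first_name"][:64]
    rec["last_name"] = form["last_name"][:64]
    return 200


def render_dashboard_vulnerable(rec):
    # Interpolates the stored name straight into markup: stored XSS on render.
    return f"<h1>Welcome {rec['first_name']} {rec['last_name']}</h1>"


def render_dashboard_fixed(rec):
    # Contextual output encoding neutralises the payload wherever it came from.
    first = html.escape(rec["first_name"])
    last = html.escape(rec["last_name"])
    return f"<h1>Welcome {first} {last}</h1>"


def demo():
    """Runs the attacker's request against both handlers and reports the outcome."""
    attacker, victim = "attacker@example.com", "victim@example.com"
    cross_account = {"first_name": PAYLOAD, "last_name": "Tanga", "email": victim}
    self_edit = {"first_name": PAYLOAD, "last_name": "Tanga", "email": attacker}

    vuln = make_accounts()
    setup_profile_vulnerable(vuln, attacker, cross_account)

    fixed = make_accounts()
    cross_status = setup_profile_fixed(fixed, attacker, cross_account)
    self_status = setup_profile_fixed(fixed, attacker, self_edit)

    return {
        # vulnerable: victim's record now holds the payload and it renders live
        "vuln_victim_name": vuln[victim]["first_name"],
        "vuln_markup_has_tag": "<svg" in render_dashboard_vulnerable(vuln[victim]),
        # fixed: cross-account write rejected, victim untouched
        "fixed_cross_status": cross_status,
        "fixed_victim_name": fixed[victim]["first_name"],
        # fixed: the user may still set the string on their own profile,
        # but output encoding keeps it inert
        "fixed_self_status": self_status,
        "fixed_markup_has_tag": "<svg" in render_dashboard_fixed(fixed[attacker]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two fixes are independent and both are needed: binding the write to the session closes the account takeover, while output encoding removes the self-XSS that would otherwise remain a low-severity finding on the user's own dashboard.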

After the issue was fixed

Reported date: July 4, 2021
Initial reply: July 5, 2021
Issue fixed: July 23, 2021