How I escalate my Self-Stored XSS to Account Takeover with the help of IDOR
Good day to all Security Researchers and Bug Hunters again Im Jefferson Gonzales and today I will share my writeup about my findings on HackerEarth and how I got a SWAG from them, so without wasting your time lets begin
First step is recon, so I collected all the subdomains of HackerEarth then I check it all manually and one of their subdomain caught my attention, sorry but I can’t disclose the subdomain, so lets name it test.hackerearth.com
In test.hackerearth.com you can Signin and Signup, first I signup and redirect me to Dashboard area, then I hunt for CSRF but I found nothing then I try to change my Name to XSS payload and to my surprise XSS triggered, Im very excited to report it but I found out its a Self XSS. How I know? its very simple in test.hackerearth.com theirs no function to view other users profile only you can see your profile thats why its a Self XSS
I hunt another vulnerability to escalate my Self XSS to critical impact, then I review my burp suite history and I found this POST request when I change my name
POST /api/sprint/v1/setup-profile/ HTTP/2
Host: test.hackerearth.com
Origin: https://test.hackerearth.com
Referer: https://test.hackerearth.com/auth/setup-profile
Te: trailers
Connection: closefirst_name=</script><svg/onload=alert(1)>&last_name=Tanga&email=attacker@gmail.com
As you can see my email was also there in the POST request, what if I change that to victims email?
So I created a new account, and I change the email on the POST request that I got earlier with my new account
POST /api/sprint/v1/setup-profile/ HTTP/2
Host: test.hackerearth.com
Origin: https://test.hackerearth.com
Referer: https://test.hackerearth.com/auth/setup-profile
Te: trailers
Connection: closefirst_name=</script><svg/onload=alert(1)>&last_name=Tanga&email=victim@gmail.com
then Viola! the XSS triggered on my new account, all you need is the email of your victim to takeover any accounts on test.hackerearth.com
Reported date: July 4, 2021
Initial reply: July 5, 2021
Issue fixed: July 23, 2021
You can contact me on
