
I'm pentesting a client's website and found a self-XSS vulnerability in the login page: in case of a login error, the error page shows the username, so if you input <script>alert("XSS")</script> as the user, it shows the alert box. However, it's probably not that likely that users do that by themselves. So I'm looking for a way to further exploit this.

My first idea was to generate a link with the parameters of the POST request in the URL so I would get a reflected XSS if somebody clicked it. But the username and password parameters are sent in the request body and not in the URL. And according to this answer, "How to exploit XSS in POST request when parameter is going in body?", it is not possible to craft a link with the body parameters in the URL.

I'm guessing the application could have more problems with input validation, but since this is a blackbox test I have no credentials and can only work with the login page. So does anyone have any ideas, or could point me in the right direction, how I could "upgrade" the self-XSS to a more severe vulnerability?

EDIT: Thanks for the help, I managed to get a CSRF. In case someone is reading this in the future: Burp Suite has a cool feature for this: right click on the request, select Engagement Tools and then CSRF PoC. It will then create a basic HTML page that submits the specified request if someone clicks the button.

2 Answers


Use the method described in the linked answer. The attacker creates a webpage with a form that automatically submits using JavaScript. Then the attacker sends the URL of the attacker's page to the victim.

If there is XSS in the username field, it is very likely that the application is vulnerable to XSS in many other places. So you may want to continue searching for a place that is easier to exploit.

Sjoerd
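The two weaknesses the answer above relies on, seen from the defender's side: the login error page reflects the raw username, and the login form accepts POSTs that a page on any other site can auto-submit. This added example (not code from the question, the answers or the client's application; function names, the `SITE_ORIGIN` value and the header handling are illustrative assumptions) models the vulnerable error page next to a hardened handler that output-encodes the username and rejects cross-site submissions.

```python
"""Added example, not from the original posts: a minimal model of the login
error path. Names and the placeholder origin are assumptions."""
import html
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

SITE_ORIGIN = "https://app.example"  # placeholder: the protected site's own origin


def render_error_vulnerable(username: str) -> str:
    # Mirrors the behaviour described in the question: the username is
    # concatenated into the HTML unchanged, so markup in it is rendered.
    return f"<p>Login failed for user {username}</p>"


def render_error_fixed(username: str) -> str:
    # Contextual output encoding for an HTML text node: < > & " ' become
    # entities, so the browser displays the value instead of parsing it.
    return f"<p>Login failed for user {html.escape(username, quote=True)}</p>"


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive the requesting origin from the Origin header, falling back to
    Referer. Browsers attach Origin to cross-site form POSTs, so a form
    auto-submitted from another site carries that site's origin (or "null")."""
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        p = urlparse(headers["Referer"])
        if p.scheme and p.netloc:
            origin = f"{p.scheme}://{p.netloc}"
    return origin


def origin_allowed(headers: Dict[str, str]) -> bool:
    # Deny when the origin is missing, "null", or not our own site.
    origin = request_origin(headers)
    return origin is not None and origin.lower() == SITE_ORIGIN


def handle_login_post(headers: Dict[str, str], username: str) -> Tuple[int, str]:
    """Hardened login handler for the failure path. Authentication itself is
    not modelled (every attempt fails); the point is what happens on failure."""
    if not origin_allowed(headers):
        return 403, "<p>Cross-site request rejected</p>"
    return 401, render_error_fixed(username)
```

Running the question's payload through both renderers shows the difference directly: the vulnerable page contains a live `<script>` element, the fixed page contains `&lt;script&gt;` text.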

I agree with you; that's evidence of sloppy coding and probably worth mentioning as a Low, but probably not directly exploitable. If you do manage to get deeper into the application, then continuing to poke at XSS is likely to be fruitful :)

Aside: what kind of pen test doesn't even give you credentials for the login page??? That's like test-driving a car without giving you the keys. If this is a hired pen test, then I would definitely note that in the Scope section of your report so that they don't try to pass off your report as a deeper pentest than it was.

Mike Ounsworth