How I was able to inject XSS payload into any user's mailbox

How I was able to inject XSS payload into any user's mailbox

Hello guys,

First of all thanks for giving lots of love to my first writeup ! If you haven't read my first writeup yet, take a look here . Let's get start without wasting any time !

So basically this is something which I found last year, while recon I found email of admin and then I thought to try default passwords but unfortunately in a first attempt I got the warning to complete email confirmation for IP verification .

Then I quickly setup my account on target and after that try to login with another device for observing the behaviour and found that this confirmation is for everyone not only for admin login. I check my mail and decide to bypass it, In meantime I succeed with parameter pollution and now I am able to assign any IP to any email because of the simple structure of the link https://example.com/ip_update.php?email=victim@example.com&new_ip=0.0.0.0 .

While doing this I notice that there is no special mechanism or technique for this, it's work like whatever IP is detected which submit through link through the link and it will save like <script>sonsole.log("info")</script> ( yes its sonsole.log not console.log ! )

Then I thought what if I close the script tag and write code to for XSS and yes it works

https://example.com/ip_update.php?email=victim@example.com&new_ip=</script><script>alert()</script> ( email and new_ip both parameter vulnerable )

I found Reflected XSS here !

But I am still looking for increase the impact, so again i started looking into this case how can I escalate it to remote vector. There is already mechanism to mail the link to user so it helps me to do my work bit easy. Now what I need to do is to find the way to inject the payload I thought to save the payload into cookies in IPAddress= parameter and then may be it possible, but no success they have something another technique to pass IP. Then I search for alternative method how can i sent my own IP to server and I found X-Client-IP: header and yes here we go !

Now i can remotely inject the XSS payload into any user email !

I must say spend more time on one target and dig deeper to increase the impact !

Thanks for taking time to read writeup !

Get in touch with me :

> Twitter

> LinkedIn

> Instagram

BackBack to All Blogs

Copyright Gaurav Popalghat. All Rights Reserved.