Stealing login credentials with Reflected XSS

Hello Hackers,

This was my first bounty worth $100. I got really exited at the moment the email notification popped-up. Read this write-up to know how I got that bug.

Let’s name the website as www.example.com. I understood that how the application works. After understanding, I logged out of the application and tried to visit the paths that are only available to logged-in users. As soon as I hit the first path in my list, I was redirected to “/login?redirect_to=%2fsettings”.

And Open-redirect vulnerability clicked into my mind and I was successful to get a redirect to https://google.com/ by visiting https://www.example.com/login?redirect_to=https%3A%2f%2fgoogle.com%2f

and logging in to www.example.com

Then, I tried to get XSS by visiting https://www.example.com/login?redirect_to=javascript%3Aalert(1) and got that alert popup.

Then I thought why not try to steal login credentials.

So I went for that after a good night sleep. I visited the link:

https://www.example.com%2Flogin%3Fredirect_to%3Djavascript%3Aalert%28document.getElementById%28%2522email%2522%29.value%29%253B%2520alert%28document.getElementById%28%2522password%2522%29.value%29

An Alert popped up for both email and password of victim

So the attack is like, attacker sends email to vicitm including the above URL with javascript such as to send credentials to attack server and the victim clicks the link and bOOOOm…