
Account Takeover via Self-XSS Chained with CSRF

Severity: High

Category: XSS / CSRF / Account Takeover

Platform: Public Program

What I Found

While testing the profile functionality, I initially discovered a Self-XSS vulnerability in the email parameter.

During further testing to escalate the impact, I identified a CSRF vulnerability in the email update endpoint.

The CSRF on email change alone did not lead to account takeover because the email field was used only for notification purposes and was not part of the authentication flow.

However, by chaining both vulnerabilities together, I was able to achieve full Account Takeover.

Self-XSS in Email Parameter

The application reflects the email parameter into the value attribute of the email input on the authenticated user’s profile page without HTML attribute encoding, so a double quote in the value closes the attribute and whatever follows it is parsed as further attributes of the input element.

Example payload:

"+onfocus=alert(origin)+autofocus

Output:

<input type="text" id="email" name="email" value=" onfocus=alert(origin) autofocus>

When the victim visits their profile page, the injected JavaScript executes automatically due to the autofocus and onfocus attributes.
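As an added example (written for this writeup, not code from the original post or the tested application), the reflection and its fix in standard-library Python: a renderer that concatenates the email into the value attribute, as the output above shows, beside one that attribute-encodes it, plus a server-side allow-list check that rejects the payload before it is ever stored. The payload string, the input markup and the email pattern are constructed for the illustration; the parser at the end only exists to show which attributes a browser would see in each case.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload mirroring the writeup's example after URL decoding ('+' became spaces).
PAYLOAD = '" onfocus=alert(origin) autofocus'


def render_vulnerable(email):
    """Reflects the email straight into the attribute, as the page's output shows.
    A double quote in the value closes the attribute and whatever follows becomes new attributes."""
    return '<input type="text" id="email" name="email" value="' + email + '">'


def render_safe(email):
    """Attribute-encodes the value: html.escape with quote=True turns '"' into &quot;,
    so the browser keeps the entire payload inside the value attribute as inert text."""
    return '<input type="text" id="email" name="email" value="' + html.escape(email, quote=True) + '">'


# Deliberately simple allow-list pattern (an assumption for this example, not the
# application's own validation): local-part@domain.tld with no whitespace or quotes.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value):
    """Server-side check to apply before storing the address; the XSS payload fails it."""
    return EMAIL_RE.fullmatch(value) is not None


class _InputAttrs(HTMLParser):
    """Collects the attributes of the <input> tag roughly as a browser tokenizer would."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(dict(attrs))


def parsed_attributes(rendered):
    """Parses rendered markup and returns the <input> element's attribute dict,
    so we can check whether an event-handler attribute escaped the value."""
    parser = _InputAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        attrs = parsed_attributes(renderer(PAYLOAD))
        print(name, "-> onfocus attribute present:", "onfocus" in attrs)
    print("payload passes email validation:", is_valid_email(PAYLOAD))
```

Encoding at the point of output is the fix that closes the XSS; the allow-list validation is defence in depth that also keeps junk out of the notification address store. Both are needed: validation alone can be bypassed wherever the same value is rendered by a different template.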

CSRF on Email Change Endpoint

The email update endpoint accepts the new address as a GET query parameter and has no CSRF protection.

Example request:

GET /profile/verify-email?email=attacker@email.com

However, the email field was only used for notifications and was not tied to authentication or login, so CSRF alone did not result in takeover.
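As an added example (not code from the original writeup or the application), a minimal model of the endpoint described above beside a hardened version, in standard-library Python. The request object, the in-memory session store and the account record are constructed for this illustration; the site origin reuses the writeup's placeholder host. The hardened handler changes state only on POST, requires a per-session CSRF token echoed back in the body, and rejects a mismatched Origin header when one is present.

```python
import hmac
import secrets

# Expected site origin, taken from the writeup's placeholder host.
SITE_ORIGIN = "https://target.com"


class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""

    def __init__(self, method, params=None, cookies=None, headers=None):
        self.method = method
        self.params = params or {}      # query string or form fields
        self.cookies = cookies or {}
        self.headers = headers or {}


def new_sessions():
    """Fresh in-memory session store: session id -> account record."""
    return {"sess-victim": {"email": "victim@example.com",
                            "csrf_token": secrets.token_hex(16)}}


def account_for(sessions, req):
    return sessions.get(req.cookies.get("session"))


def verify_email_vulnerable(sessions, req):
    """The endpoint as the page describes it: a GET that changes state and is authenticated
    only by the ambient session cookie, so a cross-site navigation is indistinguishable
    from the user's own click."""
    acct = account_for(sessions, req)
    if acct is None:
        return 401, "not logged in"
    acct["email"] = req.params["email"]
    return 200, "email updated"


def verify_email_hardened(sessions, req):
    """Same operation with the checks that defeat CSRF."""
    acct = account_for(sessions, req)
    if acct is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"          # no state change on GET
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(supplied.encode(), acct["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    email = req.params.get("email")
    if not email:
        return 400, "email required"              # validate/encode the value separately
    acct["email"] = email
    return 200, "email updated"


def cross_site_request(email):
    """What the victim's browser sends when following a link from another site:
    the session cookie is attached automatically, there is no token, and a top-level
    navigation carries no Origin header."""
    return Request("GET", params={"email": email}, cookies={"session": "sess-victim"})


if __name__ == "__main__":
    sessions = new_sessions()
    print("vulnerable:", verify_email_vulnerable(sessions, cross_site_request("attacker@email.com")),
          sessions["sess-victim"]["email"])
    sessions = new_sessions()
    print("hardened:", verify_email_hardened(sessions, cross_site_request("attacker@email.com")),
          sessions["sess-victim"]["email"])
```

Setting the session cookie with the SameSite attribute (Lax or Strict) adds a browser-side layer, but the token check is what makes the endpoint safe regardless of cookie policy, and moving the change to POST removes the link-click trigger used in the chain.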

Chained Exploitation → Account Takeover

  1. I crafted a malicious link containing the XSS payload:
     https://target.com/profile/verify-email?email="+onfocus=alert(document.cookie)+autofocus
  2. The victim clicks the link while authenticated.
  3. The CSRF automatically updates the victim’s email to the payload.
  4. When the victim visits their profile page, the payload is executed and the victim’s cookies are sent to the attacker’s server.