The screenshot below shows an HTTP GET request containing the final XSS payload (part parameter):
- steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as the email address, is exfiltrated as well.
- steal_data – Steals the user's profile and private data, preferences, attributes (e.g. answers filled in during registration), and more.
- send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.
The function issues an API call to the server. The user's cookies are sent to the server because the XSS payload executes within the context of the application's WebView.
The server responds with a large JSON containing the user's id and the authentication token:
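From a detection standpoint, the request shown above is the artifact a defender can hunt for: a GET whose query parameter carries script content. The following Python is an added example, not code from the original article or the vendor; it scans constructed access-log lines (not real traffic) for script-like values in any query parameter, using the parameter name "part" from the text only as sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not from the original article); the
# third line carries a script-bearing value in the "part" query parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile?part=photos HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /profile?part=about HTTP/1.1" 200 488
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?part=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 900
"""

# Pulls method and request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators of markup/script injection, checked after URL-decoding.
SCRIPT_INDICATORS = re.compile(
    r"<\s*script|javascript\s*:|on[a-z]+\s*=|<\s*iframe|<\s*img",
    re.IGNORECASE,
)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads do not slip through."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return {param: decoded_value} for query parameters that look like script injection."""
    query = urlsplit(target).query
    findings = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            decoded = decode_fully(v)
            if SCRIPT_INDICATORS.search(decoded):
                findings[name] = decoded
    return findings


def scan_log(text):
    """Return (line_no, method, param, decoded_value) for every suspicious request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for param, value in suspicious_params(m.group("target")).items():
            hits.append((line_no, m.group("method"), param, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s parameter %r -> %s" % hit)
```

The decoded value is what matters: a WAF or log rule that only inspects the raw URL misses percent- or double-encoded payloads, which is why the scanner decodes before matching.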