The main issue now was to convert this cookie-based XSS into a reflected XSS. The key observation was that the redirect parameter was under our control.

It was observed that the redirectTo cookie was set to the value of the redirect parameter in the URL.

Flow: example.com/login?redirect=hello —> example.com/login (Cookie: redirectTo=/hello)

All we needed to do now was to set the cookie to the payload via the redirect parameter in the URL.

Simply placing the payload in the redirect parameter did not make it fire straight away, because the application behaved as follows:

Redirect parameter present in the URL: the script redirects to the path given in the parameter after login

No redirect parameter in the URL: the script redirects to the path stored in the cookie

Now all we needed to do was to remove the parameter from the URL so that the application took the value from the cookie and executed our payload.
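The two code paths above (parameter present vs. cookie fallback) are only safe if both inputs pass through the same strict validator before the value is stored or used, and if the chosen target is encoded before it is written into the page. The following is an added example written for this write-up, not the application's own code; all function names are hypothetical and the cookie/parameter names are the ones described above:

```javascript
// Added example (not from the original write-up): one validator applied to both
// the ?redirect= parameter and the redirectTo cookie. Names are hypothetical.
const DEFAULT_TARGET = "/";

// Accept only a same-origin absolute path: a leading "/" is added if missing
// (mirroring "hello" -> "/hello" in the flow above), protocol-relative forms
// ("//host", "/\host") are rejected, and only characters that cannot break out
// of an attribute or script context are allowed (no <, >, ", ', :, \, spaces).
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 512) {
    return DEFAULT_TARGET;
  }
  const path = raw.startsWith("/") ? raw : "/" + raw;
  if (path.startsWith("//") || path.startsWith("/\\")) return DEFAULT_TARGET;
  if (!/^[A-Za-z0-9\/._~\-?=&%]*$/.test(path)) return DEFAULT_TARGET;
  return path;
}

// Mirror the flow described above: the URL parameter wins, otherwise fall back
// to the cookie. Both inputs go through the same validator, so removing the
// parameter from the URL gives an attacker nothing the parameter path did not.
// `query` and `cookies` are Map-like objects with .get() (e.g. URLSearchParams).
function resolveRedirect(query, cookies) {
  const fromParam = query.get("redirect");
  if (fromParam != null) return safeRedirectTarget(fromParam);
  const fromCookie = cookies.get("redirectTo");
  return safeRedirectTarget(fromCookie == null ? "" : fromCookie);
}

// When the target is embedded in an inline script, JSON-encode it and escape
// "<" so the value can never terminate the <script> block or inject markup.
function redirectScript(target) {
  const encoded = JSON.stringify(target).replace(/</g, "\\u003c");
  return `<script>window.location.replace(${encoded});</script>`;
}
```

Both validation and output encoding are needed: validation keeps off-site and scheme-based targets out of the cookie, and encoding protects the inline script even if an unvalidated value ever reaches it.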