How I Was Able to Turn an XSS into an Account Takeover

To begin, this is a vulnerability that I found during a bug bounty engagement. I would split this into two parts, or two separate vulnerabilities. The first part was a web cache poisoning via X headers. This part allowed me to achieve XSS on every endpoint with a combination of two headers. The next part was an OAuth flow flaw that allowed me to leverage my previously given XSS capabilities into an…