How did I find RXSS within 10 minutes?

Prince Roy(RoyzSec)
3 min readAug 3, 2023

--

Har Har Mahadevađź”±. Hey, this is Prince Roy, a cyber security researcher. A few days ago, I found two RXSS in the domain of the Department of Commerce of the United States of America.

I discovered those within ten minutes!!

But how??

Okay, guys, I am going to tell you how I found those. At first, I searched the IP address in https://search.censys.io/ via the main domain. Then I found one IP address — not an internal IP address—that is accessible.

Then I used NucleiFuzzer, which is actually a combination of Nuclei + Paramspider—a great tool made by xKayala. Here is the link:

And I used that command in the terminal.

./NucleiFuzzer -d domain_name(that I found which is accessible with IP address)

And after 5–6 minutes, NucleiFuzzer found two RXSS in two different parameters.

For testing the RXSS, I used this payload:

'">><marquee><img src=x onerror=confirm(1)></marquee>

Guess what?

Boom!

It successfully popped up and showed me this:

Yes, Gyus, I am serious. And RXSS is a PIII-severity bug. After that, I ethically reported it to the DOC Vulnerability Discloser Program. Then, two hours later, those two reports got triaged.

After patching those vulnerabilities, they put my name on the acknowledgment page. Here is the link: https://doc.responsibledisclosure.com/hc/en-us/articles/10801394414227

HOF

And finally, this is the first blog about finding the vulnerability. So, please pardon my mistakes.

Please follow my Social media accounts for further updates:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Twitter: https://twitter.com/royzsec

Github: https://github.com/royzsec

--

--

Prince Roy(RoyzSec)
Prince Roy(RoyzSec)

Written by Prince Roy(RoyzSec)

Cyber Security Researcher | Ex-GPCSSI2021

Responses (2)