How I escalated an HTML injection to a P3 vulnerability in a U.S. Department of Education domain.
Har Har Mahadev! Hey, I, Prince Roy, a cybersecurity researcher, found a security issue in one domain of the US Department of Education. I found an HTML injection on their website and escalated it into a P3 vulnerability.
Wait, guys, now I am going to tell you how I escalated that. Thanks to Aditya Shende sir for his mentorship. Are you guys ready for the full reproduction steps?
At first, I ran this command in the Ubuntu terminal.
subfinder -d ed.gov | httpx -mc 200 | tee target.txt
Then I found a domain that is used to reset the email. Then I put this payload in the email section.
<script>alert(1)</script>
Unfortunately, it didn’t pop up. But I wondered why that section doesn't require an ‘@’ to reset the email. Then I tried different XSS payloads, but unfortunately they didn’t pop up either.
After reviewing the code, I tried this.
Hello"><h1>Hello</h1>
Damn! It was successfully injected and visible on the screen. Then I thought that I should escalate this, and I started to inject XSS payloads between those HTML tags, but they also failed to pop up.
But! One thing I noticed is that it doesn't reject any JS code. So I could do anything with this. And finally, I used this payload.
hello"><h1><img%20src="https://miro.medium.com/v2/resize:fit:1400/0*y2OAF_DSarBAjihO.jpg"></h1>
And boom! And the result was:
After seeing this, I thought that if this domain can retrieve this picture from a third-party website, then why not Burp Collaborator? So I started with Burp Collaborator.
Then I put this payload:
hello"><h1><img%20src="https://*.burpcollaborator.net/0*y2OAF_DSarBAjihO.jpg"></h1>
OMG! I got an HTTP interaction, and one of the IPs wasn’t mine; maybe it was a third-party application or maybe the server. Unfortunately, at that time I didn’t check that IP on whois.com. Moreover, this will also lead to a CSRF attack, because I got my IP address’s pin, so if a victim visits this, then the attacker can get the victim's IP. And then the attacker can get the victim's exact location by using an IP address checker.
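The root cause of the reflection described above is an email field whose value is written back into a value="" attribute without validation or attribute-context encoding, so a `">` closes the attribute and the tag. The following is an added example (not code from the post or from the affected site) that reproduces that behaviour in a tiny template, shows the hardened version, and checks both with the write-up's own breakout string; the email regex and the form markup are assumptions.

```python
import html
import re

# Breakout string quoted in the write-up (constructed test input for this example).
INJECTION = 'Hello"><h1>Hello</h1>'

# Assumed syntactic rule for the reset form: exactly one "@", a dotted domain,
# and no whitespace, quotes or angle brackets. Not the site's actual rule.
EMAIL_RE = re.compile(r'^[^@\s"<>]+@[^@\s"<>]+\.[^@\s"<>]+$')


def render_vulnerable(value: str) -> str:
    """Reflect the submitted value into the attribute unencoded.

    This mirrors what the post describes: the '"' ends the attribute, the '>'
    ends the <input> tag, and whatever follows is rendered as live markup.
    """
    return f'<input type="email" name="email" value="{value}">'


def encode_for_attribute(value: str) -> str:
    """Attribute-context encoding: '"' -> &quot;, '<' -> &lt;, '>' -> &gt;."""
    return html.escape(value, quote=True)


def render_hardened(value: str) -> str:
    """Validate first (an email address never needs quotes or tags), then
    encode anyway so an unexpected value still cannot leave the attribute."""
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("not a valid email address")
    return f'<input type="email" name="email" value="{encode_for_attribute(value)}">'


def breaks_out(rendered: str) -> bool:
    """Symptom check: more than one tag opener means the reflected value
    terminated the attribute and injected its own element."""
    return rendered.count("<") > 1


if __name__ == "__main__":
    print(render_vulnerable(INJECTION), breaks_out(render_vulnerable(INJECTION)))
    try:
        render_hardened(INJECTION)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_hardened("user@example.com"))
```

The same `breaks_out` idea, applied to the live response for a harmless marker such as `x"><i>x</i>`, is a quick regression test for this class of reflection.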
Then I directly reported that issue to the security team. After 3 days, they replied to me with this:
Then I was like:
Finally, thanks for reading this blog. I hope you found it informative.
Please follow my social media accounts for further updates:
Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/
Twitter: https://twitter.com/royzsec
Github: https://github.com/royzsec