How I escalated HTML injection to P3 vulnerability in the U.S. of Education domain.

Prince Roy(RoyzSec)
3 min readSep 15, 2023

Har Har Mahadev !Hey I, Prince roy, a cybersecurity researcher, found a security issue in one domain of the US Department of Education. I found an HTML injection on their website and I escalated that into a P3 vulnerability.

Wait guys now I am going to tell you how I escalated that. Thanks to Aditya Shende sir for his mentorship. Are guys ready to show full reproduce steps?

At first, I ran this command in the Ubuntu terminal.

subfinder -d | httpx -mc 200 | tee target.txt

Then I found a domain that it used to reset the email. then I put this payload in the email section.


Unfortunately, it wasn’t popped up. But I wondered why that section doesn't require ‘@’ to reset the email. Then I tried different XSS payloads but unfortunately didn’t pop up.

After reviewing the code, I tried this.


Damm! It was successfully injected and visible on the screen. Then I thought that I should escalate this, and I started to inject XSS payload between those html tags but also failed to pop up.

But ! one thing I noticed is that it doesn't reject any JS code. So I could do anything with this. And finally, I used this payload.


And boom! and result was:

After seeing this I thought that if this domain can retrieve this picture from the third-party website then why not burp Collab? So I started with the burp collab.

then I put this payload


OMG! I got an HTTP interaction and one of them ip wasn’t maine or maybe third party application or maybe server. Unfortunately that time i didn’t check that IP in Moreover, this will also lead CSRF attack, because i got my ip address’s pin, so if victime visit this then attacker can get victim ip. And then attacker get the victim exact location by using ip address checker.


Then I directly reported that issue to the security team. After 3 days, they replied me this

Then I was like

Finally thanks for reading this blog I hope you found this informative.

Please follow my Social media accounts for further updates: