How I escalated an HTML injection to a P3 vulnerability in a U.S. Department of Education domain.
Har Har Mahadev! Hey, I, Prince Roy, a cybersecurity researcher, found a security issue in one domain of the US Department of Education. I found an HTML injection on their website and escalated it into a P3 vulnerability.
Now I am going to tell you how I escalated it. Thanks to Aditya Shende sir for his mentorship. Are you guys ready for the full reproduction steps?
At first, I ran this command in the Ubuntu terminal.
subfinder -d ed.gov | httpx -mc 200 | tee target.txt
Then I found a domain that is used to reset the email. Then I put this payload in the email field.
Unfortunately, it didn't pop up. But I wondered why that field doesn't require an '@' to reset the email. Then I tried different XSS payloads, but unfortunately none of them popped up.
After reviewing the code, I tried this.
Damn! It was successfully injected and visible on the screen. Then I thought I should escalate this, and I started injecting XSS payloads between those HTML tags, but they also failed to pop up.
But one thing I noticed is that it doesn't reject any JS code. So I could do anything with this. And finally, I used this payload.
And boom! The result was:
After seeing this, I thought that if this domain can retrieve a picture from a third-party website, then why not Burp Collaborator? So I started with Burp Collaborator.
Then I put this payload:
OMG! I got an HTTP interaction, and one of the IPs wasn't mine; maybe it was a third-party application, or maybe the server. Unfortunately, at that time I didn't check that IP on whois.com. Moreover, this will also lead to a CSRF attack, because I got my IP address's pin, so if a victim visits this, then the attacker can get the victim's IP. And then the attacker gets the victim's exact location by using an IP address checker.
Then I directly reported the issue to the security team. After 3 days, they replied with this:
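As an added illustration, not code from this post or from the site it describes, here is the reflection behaviour the post relies on (an email field that never requires an '@' and echoes its value into the page unescaped) beside a hardened version that validates the address and escapes on output; the regex, template and sample inputs are my own assumptions.

```python
import html
import re

# Minimal email-syntax check used for this example (an assumption, not the
# site's rule): exactly one local@domain token, no whitespace, no '<' or '>'.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)

TEMPLATE = "<p>A reset link has been sent to {value}</p>"


def render_reset_vulnerable(submitted: str) -> str:
    """Behaviour described in the post: the value from the 'email' field is
    reflected into the page unescaped, and no '@' is required, so any
    markup in the field becomes live HTML in the response."""
    return TEMPLATE.format(value=submitted)


def is_valid_email(submitted: str) -> bool:
    """Reject anything that is not a plausible single address."""
    return bool(EMAIL_RE.match(submitted))


def render_reset_hardened(submitted: str) -> str:
    """Hardened form: validate the input grammar first, then escape on
    output so even an accepted value cannot introduce tags or attributes."""
    if not is_valid_email(submitted):
        raise ValueError("invalid email address")
    return TEMPLATE.format(value=html.escape(submitted, quote=True))


def reflects_markup(rendered: str) -> bool:
    """Regression check: does the rendered fragment contain any tag beyond
    the template's own <p> wrapper?"""
    inner = rendered.removeprefix("<p>").removesuffix("</p>")
    return "<" in inner or ">" in inner


def hardened_rejects(submitted: str) -> bool:
    """True when the hardened renderer refuses the input outright."""
    try:
        render_reset_hardened(submitted)
    except ValueError:
        return True
    return False


# Constructed sample inputs: one normal address and one containing markup.
SAMPLES = ["reader@example.org", "<b>not-an-email</b>"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "vulnerable reflects markup:",
              reflects_markup(render_reset_vulnerable(s)),
              "| hardened rejects:", hardened_rejects(s))
```

A Content-Security-Policy that restricts img-src to the site's own origin would additionally block the third-party image fetch that the post used as its escalation step.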
Then I was like
Finally, thanks for reading this blog. I hope you found it informative.
Please follow my social media accounts for further updates: