How I escalated HTML injection to a P3 vulnerability in a U.S. Department of Education domain.

Prince Roy(RoyzSec)
Sep 15, 2023


Har Har Mahadev! Hey, I am Prince Roy, a cybersecurity researcher, and I found a security issue in one domain of the US Department of Education. I found an HTML injection on their website and I escalated that into a P3 vulnerability.

Wait guys, now I am going to tell you how I escalated that. Thanks to Aditya Shende sir for his mentorship. Are you guys ready to see the full reproduction steps?

At first, I ran this command in the Ubuntu terminal.

subfinder -d ed.gov | httpx -mc 200 | tee target.txt

Then I found a domain that is used to reset the email. Then I put this payload in the email section.

<script>alert(1)</script>

Unfortunately, it didn’t pop up. But I wondered why that section doesn't require ‘@’ to reset the email. Then I tried different XSS payloads, but unfortunately they didn’t pop up.

After reviewing the code, I tried this.

Hello"><h1>Hello</h1>

Damn! It was successfully injected and visible on the screen. Then I thought that I should escalate this, and I started to inject XSS payloads between those HTML tags, but they also failed to pop up.

But! One thing I noticed is that it doesn't reject any JS code. So I could do anything with this. And finally, I used this payload.

hello"><h1><img%20src="https://miro.medium.com/v2/resize:fit:1400/0*y2OAF_DSarBAjihO.jpg"></h1>

And boom! The result was:

After seeing this, I thought that if this domain can retrieve this picture from the third-party website, then why not Burp Collab? So I started with Burp Collab.

Then I put this payload:

hello"><h1><img%20src="https://*.burpcollaborator.net/0*y2OAF_DSarBAjihO.jpg"></h1>

OMG! I got an HTTP interaction, and one of the IPs wasn’t mine; maybe it was a third-party application or maybe the server. Unfortunately, at that time I didn’t check that IP on whois.com. Moreover, this will also lead to a CSRF attack, because I got my IP address’s pin, so if a victim visits this, then the attacker can get the victim's IP. And then the attacker can get the victim's exact location by using an IP address checker.

HTMLi ==> CSRF/SSRF

Then I directly reported that issue to the security team. After 3 days, they replied to me with this:
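
The server-side root cause and its fix, as an added example (not code from this post or from the affected site). It assumes the submitted email is reflected into an input's value attribute, which is what the `">` breakout suggests; the template, function names, regex and CSP value are hypothetical.

```python
import html
import re

# Assumed markup: the write-up does not show the real template, only that a
# value starting with "> escaped its context and was rendered as HTML.
TEMPLATE = '<form method="post"><input type="text" name="email" value="{value}"></form>'

# Deliberately strict shape check: one "@", no whitespace, quotes or angle brackets.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Defence in depth: a response header that stops any injected <img> tag from
# making the visitor's browser call out to another host.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; img-src 'self'")


def render_vulnerable(email: str) -> str:
    """Reflects the submitted value verbatim (the behaviour described above)."""
    return TEMPLATE.format(value=email)


def encode_only(email: str) -> str:
    """Output encoding alone: the quote and brackets become entities, so the
    payload stays inside the value attribute as inert text."""
    return TEMPLATE.format(value=html.escape(email, quote=True))


def render_hardened(email: str) -> tuple[int, str]:
    """Validate the input first, then still encode it for the attribute context."""
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        # Never echo the rejected value back into the page.
        return 400, "<p>Please enter a valid email address.</p>"
    return 200, TEMPLATE.format(value=html.escape(email, quote=True))


if __name__ == "__main__":
    payload = 'Hello"><h1>Hello</h1>'  # payload quoted in the write-up
    print(render_vulnerable(payload))
    print(encode_only(payload))
    print(render_hardened(payload))
    print(render_hardened("user@example.com"))
```

Encoding at output is the actual fix; the `@` check and the CSP header only narrow what reaches the template and what an injected tag could load.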

Then I was like

Finally, thanks for reading this blog. I hope you found this informative.

Please follow my Social media accounts for further updates:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Twitter: https://twitter.com/royzsec

Github: https://github.com/royzsec
