
How I escalated HTML injection to a P3 vulnerability in a U.S. Department of Education domain.

3 min read · Sep 15, 2023

Har Har Mahadev! Hey, I, Prince Roy, a cybersecurity researcher, found a security issue in one domain of the US Department of Education. I found an HTML injection on their website and escalated it into a P3 vulnerability.

Now I am going to tell you how I escalated it. Thanks to

sir for his mentorship. Are you guys ready for the full reproduction steps?

At first, I ran this command in the Ubuntu terminal.

subfinder -d ed.gov | httpx -mc 200 | tee target.txt

Then I found a domain that is used to reset the email address. I put this payload in the email field.

<script>alert(1)</script>

Unfortunately, it didn't pop up. But I wondered why that field doesn't require an '@' to reset the email. Then I tried different XSS payloads, but unfortunately none of them popped up.

After reviewing the code, I tried this.

Hello"><h1>Hello</h1>

Damn! It was successfully injected and visible on the screen. Then I thought I should escalate this, and I started to inject XSS payloads between those HTML tags, but they also failed to pop up.

But one thing I noticed is that it doesn't reject any JS code. So I could do anything with this. And finally, I used this payload.

hello"><h1><img%20src="https://miro.medium.com/v2/resize:fit:1400/0*y2OAF_DSarBAjihO.jpg"></h1>

And boom! The result was:

After seeing this, I thought that if this domain can retrieve this picture from a third-party website, then why not Burp Collaborator? So I started with Burp Collaborator.

Then I put this payload:

hello"><h1><img%20src="https://*.burpcollaborator.net/0*y2OAF_DSarBAjihO.jpg"></h1>

OMG! I got an HTTP interaction, and one of the IPs wasn't mine; maybe it was a third-party application or maybe the server. Unfortunately, at that time I didn't check that IP on whois.com. Moreover, this will also lead to a CSRF attack, because I got my IP address's ping, so if a victim visits this then the attacker can get the victim's IP. And then the attacker can get the victim's exact location by using an IP address checker.
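To make the root cause and the fix concrete, here is an added example (my own illustration code, not the Department of Education's application or the author's tooling). It assumes a hypothetical reset-email template that reflects the submitted address inside a `value=""` attribute, which is the shape the `Hello"><h1>` breakout above implies. It shows the unsafe reflection beside an output-encoded version, a syntactic email check (the field accepted input with no '@'), a simple regression check that detects injected tags, and a Content-Security-Policy header that would have blocked the injected `<img>` from fetching a third-party URL even if a reflection slipped through.

```python
import html
import re

# Constructed illustration: a minimal template for a "reset email" page that
# reflects the submitted address back inside a value="" attribute.
# This is added example code, not the affected site's real code.


def render_vulnerable(email: str) -> str:
    # Raw string concatenation: a double quote in the input closes the
    # attribute and everything after it is parsed as markup. This is the
    # behaviour the write-up observed with Hello"><h1>Hello</h1>.
    return f'<input type="email" name="email" value="{email}">'


def render_hardened(email: str) -> str:
    # html.escape(quote=True) turns " into &quot; and < > into &lt; &gt;,
    # so user input can neither terminate the attribute nor open a tag.
    safe = html.escape(email, quote=True)
    return f'<input type="email" name="email" value="{safe}">'


# Syntactic check for the address itself. The write-up noted the field did
# not require an '@'. Rejecting malformed input is defense in depth only;
# output encoding (render_hardened) is the actual fix.
EMAIL_RE = re.compile(r'^[^@\s"<>]+@[^@\s"<>]+\.[^@\s"<>]+$')


def is_plausible_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def contains_injected_markup(rendered: str) -> bool:
    # Regression-test heuristic: the template is supposed to emit exactly one
    # tag (<input ...>). Any additional '<' means user input became markup.
    return rendered.count("<") > 1


# A restrictive CSP stops an injected <img src="https://..."> from making the
# browser contact a third-party host (the out-of-band hit the write-up saw
# with Burp Collaborator), even where a reflection still exists.
CSP_HEADER = (
    "Content-Security-Policy: default-src 'self'; img-src 'self'; "
    "script-src 'self'"
)

# Constructed sample input mirroring the write-up's payload shape (neutral
# example host, not a real endpoint).
PAYLOAD = 'hello"><h1><img src="https://example.test/x.jpg"></h1>'


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
    print("injected?  ", contains_injected_markup(render_vulnerable(PAYLOAD)),
          contains_injected_markup(render_hardened(PAYLOAD)))
    print("valid email?", is_plausible_email(PAYLOAD),
          is_plausible_email("user@example.com"))
    print(CSP_HEADER)
```

Running it prints the vulnerable rendering with a live `<h1>` and `<img>` after the closed attribute, and the hardened rendering with the same characters entity-encoded inside the attribute. The CSP line is the response header a defender would add alongside the encoding fix, not instead of it.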

HTMLi ==>CSRF/SSRF

Then I directly reported that issue to the security team. After 3 days, they replied to me with this:

Then I was like

Finally, thanks for reading this blog. I hope you found it informative.

Please follow my social media accounts for further updates:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Twitter: https://twitter.com/royzsec

Github: https://github.com/royzsec

Written by Prince Roy(RoyzSec)

Cyber Security Researcher | Ex-GPCSSI2021
