Har Har Mahadev! This is Prince Roy, a cyber security researcher. A few months back I found a security issue on one of the domains of [gov.uk]. It was quite easy to find. Are you guys excited to know how I found it?
Okay! First and foremost, I got a tip from my mentor, Aditya Shende sir: websites that are directly accessible via IP address don't have much of a security layer, like Cloudflare. So, following this tip, I went to https://search.censys.io/ and put gov.uk in the search bar.
After that, I got one domain that was directly accessible by IP address. Moreover, I found a search bar there. Then I searched “hello” to test how it works.
Then I found that “hello” was reflected as ‘hello’. So, I tried to bypass this [ ‘ ’ ] and put this payload in the search bar:
hello'><img src=x onerror=confirm("You-Hacked-by-Prince!")>
Then guess what? It successfully popped up!
After seeing that, I was over the moon.
In the next step, I went to HackerOne, because the National Cyber Security Centre of the UK takes reports through HackerOne. After a few days, they triaged my report and resolved it.
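The reflection described above, as an added example that is not part of the original post or the affected site's code: it assumes the search term was echoed into a single-quoted HTML attribute, and shows that unencoded rendering beside one that encodes the output. The markup and all function names are hypothetical.

```javascript
// Added example: constructed rendering of a search box (hypothetical markup).

// Vulnerable: the query is placed inside value='...' with no encoding,
// so a single quote in the query ends the attribute early.
function renderVulnerable(query) {
  return "<input type='text' name='q' value='" + query + "'>";
}

// Characters that can close an attribute value or open a new tag.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode for HTML text and quoted-attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened: same markup, but the query is encoded before it is reflected.
function renderHardened(query) {
  return "<input type='text' name='q' value='" + escapeHtml(query) + "'>";
}

// Rough check for a test suite: how many tags does the output open?
// The template itself opens exactly one (<input ...>).
function countOpenedTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The string from the post, used here as a regression-test input.
const reported = `hello'><img src=x onerror=confirm("You-Hacked-by-Prince!")>`;

console.log(countOpenedTags(renderVulnerable(reported))); // extra tag injected
console.log(countOpenedTags(renderHardened(reported)));   // only the template's tag
console.log(renderHardened(reported));
```

Encoding at the point of output is what keeps the quote and angle brackets as data; a front-end proxy such as Cloudflare, mentioned earlier, is a second layer and not a replacement for it.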
Finally, thanks to everyone for reading this small blog of mine.