HTML injection leads to JS injection in the State of California domain.

Prince Roy(RoyzSec)
3 min read · Sep 22, 2023

Har Har Mahadev! This is Prince Roy, a cyber security researcher. Last month, I found an HTML+JS injection in one of the domains of the state of California. And thanks to Aditya Shende sir for his mentorship.


Okay, guys, I am going to tell you how I found it, with full steps. First, I did recon and enumerated all subdomains of [*]. I used Subfinder and httpx to collect the live domains:

subfinder -d | httpx -mc 200 | tee target.txt

Then I opened all the domains and found a form in one of them.

Then I submitted the payload below and found this:


After reviewing the source code,

// the request parameter is reflected, unescaped, straight into a JS string literal
var inframe_param = "<script>alert(1)</script>";
if(inframe_param == "Y"){
} else {
$("#main-content-container").css("border","1px solid #CCC");
}

I found that the parameter was not secured at all: no HTML or JS was filtered. In addition, the same value was reflected inside the double quotes of an <input> attribute in the source code, so a " closed the attribute. Then I decided to try this payload:

"><script>alert("you have been hacked by royzsec")</script>

Boom! I got a pop-up.
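The two reflection points described above, a JS string literal inside a <script> block and a double-quoted <input> attribute, modelled side by side as an added example (not code from the original write-up or from the affected site). The parameter name "inframe" and the surrounding markup are assumptions; the probe string is the payload quoted above.

```javascript
// Encode a value for HTML text and double-quoted attribute contexts.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Encode a value as a JS string literal that is safe inside <script>:
// JSON.stringify handles quotes and backslashes, and '<' / '>' are
// escaped so the HTML parser can never see "</script>" in the literal.
function toJsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The pattern the write-up found: raw concatenation into both contexts.
function renderUnsafe(inframe) {
  return `<script>var inframe_param = "${inframe}";</script>\n` +
         `<input type="hidden" name="inframe" value="${inframe}">`;
}

// Hardened version: encode for the exact context each value lands in.
function renderSafe(inframe) {
  return `<script>var inframe_param = ${toJsStringLiteral(inframe)};</script>\n` +
         `<input type="hidden" name="inframe" value="${escapeHtmlAttr(inframe)}">`;
}

// Simple check for a response-body detector: the template contains exactly
// one <script> element, so any extra opening tag means the input broke out.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed inputs: the value the page expects, and the probe from above.
const BENIGN = 'Y';
const PROBE = '"><script>alert("you have been hacked by royzsec")</script>';

console.log(countScriptTags(renderUnsafe(PROBE))); // 3: template plus two injected
console.log(countScriptTags(renderSafe(PROBE)));   // 1: only the template's own
console.log(renderSafe(PROBE));
```

The encoded JS literal still round-trips to the original value on the client, so the `inframe_param == "Y"` check keeps working for legitimate input.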

Then I was like,

But one minute, guys, I saw their policy after finding this bug, and my reaction was like

Because they had marked RXSS (reflected XSS) as out of scope from 5/9/23.

Then I started thinking about how I could turn this vulnerability into another security issue, because I wanted a Hall of Fame (HOF) listing from them. Then one thing came to mind: they had only marked RXSS out of scope, not HTMLi or JS injection. Why should I not go with those?

Then I injected the HTMLi payload:

"><h1><img src="*JIZCMl07i-cU_uPsJHPFBA.jpeg"><br>HACKED</h1>

The output was:

Wahh! Then I tried a Burp Collaborator link, as before, to get an HTTP response.

"><h1><img src="https://*"><br>HACKED</h1>

But this time, I only got my own HTTP response, not the server's or a third party's. I got my own CSRF.

Then I submitted the report in sad mode.

After one day, they accepted my report as a valid issue on Bugcrowd

and listed me in their Hall of Fame.

HOF Link:

And finally, thanks in advance for reading my small write-up.

Please follow my Social media accounts for further updates: