HTML injection leads to JS injection in the State of California domain.

Prince Roy(RoyzSec)
3 min readSep 22, 2023

Har Har Mahadev! This is Prince Roy, a cyber security researcher. Last month, I found an HTML+JS injection in one of the domains of the state of California. And thanks to Aditya Shende sir for his mentorship.

How!!!

Okay, guys, I am going to tell you how I found it with full steps. So, at first, I did recon and found out that all subdomains of [*.ca.gov]. Actually, I used Subfinder and httpx to collect whole live domains.

subfinder -d ca.gov | httpx -mc 200 | tee target.txt

then I opened all the domains and found a form in one domain

Then I put the below payload and found this

<script>alert(1)</script>

After reviewing the source code,

 $(function(){
var inframe_param = "<script>alert(1)</script>";
if(inframe_param == "Y"){
$("#main-content-container").css("border","none");
} else {
$("#main-content-container").css("border","1px solid #CCC");
}

I found that it was not secure and did not filter any kind of HTML or JS. Along with that, it just closed by [" "] in <input></input> in the source code. Then I decided to try this payload:

"><script>alert("you have been hacked by royzsec")</script>

Boom! I got pop-up

Then I was like,

But one minute, guys, I saw their policy after finding this bug, and my reaction was like

Because they marked Rxss from out of scope from 5/9/23.

Then I started thinking about how I could change this vulnerability to another security isssue because I wanted to HOF from them. Then one thing came to mind: they just marked RXSS out of scope, not HTMLi or JS injection. Why should I not go with those attacks?

Then I injected the HMLI code

"><h1><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*JIZCMl07i-cU_uPsJHPFBA.jpeg"><br>HACKED</h1>

The output was:

Wahh! Then I tried the burpcollab link like before to get an HTTP response.

"><h1><img src="https://*.burplink.net"><br>HACKED</h1>

But this time, I only got only mine HTTP response, not the server's or third party. I got my own CSRF.

Then I reported this report with sad mode

After one day they accept my report as a valid issue on Bugcrowd.

and listed on their Hall of Fame.

HOF Link: https://bugcrowd.com/cdt-vdp-pro/hall-of-fame

And finally, thanks in advance for reading my small write-up.

Please follow my Social media accounts for further updates:

Linkedin: https://www.linkedin.com/in/prince-roy-4b9a75187/

Twitter: https://twitter.com/royzsec

Github: https://github.com/royzsec

--

--