How I found an XSS vulnerability on the most prestigious engineering university in India?

You ever had that feeling of revenge, when you are like if I can’t get in that college/company, then I will crack their website and show them I am better? I never had that feeling ;).

So, today after my practical exams I wanted to let out my frustration, as I barely scribbled something on the paper, and what’s a better way to vent out frustration, than hacking websites.

I was randomly surfing websites, when I came across the login page of one of the most prestigious college in India and it seemed phi-shy, so I started looking around.

So let’s hack!

The first thing I tried was to check if I could carry out a SQL vulnerability to bypass the authentication and login, but that didn’t work out. I started visiting different pages, the contact us page (they are mostly vulnerable), then the alumni page and so on. When I visited the gallery then I made a note of the url.

As soon as I saw ‘value=large-5.jpg’, I thought to check for XSS vulnerability.

Finding the vulnerability

So, the first thing I did was to view the source of the file, where the value was being stored, it looked something like this.

“large-5" was common in the value and it was present in the php page as well

As, soon as I found that then, I tried to insert apostrophe(‘) and less than(<) and greater than (>) sign to check if the encoding was in place, which could have stopped the XSS attack but, I guess I was lucky that the encoding was not in place. From there on I went on to create the payload.

Testing with payload

Now, the job was to insert a <script> tag properly in the php page.

<img src=’gallery/large-5.jpg’ id=’dl’ width=500 height=400>

so, I tried with the following payload

’><script>alert(“Hacked”)</script><src=’

The url looked like this

and voila! The lovely dialog box appeared on the screen.

Moral

The url encoding of apostrophe(‘), less than (<) and greater than (>) was not in place which allowed me to insert the script tag. This should not have been allowed in the first place. I guess it was my lucky day, by the way website belong to one of the IITs.

If you enjoyed it please do clap and happy hacking!

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : [email protected]