Aditya Anand- Aditya Anand
How I found an XSS vulnerability on the most prestigious engineering university in India?
You ever had that feeling of revenge, when you are like if I can’t get in that college/company, then I will crack their website and show them I am better? I never had that feeling ;).
So, today after my practical exams I wanted to let out my frustration, as I barely scribbled something on the paper, and what’s a better way to vent out frustration, than hacking websites.
I was randomly surfing websites, when I came across the login page of one of the most prestigious college in India and it seemed phi-shy, so I started looking around.
So let’s hack!
The first thing I tried was to check if I could carry out a SQL vulnerability to bypass the authentication and login, but that didn’t work out. I started visiting different pages, the contact us page (they are mostly vulnerable), then the alumni page and so on. When I visited the gallery then I made a note of the url.
As soon as I saw ‘value=large-5.jpg’, I thought to check for XSS vulnerability.
Finding the vulnerability
So, the first thing I did was to view the source of the file, where the value was being stored, it looked something like this.
“large-5" was common in the value and it was present in the php page as well
As, soon as I found that then, I tried to insert apostrophe(‘) and less than(<) and greater than (>) sign to check if the encoding was in place, which could have stopped the XSS attack but, I guess I was lucky that the encoding was not in place. From there on I went on to create the payload.
Testing with payload
Now, the job was to insert a <script> tag properly in the php page.
<img src=’gallery/large-5.jpg’ id=’dl’ width=500 height=400>
so, I tried with the following payload
’><script>alert(“Hacked”)</script><src=’
The url looked like this
and voila! The lovely dialog box appeared on the screen.
Moral
The url encoding of apostrophe(‘), less than (<) and greater than (>) was not in place which allowed me to insert the script tag. This should not have been allowed in the first place. I guess it was my lucky day, by the way website belong to one of the IITs.
If you enjoyed it please do clap and happy hacking!
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : [email protected]