My first bug submission: XSS vulnerability [Bug Bounty Tip]
In this blog I will walk you through my first ever bug submission. I found an XSS vulnerability in an Indian government website and reported it ethically to NCIIPC [National Critical Information Infrastructure Protection Centre], which runs the RVDP (Responsible Vulnerability Disclosure Program) to protect Indian government assets. Check it at https://nciipc.gov.in/RVDP.html
NOTE: This is not the actual report. The report template can be found at the link shared above.
TABLE OF CONTENTS
- REPORT
- MY ANALYSIS
- INTERESTING OBSERVATION AND LESSONS LEARNED
TOPIC 1: REPORT
DESCRIPTION: XSS Vulnerability in XXXXXXXXXX Website
AUTHOR: ASHEET TIRKEY
DATE: 2 MAY 2022
AFFECTED URL: XXXXXXXXXX
VULNERABILITY: XSS
SEVERITY: High
STEPS TO REPRODUCE:
- Open the Mozilla Firefox browser and visit: XXXXXXXXXX
- In the search bar, type the following script:
"/><script>alert(document.domain)</script>
REMEDIATION:
Proper input validation should be implemented, and character encoding (of the reflected search query) and URL encoding should be applied correctly.
PROOF OF CONCEPT:
TOPIC 2: MY ANALYSIS
NORMAL SEARCH QUERY ON THE WEBSITE
PAGE RESPONSE OF THE NORMAL SEARCH QUERY
IN THE ABOVE SCREENSHOT OF THE PAGE RESPONSE
- The important tag is the input tag, and the important parameter is its value parameter (the value attribute that holds the reflected search query)
FOR XSS
- First, I tried to close the value parameter using " (double quote). [We can see in the implementation that anything within the double quotes is the user's search query.]
- Then I closed the input tag using /> (forward slash followed by the closing tag)
- Finally, I added the script <script>alert(document.domain)</script>
FINAL QUERY LOOKS LIKE THIS:
"/><script>alert(document.domain)</script>
XSS ATTACK IN ACTION
PAGE RESPONSE AFTER XSS
IN THE ABOVE SCREENSHOT OF THE PAGE RESPONSE
- The value parameter is closed using " (double quote)
- The input tag is closed using /> (forward slash followed by the closing angle bracket)
- Finally, the script gets executed
MORE HELPFUL SCREENSHOTS [for better understanding]
Script
career"/><script>alert(document.domain)</script>
PAGE RESPONSE
TOPIC 3: INTERESTING OBSERVATIONS & LESSONS LEARNED
TESTING ENVIRONMENT:
- I used Mozilla Firefox (installed version 100.0) to test the web application, and the XSS script executed successfully there
TESTING IN CHROME BROWSER (Installed Version 100.0.4896.127)
Though the web application did not implement character encoding properly, by default Chrome encodes these characters in the URL, as shown below:
- the opening parenthesis is replaced with %28
- the closing parenthesis is replaced with %29
Because of this encoding of the parentheses in the URL, this XSS script will not work in Google Chrome. This also means that Mozilla Firefox, as of now, does not encode the opening and closing parentheses.
LESSONS LEARNED
- While reporting, include the testing environment (browser and version) properly in the "Steps to Reproduce" section
Thank you for reading this blog!