My first bug submission: XSS vulnerability [Bug Bounty Tip]

Asheet Tirkey
May 23, 2022

In this blog I will walk you through my first-ever bug submission. I found an XSS vulnerability in an Indian government website and reported it ethically to NCIIPC [National Critical Information Infrastructure Protection Center], which runs the RVDP (Responsible Vulnerability Disclosure Program) to protect Indian government assets. Check it out at https://nciipc.gov.in/RVDP.html

NOTE: This is not the actual report. The report template can be found at the link shared above.

TABLE OF CONTENTS

  1. REPORT
  2. MY ANALYSIS
  3. INTERESTING OBSERVATION AND LESSONS LEARNED

TOPIC- 1: REPORT

DESCRIPTION: XSS Vulnerability in XXXXXXXXXX Website

AUTHOR: ASHEET TIRKEY

DATE: 2 MAY 2022

AFFECTED URL: XXXXXXXXXX

VULNERABILITY: XSS

SEVERITY: High

STEPS TO REPRODUCE:

  1. Open “Mozilla Firefox Browser” and visit — XXXXXXXXXX
  2. In the search bar, type the following script:

     "/><script>alert(document.domain)</script>

REMEDIATION:

Proper input validation should be implemented. Character encoding and URL encoding should be implemented properly.

PROOF OF CONCEPT:

Screenshot 1: XSS in action

TOPIC- 2: MY ANALYSIS

NORMAL SEARCH QUERY ON THE WEBSITE

Screenshot 2: Normal Search Query on the website

PAGE RESPONSE OF THE NORMAL SEARCH QUERY

Screenshot 3: Page response of the normal search query

IN THE ABOVE SCREENSHOT OF THE PAGE RESPONSE

  • The important tag is the input tag, and the important parameter is the value parameter (the input tag's value attribute).

FOR XSS

  1. First, I closed the value parameter using " (double quote). [We can see in the implementation that anything within the double quotes is the user's search query.]
  2. Then I closed the input tag using /> (forward slash followed by the closing angle bracket).
  3. Finally, I added the script <script>alert(document.domain)</script>

FINAL QUERY LOOKS LIKE THIS:

"/><script>alert(document.domain)</script>

XSS ATTACK IN ACTION

Screenshot 4.1: XSS Attack in Action
Screenshot 4.2: XSS Attack in Action

PAGE RESPONSE AFTER XSS

Screenshot 5: Page Response after XSS attack, script executed successfully

IN THE ABOVE SCREENSHOT OF THE PAGE RESPONSE

  1. The value parameter is closed using " (double quote)
  2. The input tag is closed using /> (forward slash followed by the closing angle bracket)
  3. Finally the script got executed
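
The breakout described above and the encoding fix from the REMEDIATION section, side by side, as an added example that is not code from the affected website or from the report. The form template and the parameter name q are constructed for illustration; only the reflection inside value="..." and the search query come from this write-up.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the search page: the write-up only shows that the
# query is reflected inside the value="..." attribute of an input tag.
TEMPLATE = '<form><input type="text" name="q" value="{term}"/></form>'
PAYLOAD = '"/><script>alert(document.domain)</script>'  # query from the write-up


def render_vulnerable(term):
    """Reflect the search term verbatim, as the affected page did."""
    return TEMPLATE.format(term=term)


def render_escaped(term):
    """Encode the term for the HTML attribute context before reflecting it."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class _Inspector(HTMLParser):
    """Records the tags and input values an HTML parser sees in a response."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def inspect_response(markup):
    """Return how many script elements exist and what the input value holds."""
    parser = _Inspector()
    parser.feed(markup)
    parser.close()
    value = parser.values[0] if parser.values else None
    return {"script_tags": parser.tags.count("script"), "input_value": value}


if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped):
        page = render("career" + PAYLOAD)
        print(render.__name__, inspect_response(page))
        print("   ", page)
```

Because the encoding happens on the server at output time, the result does not depend on which browser sent the request.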

MORE HELPFUL SCREENSHOTS [for better understanding]

Script

career"/><script>alert(document.domain)</script>

PAGE RESPONSE

TOPIC- 3: INTERESTING OBSERVATION & LESSONS LEARNED

TESTING ENVIRONMENT:

  • I used Mozilla Firefox (installed version 100.0) to test the web application, where the XSS script executed successfully

TESTING IN CHROME BROWSER (Installed Version 100.0.4896.127)

Though the web application did not implement character encoding properly, “by default Chrome is doing character encoding in the URL”, as shown below.

  • opening parenthesis replaced with %28
  • closing parenthesis replaced with %29

Screenshot: Google Chrome default character encoding

Because of this character encoding of parentheses “in the URL”, this XSS script will not work in Google Chrome.

This also means that Mozilla Firefox, as of now, is not doing character encoding on the opening and closing parentheses.

LESSONS LEARNED

  • While reporting, include the testing environment in the “Steps to Reproduce” section properly

Thank you for reading this blog!