Reflective XSS on a schooling site

Shivansh Malik
Jun 4, 2021

Hi,

This is my second writeup. I was able to reproduce a Reflective XSS finding. The vulnerability was not too hard to exploit; it was like the most basic XSS (not <script>alert(1)</script>, lol). Basically, I am a school kid and I am learning hacking. I thought that instead of hopping straight onto HackerOne and Bugcrowd, I should start by hacking my own school's site :) So let's get started on our writeup.

If you don't know what XSS is: cross-site scripting is an injection vulnerability. It happens when an application takes user-controlled input and writes it into an HTML page without encoding it for that context, so markup and event handlers in the input are interpreted by the browser as part of the page. In the reflected (or "reflective") variant, the input arrives in a request parameter and is echoed straight back in the response, so an attacker delivers it through a link the victim clicks. The attacker's JavaScript then runs in the victim's browser, in the origin of the vulnerable site, with access to that site's cookies, storage and DOM. The root cause is on the server (missing output encoding); the impact is on the client side.

I was browsing through the site. Everyone knows every school site has a "Photo Gallery" where all the good moments, festivals, celebrations etc. are stored to be visible to the public. When I got there, a clear Content Spoofing vulnerability was visible because a request parameter was reflected into the page and could be adjusted. But I thought that instead of reporting this minor risk, I could escalate it to something greater, so I tried injecting basic HTML tags. My luck was really great! The following tags were reflected unencoded:

  1. <img></img>
  2. <svg></svg>
  3. <a></a>

After that, I went to the PortSwigger XSS Cheatsheet. It is a great site for filtering payloads by the tags and event handlers you want. For this session I used an onanimationend payload, thinking that there would be some blocking of the usual handlers. But luckily a simple copy-pasted payload worked. The payload was:

<style>@keyframes x{}</style><img style="animation-name:x" onanimationend="alert(1)"></img>

So let's look at this payload. The <style> block defines an empty CSS animation named x. The <img> tag is then given animation-name:x, so the browser starts (and, because the animation has no keyframes and no duration, immediately finishes) that animation as soon as the element is rendered. Finishing it fires the animationend event, and the onanimationend handler runs alert(1). No user interaction is needed, no <script> tag is used, and none of the commonly blocked handlers (onload, onerror, onclick) appear, which is why this payload is useful when a filter blocks the obvious ones. The closing </img> is redundant (img is a void element) and the browser just ignores it.
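The following is an added example (not code from the original post or from the school site) that shows the three server-side behaviours discussed above: a gallery page that reflects a parameter unencoded, a naive tag/handler blocklist that still lets the onanimationend payload through, and proper HTML output encoding that neutralises it. The gallery template, the parameter name and the blocklist are assumptions made for illustration; the payload is the one from the write-up. It runs under Node.js.

```javascript
// Added example, not part of the original write-up. Demonstrates why a
// reflected parameter is XSS, why a blocklist is not a fix, and what is.
// The template, parameter and blocklist below are assumed for illustration.

// Payload from the write-up: no <script>, no onload/onerror, no user click.
const PAYLOAD =
  '<style>@keyframes x{}</style><img style="animation-name:x" onanimationend="alert(1)"></img>';

// 1. Vulnerable: the "album" request parameter is concatenated into the HTML.
function renderGalleryUnsafe(album) {
  return `<h2>Photo Gallery: ${album}</h2>`;
}

// 2. Common but broken fix: strip a blocklist of scary tags and handlers.
//    Anything not on the list (here, onanimationend) passes straight through.
function naiveFilter(input) {
  return String(input)
    .replace(/<\s*\/?\s*script[^>]*>/gi, '')
    .replace(/\bon(load|error|click|mouseover)\s*=/gi, '');
}
function renderGalleryNaive(album) {
  return `<h2>Photo Gallery: ${naiveFilter(album)}</h2>`;
}

// 3. Correct fix for an HTML text context: encode the characters that have
//    meaning in HTML, so the browser renders the input as text, not markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderGallerySafe(album) {
  return `<h2>Photo Gallery: ${escapeHtml(album)}</h2>`;
}

// Crude check used to compare the three outputs: is there a real tag that
// carries an on*= attribute? Fine for a demo, not a substitute for a parser.
function containsEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demo
console.log('unsafe  :', containsEventHandler(renderGalleryUnsafe(PAYLOAD)));  // true
console.log('naive   :', containsEventHandler(renderGalleryNaive(PAYLOAD)));   // true
console.log('encoded :', containsEventHandler(renderGallerySafe(PAYLOAD)));    // false
```

The naive filter does catch the textbook `<img src=x onerror=alert(1)>`, which is exactly why it feels like a fix and why the cheat-sheet's less common handlers are worth trying. Encoding on output is the correct control because it does not depend on guessing which tags or attributes an attacker will use; if the parameter also lands inside a JavaScript string or a URL attribute, that context needs its own encoder.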

I used this payload, and it worked without any changes or encoding. I was really happy and reported it to my computer teacher. They appreciated it, and the vulnerability has been resolved. Thanks to:

pmnh: for training me in XSS. All credit goes to that guy :)

So that was my second writeup. I hope you guys have a great time. Bye!
