XSS in Email Login Fields:

Raghav
3 min read · Apr 28, 2021

Hello, I am Raghavendra, currently working as a senior security analyst at a reputed organization. Today I want to share how I found an XSS vulnerability in email fields, so let’s get started.

Description: Cross-Site Scripting (XSS) is a vulnerability in a web application that allows a third party to execute a script in the user’s browser. XSS allows an attacker to inject JavaScript code into the page. The code is executed on the client’s machine, not on the server.

Sorry, as per their disclosure rules I can’t name the target, so let’s call it xyz.com.

After selecting the target xyz.com, I started searching for any input fields available for testing for XSS. As I guessed, there were some input fields, like a search bar, where the user can give input. I tried a lot of different ways to achieve the goal of finding XSS, but it was no use. My hopes were going down that I couldn’t find XSS on the target site xyz.com; I got depressed, shut down the system for a while and took a coffee break.

Some time later I had a different idea: what if I tried the email login fields? Unfortunately, the target xyz.com has a login page for clients, so I tried some basic ways to find XSS. After a long time I finally found a way to find XSS in email fields. So let’s see how I found the vulnerability.

Step 1: Check whether the target xyz.com has an email login field.

Step 2: Open an online RFC822 email validator and build your own XSS payload.

Step 3: Here my payload is "><svg/onload=confirm(1)>"@gmail.com

Step 4: Check whether the given payload is valid or not.

Step 5: After getting confirmation that the given payload is valid, I chose that payload for finding whether there is XSS or not.

Step 6: Open the website and paste the payload in the email field.

Step 7: I gave a sample password, because I don’t have an account.

Step 8: Click login and check whether reflected XSS is working or not. If it is reflected, then there is XSS in the email field.

Boom!!! I was shocked and can’t explain my happiness at finding XSS in email fields.

Impact

Reflected XSS: an attacker can execute malicious JavaScript code in the target application (through the email input specifically). It is highly recommended to fix this because it is found in a sensitive input (email).
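
Passing an RFC 822 validator, as in steps 2 to 5, says nothing about whether an address is safe to echo into HTML. The added example below (not code from the original post or from the target site; the function names and the login markup are assumptions) shows the same address accepted by a loose RFC-style pattern, rejected by a strict allow-list, and neutralized by output encoding.

```javascript
// Added example: names and markup below are constructed for illustration.

// Loose RFC 822/5322-style pattern: like online validators, it permits a quoted local part.
const RFC_STYLE = /^(?:[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+|"(?:[^"\\\r\n]|\\.)*")@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Strict allow-list for a login form: no quoted local part, no HTML metacharacters.
const STRICT = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;

function isRfcStyleEmail(s) { return RFC_STYLE.test(s); }
function isStrictEmail(s) { return s.length <= 254 && STRICT.test(s); }

// Output encoding for HTML text and quoted attribute contexts.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// "Before": the failed-login page echoes the submitted address unencoded.
function renderLoginVulnerable(email) {
  return `<input type="email" name="email" value="${email}">`;
}

// "After": same page, value encoded for the attribute context.
function renderLoginHardened(email) {
  return `<input type="email" name="email" value="${escapeHtml(email)}">`;
}

// The address from step 3 of the write-up, typed with straight quotes.
const SAMPLE = '"><svg/onload=confirm(1)>"@gmail.com';

function demo() {
  return {
    rfcValid: isRfcStyleEmail(SAMPLE),       // syntactically valid per the loose pattern
    strictValid: isStrictEmail(SAMPLE),      // rejected before it reaches the template
    vulnerable: renderLoginVulnerable(SAMPLE),
    hardened: renderLoginHardened(SAMPLE),
  };
}
console.log(demo());
```

Encoding at output is the fix for the reflection itself; the strict allow-list is defense in depth and will reject some unusual but legitimate addresses.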

References:

https://hackerone.com/reports/361957
