Hacking Cambridge University, a simple XSS exploit!
Hey hackers! I hope you guys are doing well! Here I’m back with another writeup of an easy XSS I found on the University of Cambridge’s website! The bypass or payload was very easy, but finding a valid web security vulnerability in Cambridge makes me feel proud, and that’s the only reason I’m writing this. Though I was acknowledged by Cambridge University for finding a P1 (critical) vulnerability before (https://thejulfikar.xyz/achivements/)! That vulnerability was that I could retrieve all the raw requests that were passing to the server!
Whatever the date was, it was March 12. Mohammad Golam Rabbi, one of my juniors in bug bounty, had tagged me on Facebook. He was asking for a solution to an XSS he was trying on Cambridge’s website. I checked his payload, which seemed correct, but the pop-up wasn’t firing!
I crawled the URL he shared and found an endpoint like this: “https://localhost/release-4.0/aspect.do?name=". I tried the string “thejulfikar” and got a response like this:
This response made me smile!
The string ‘thejulfikar’ was reflected inside the <title> tag, so whatever we enter in the ‘name=’ parameter is reflected into the <title> tag unescaped! So, what do we do? Browsers treat the contents of <title> as raw text (RCDATA): nothing between <title> and </title> is parsed as markup, so a bare <script> tag placed there is just shown as text in the title, which is why the original payload didn’t fire. To trigger an XSS here, we first have to close the tag, and then our payload will work. To close the tag, I put ‘</title>’ before the string and checked the response again, which looked like this:
As you can see, the title tag is closed here, and the rest of the string lands outside it! Now we can put our payload here, and we don’t have to worry about the rest of the page or the original ‘</title>’ tag that follows, because our payload is self-contained and closes its own tags.
Then I simply entered the payload ‘<script>alert(“XSS by thejulfikar”)</script>’ in the ‘name’ parameter.
I rendered the response in my browser, and the XSS fired!
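To make the mechanics above concrete, here is an added example (my own code, not the page’s or the Cambridge application’s) that models the vulnerable page and the fix. The response template and the endpoint name are assumptions; the only thing taken from the writeup is that the ‘name’ parameter is reflected verbatim into <title>. The checker approximates the browser’s RCDATA rule for <title>: once the start tag is seen, nothing is parsed as markup until a ‘</title’ end tag, so a <script> tag only counts if it lands outside the title element.

```python
import html
import re

# Constructed stand-in for the vulnerable response: the `name` parameter is
# reflected verbatim into the <title> element (assumed template, not the real page).
def render_vulnerable(name: str) -> str:
    return (
        "<html><head>"
        f"<title>Aspect: {name}</title>"
        "</head><body><h1>Aspect</h1></body></html>"
    )

# Hardened variant: HTML-encode the reflected value so '<' can never start a tag,
# and in particular can never form the '</title' sequence that ends the RCDATA section.
def render_fixed(name: str) -> str:
    return (
        "<html><head>"
        f"<title>Aspect: {html.escape(name, quote=True)}</title>"
        "</head><body><h1>Aspect</h1></body></html>"
    )

_TITLE_OPEN = re.compile(r"<title\b[^>]*>", re.IGNORECASE)
# The tokenizer only leaves RCDATA on '</title' followed by whitespace, '/' or '>'.
_TITLE_CLOSE = re.compile(r"</title(?=[\s/>])", re.IGNORECASE)


def markup_outside_title(document: str) -> str:
    """Return the document with the text of every <title> element removed.

    Approximates the HTML tokenizer's RCDATA rule for <title>: after the start tag,
    characters are emitted as plain text until the first '</title' end tag, so no tag
    in between (including <script>) is recognised. What survives here is real markup.
    """
    out = []
    pos = 0
    while True:
        start = _TITLE_OPEN.search(document, pos)
        if not start:
            out.append(document[pos:])
            return "".join(out)
        out.append(document[pos:start.end()])
        close = _TITLE_CLOSE.search(document, start.end())
        if not close:
            # Unterminated title: everything up to EOF is text, never markup.
            return "".join(out)
        pos = close.start()


def script_would_execute(document: str) -> bool:
    """True if a <script> start tag exists outside any <title> element."""
    return re.search(r"<script\b", markup_outside_title(document), re.IGNORECASE) is not None


if __name__ == "__main__":
    plain = "<script>alert(1)</script>"            # the payload that did not fire
    breakout = "</title><script>alert(1)</script>"  # the payload that closes the title first
    print("plain payload, vulnerable page :", script_would_execute(render_vulnerable(plain)))
    print("breakout payload, vulnerable   :", script_would_execute(render_vulnerable(breakout)))
    print("breakout payload, fixed page   :", script_would_execute(render_fixed(breakout)))
```

Run as a script it prints False, True, False: the bare <script> payload stays inert inside the title, the ‘</title>’ prefix breaks out and the script lands in <head> where the browser runs it, and after output encoding the same payload is rendered as harmless text. The stray original ‘</title>’ left after the injected script is a parse error the browser simply ignores, which is why the payload needs no further cleanup.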
“About the author: Muhammad Julfikar Hyder is a bug bounty hunter and cybersecurity enthusiast. You can follow them on Twitter at @thejulfikar for more security tips and updates on their latest findings.”