MULTIPLE TIMES I HACKED DUKE UNIVERSITY WITH RXSS VULNERABILITY!!!

I'm going to share another of my Reflected Cross-Site Scripting scenarios.

As you know, I don't believe in automation and I prefer a manual approach.

Have a look at my steps and the methodology I used for my findings.

Duke University is my target.

First of all, start with Google Dorks. I always start with dorks like this one:

site:*.duke.edu inurl:/login

Using this dork you'll be able to find the login panels of Duke University.

And there I found the target where I would start my XSS hunting.

I discovered a Forgot Password function, and next to it another function called Account Lookup. Sometimes the Forgot Password function is not working properly, whereas the Account Lookup function works properly.

So the Account Lookup function asks me to enter the Legal First/Given Name, Legal Last/Family Name and Birth Year.

1. Then I entered xss<> into Legal First/Given Name and Legal Last/Family Name. Here, as you can see, the Given Name is reflected in my response body.

2. After sending the request, my Given Name (xss<>) was reflected in the response body without being properly sanitized.

3. Then I crafted a script payload, injected it into the Given Name parameter and got a pop-up.
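The reflection check from steps 2 and 3 and the fix the site needed, as an added Python example that is not code from the original post or from Duke: the response text and function names are constructed stand-ins for the Account Lookup page, and the only input used is the harmless xss<> marker from the write-up.

```python
import html

# Harmless marker from the write-up: if its '<' and '>' come back raw,
# the server is writing user input into HTML without encoding it.
PROBE = "xss<>"


def render_lookup_vulnerable(given_name: str, family_name: str) -> str:
    """Constructed stand-in for the Account Lookup response: the submitted
    names are concatenated straight into the HTML body, which is the defect
    the write-up found (reflected, unsanitized Given Name)."""
    return (
        "<p>No account found for Given Name: " + given_name
        + ", Family Name: " + family_name + "</p>"
    )


def render_lookup_fixed(given_name: str, family_name: str) -> str:
    """Same response with HTML entity encoding applied to every reflected
    value, so the marker is displayed as text instead of parsed as markup."""
    return (
        "<p>No account found for Given Name: " + html.escape(given_name, quote=True)
        + ", Family Name: " + html.escape(family_name, quote=True) + "</p>"
    )


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """Step 2 of the write-up as a regression check: True when the probe is
    present in the body with its angle brackets intact, i.e. the page is
    unsafe and needs output encoding."""
    return probe in body


def reflects_escaped(body: str, probe: str = PROBE) -> bool:
    """True when the probe is reflected only in its entity-encoded form."""
    return html.escape(probe, quote=True) in body and probe not in body


if __name__ == "__main__":
    for name, render in (("vulnerable", render_lookup_vulnerable),
                         ("fixed", render_lookup_fixed)):
        body = render(PROBE, PROBE)
        print(f"{name}: unsafe reflection = {reflects_unescaped(body)}")
```

Run the same check against a saved response body from a real form to confirm a fix before closing a report.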

I reported this flaw and they recognized it multiple times.

Youtube Video: https://youtu.be/bpPcd9OrnZo

Thanks for taking the time to read my write-up. Share it with your friends, and like and follow for more updates.

Amit Kumar Biswas @Amitlt2

SECURITY ANALYST | SECURITY RESEARCHER | ACK. BY APPLE, MICROSOFT, SAMSUNG, SOUNDCLOUD, ACCENTURE, TAKEAWAY & MANY MORE | R&D IN BLOCKCHAIN TECH | B.TECH IN CSE