Finding Bug DMRC Reflected Xss and HTML Injection

Dear colleagues,

I am Hacker Halt, a cybersecurity researcher specializing in bug bounty hunting and red team engagements. Recently, I identified a vulnerability within the subdomain of dmrc.org, specifically a reflected XSS (Cross-Site Scripting) and HTML injection flaw within the GET parameter.

Today, I would like to elucidate the methodology behind uncovering such vulnerabilities on websites, which can result in recognition and rewards through bug bounty platforms and private programs.

It’s important to note that dmrc.org was selected as a random target to assess its security posture. The identified bug has since been addressed by dmrc.org, following my responsible disclosure.

Here’s a breakdown of how I identified this bug on the DMRC website:

Subdomains Analysis: Utilizing tools such as Gobuster, available at [https://github.com/OJ/gobuster], I probed for subdomains to comprehensively assess the attack surface.Discovery of Hidden Directories: Through enumeration techniques, including the use of wordlists such as SecLists [https://github.com/danielmiessler/SecLists], hidden directories were uncovered for further investigation.Identification of Vulnerable Parameters: Focused analysis on parameters within URLs revealed vulnerabilities, specifically in the GET parameter structure.Exploitation and Enumeration: Armed with knowledge of the vulnerability, I crafted payloads to exploit the identified XSS and HTML injection flaws, thereby illustrating the potential impact of the issue.

In summary, the identified vulnerability on https://intranet.dmrc.org/department/login/login.php?msg= allows for reflected XSS and HTML injection attacks. This flaw stems from inadequate input validation, enabling attackers to inject malicious scripts or HTML code into the search results page, potentially leading to various forms of exploitation including unauthorized data disclosure and session hijacking.

To reproduce the vulnerability, one can visit the following URLs:

https://intranet.dmrc.org/department/login/login.php?msg=<img src=x onerror=alert(document.cookie)>https://intranet.dmrc.org/department/login/login.php?msg=<script>alert(1)</script>

Upon execution, the injected JavaScript code will execute within the victim’s browser session.

Recommendations for remediation include implementing content-based escaping mechanisms for user inputs, particularly within parameters susceptible to injection attacks, such as the redirect parameter in this instance.

The impact of this vulnerability is significant, as it allows attackers to execute arbitrary JavaScript code within the context of the affected webpage.

Submitted by: Abhishek Aswal

Please refer to the accompanying proof-of-concept video for further clarification. https://youtu.be/ZqwDJ8YqW3Y?si=v75jk4zyusrdfO10