Hello Cyber Security Enthusiast. I’m back again with another article of XSS. In this article, I’ll explain how I got an unexpected XSS and How I was able to exploit it. Let’s start without any delay.

XSS (Cross-site Scripting) is a wonderful type of bug, Everyone like that cute popup. We can do so many things with it like CSRF, Open Redirection, SQLi, SSRF, XXE, HTMLi, etc. But exploiting it is not always easy. A lot of vulnerabilities are still missed every day because the wrong attack vector was used. In this article, I want to present how I was able to get Zero Day XSS in Railway Portal.

So, a few months ago after taking a little break, I was surfing Indian Government websites. I was normally checking what type of technologies they are using, programming languages, Updated or outdated versions of Servers, CMS, LMS, etc. Then I came across to IRCTC Portal. My Burpi ❤ was running in the background. I was just testing Input Validation in that portal. It was getting encoded whenever I enter HTML tags or any symbols. The server was encoding the user’s input. I tried to encode payload, breaking the syntax, closing tags, custom payloads, etc. and almost every possibility to get popup or Injection vulnerability (not brute forcing), But It won’t work.

After 10–15 minutes of testing, I saw that my Terminal IP was reflected down there. The first thing that came into my mind is to try to inject in User Agent, but no luck there, then I tried on Referer Header still did not work, then I tried different headers which are works for IP routing and we have also used it for bypass the rate limit.

X-Forwarded: foo>
X-Forwarded-By: foo>
X-Forwarded-For: foo>
X-Forwarded-For-Original: foo>
X-Forwarder-For: foo>
X-Forward-For: foo>
Forwarded-For: foo>
Forwarded-For-Ip: foo>
X-Custom-IP-Authorization: foo>
X-Originating-IP: foo>
X-Remote-IP: foo>
X-Remote-Addr: foo>

After trying these many headers, I checked responses one by one. And I got reflected input in response. That header was “X-Forwarded-For”. Whatever value I typed it was reflected in response as it is. Then I tried HTML tags and it was reflecting in response. Then I got HTML Injection, Open Redirection, and XSS (Cross-site Scripting).

As we know It was a portal so there was also mentioned version of it. So, I did some recon through Shodan and got 5 more domains that were using the same version of that portal. I tried the above method to inject XSS and I got all domains were vulnerable to this bug.

I quickly made detailed reports and sent those reports to concerned authorities. And they acknowledged my reports. That’s it, guys! Thanks for reading. See you next time. ‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎‎Till then Eat-Sleep-Hack-Repeat!