Alhamdulillah !!
ٱلْحَمْدُ لِلَّٰهِ
This is the story of how I got my first Hall Of Fame. And I got it from the United Nations. 🎉🎊
After the recon process, I started manual testing on each subdomain. While visiting the subdomain " centre.humdata.org ", I found a search functionality.
So, the first thing that came to my mind was to abuse that functionality to find vulnerabilities. As far as I know, these search boxes can be vulnerable to 3/4 things:
- SQL Injection (SQLi)
- Cross Site Scripting (XSS)
- Client Side Template Injection (CSTI)
- Server Side Template Injection (SSTI)
So, I put in my magic payload to find these vulnerabilities with just a single hit. It has three parts:
- ' ----> for testing SQL Injection
- "><svg/onload=prompt(5);> ----> for testing Cross Site Scripting
- {{7*7}} ----> for testing SSTI & CSTI
And I got a popup. 🥳 The simplest XSS, and it led me to a Hall Of Fame in the United Nations.
After I reported the vulnerability they triaged it, and after almost one month they fixed it and added my name to the United Nations Information Security Hall Of Fame.
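To show why that single probe produced a popup, here is an added example (my own illustration, not the author's code and nothing taken from humdata.org) that reflects the same probe into an assumed search-results template, first unescaped and then HTML-escaped, with a small check a defender can run on the rendered page:

```python
"""Reflected XSS in a search box: vulnerable vs. hardened rendering.

Added example, not the write-up's code. The template, function names and
the idea of reflecting the query in two places are assumptions for
illustration; the probe string is the one from the write-up.
"""
from html import escape

# Composite probe from the write-up: SQLi quote, XSS tag, template expression.
PROBE = "' \"><svg/onload=prompt(5);> {{7*7}}"
# The part of the probe that must never reach the browser as live markup.
XSS_MARKER = "<svg/onload=prompt(5);>"

# Assumed results-page template: the query is reflected in two HTML contexts,
# inside a quoted attribute value and inside an element body.
TEMPLATE = (
    '<form><input type="text" name="q" value="{q}"></form>\n'
    "<p>Results for: {q}</p>"
)


def render_vulnerable(query: str) -> str:
    """Echo the query verbatim. The '">' in the probe closes the input's
    value attribute and tag, so <svg onload=...> lands as live markup."""
    return TEMPLATE.format(q=query)


def render_hardened(query: str) -> str:
    """Escape <, >, &, ' and " before reflecting; the probe is then inert
    text in both the attribute and the element body."""
    return TEMPLATE.format(q=escape(query, quote=True))


def reflects_unescaped(page: str) -> bool:
    """Defender-side check: does the rendered page still contain the raw
    <svg ...> tag from the probe? True means the reflection is exploitable."""
    return XSS_MARKER in page


if __name__ == "__main__":
    print("vulnerable reflects raw tag:", reflects_unescaped(render_vulnerable(PROBE)))
    print("hardened reflects raw tag:  ", reflects_unescaped(render_hardened(PROBE)))
```

The same check applied to a real page shows whether a fix actually escaped the reflection rather than just blocking one payload.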
📝 Reported at : January 14, 2022
👨🔧 Fixed at : February 8, 2022
I am really happy to have worked with the United Nations and helped secure them.
My first Hall Of Fame. 1st HOF in United Nations ( @UN, @humdata ) as well as in my life.
— Md. Shahriar Alam Shaon 🇧🇩 (@0xshahriar) February 11, 2022
Though I got the mail 💌 3 days ago from OICT Security Team. I just saw that. So, thought to share my happiness with you. 🎊🎉 https://t.co/e4yY7PM5MD #0xshahriar #bugbountylife pic.twitter.com/7S2WrCzL23
You can check the POC video from here,
./keep_hacking_the_world 🥳🎊🎉🐞