How I Offered Free 1 Lakh Rupees Through Government Website?
2021-10-23 19:53:20 Author: infosecwriteups.com

Hey Hackers, it’s me Krishnadev P Melevila, a 19-year-old self-taught cyber security researcher.

Today I am going to write a report on a bug that I found on an Assam government website which opens the door to social engineering.

So let’s start,

The website is https://rtps.assam.gov.in/ which is maintained by National Informatics Center.

Steps to reproduce from the attacker’s point of view:

1. Go to https://rtps.assam.gov.in/ and there you can see a search form like the one shown below.

2. Enter this code into that search form and click search:

<a href="https://krishnadevpmelevila.com/Vulnerablity-Proof">Click to get Rs.100000/- from Assam government.</a>

3. Now we get the window shown below. That means we have successfully injected a link into the site.

4. Now copy the URL of the page: https://rtps.assam.gov.in/site/search?service_name=%3Ca+href%3D%22https%3A%2F%2Fkrishnadevpmelevila.com%2FVulnerablity-Proof%22%3EClick+to+get+1+Lakh+Rupees+from+Assam+government.%3C%2Fa%3E

5. That’s all that is needed to carry out the social engineering successfully. But to increase the victim’s trust, an attacker can use a link shortening service like Bitly and shorten the link as given below: https://bit.ly/3iXplds

6. Now when a victim clicks on that link, it first goes to the Assam government website. There the victim will see an offer like “Click here to get 1 lakh rupees from Assam government” (or whatever the attacker writes), and as soon as the victim clicks on that link, the victim is redirected to a phishing page or any other malicious page.

In this way, an attacker can defame the Assam government website and redirect its users to malicious websites.
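The root cause is that the `service_name` query parameter is reflected into the results page without HTML escaping. As an added example (not the page’s or NIC’s code; the template, the `attacker.example` host and the access-log lines are constructed), the snippet below renders the reflection both unescaped and escaped, and then scans constructed web-server log lines for query parameters that carry HTML tags, which is the check a defender would add to detection:

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical stand-in for the search results template.
# The only difference between vulnerable and fixed is html.escape().
def render_search_page(service_name: str, escape_output: bool) -> str:
    shown = html.escape(service_name, quote=True) if escape_output else service_name
    return f"<h2>Results for: {shown}</h2>"

# The same kind of anchor payload the write-up describes (constructed host).
PAYLOAD = '<a href="https://attacker.example/">Click to get Rs.100000/- from Assam government.</a>'

def contains_injected_anchor(page: str) -> bool:
    """True if the rendered page carries a live <a href=...> tag from user input."""
    return re.search(r"<a\s+href=", page, re.IGNORECASE) is not None

# Constructed access-log lines in common log format; 203.0.113.0/24 is documentation space.
LOG_LINES = [
    '203.0.113.5 - - [13/Oct/2021:10:01:02 +0530] "GET /site/search?service_name=birth+certificate HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Oct/2021:10:02:45 +0530] "GET /site/search?service_name=%3Ca+href%3D%22https%3A%2F%2Fattacker.example%2F%22%3EClick+here%3C%2Fa%3E HTTP/1.1" 200 5304',
]

REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+)')
HTML_TAG_START = re.compile(r"<\s*[a-z]", re.IGNORECASE)

def flag_injection_attempts(log_lines):
    """Return (parameter, decoded value) pairs whose decoded query value looks like an HTML tag."""
    hits = []
    for line in log_lines:
        m = REQUEST_PATH.search(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so %3Ca+href becomes '<a href'
        for key, values in parse_qs(urlparse(m.group(1)).query).items():
            for value in values:
                if HTML_TAG_START.search(value):
                    hits.append((key, value))
    return hits

if __name__ == "__main__":
    print(render_search_page(PAYLOAD, escape_output=False))  # tag survives: vulnerable
    print(render_search_page(PAYLOAD, escape_output=True))   # tag rendered as text: fixed
    print(flag_injection_attempts(LOG_LINES))
```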

This vulnerability has now been patched by the National Informatics Center on the basis of my report, on 13-10-2021, and the HTML injection is no longer possible.

Don’t forget to follow me on medium and other social media.

My Instagram handle: https://instagram.com/krishnadev_p_melevila

My Twitter handle: https://twitter.com/Krishnadev_P_M

My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/

My cybersecurity course selling website: https://learn.nodeista.com/

My personal website: http://krishnadevpmelevila.com/


Article source: https://infosecwriteups.com/how-i-offered-free-1-lakh-rupees-through-government-website-6c10e16130fc?source=rss----7b722bfd1b8d--bug_bounty