How I was able to Hack the Aadhaar Card Official Website
Hello, amazing people out there,
I am Parshwa Bhavsar, and this blog is all about how I was able to find an #XSS by bypassing the firewall (WAF).
This was back in January 2021, when I was hunting on Indian Govt. websites.
I reported 150+ web application vulnerabilities to the Indian Govt. and got my name in the NCIIPC Newsletter (April 2021).
I was among the top 15 security researchers from all over India in the month of April 2021.
So, on to the topic. I wanted to find my favourite vulnerability, XSS, in a very important web application or one that has a large number of daily visitors.
I did some research and came to know about the UIDAI website, which is the official website for any type of work related to the Aadhaar card.
After some recon and gathering endpoints, I found a page where we can request printing of the PVC Aadhaar card. This page has basically 3 input fields: 1. Aadhaar number, 2. Enter Security Code, 3. Enter OTP.
Here, the Aadhaar Number field was vulnerable to XSS.
I checked the request and response and came to know that it was blocking JavaScript execution. I guess the WAF rules had been set that way.
But I could inject simple HTML tags, and they executed successfully on the page.
In the end, I tried the following payload and it executed successfully.
Payload:
"><marquee onmouseover=alert(document.cookie)>Hover Me</marquee>
The vulnerability has been patched now.
It is so satisfying to secure Indian cyberspace.
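The defensive side of the finding above, as an added example that is not part of the original post or the site's code: a WAF rule that blocks script still leaves the attribute breakout open, so the field is validated against an allow-list and encoded on output. It is written in JavaScript (Node.js); the field name uid and all function names are assumptions.

```javascript
// Added example. Field name "uid" and all function names are hypothetical.
const PAGE_PAYLOAD = '"><marquee onmouseover=alert(document.cookie)>Hover Me</marquee>';
const SAMPLE_NUMBER = '1234 5678 9012'; // constructed sample, not a real number

// The five characters that can change context in HTML text or a quoted attribute.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: applied at the point where a value is written into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Allow-list validation: exactly 12 digits once grouping spaces are removed.
// Anything else is rejected instead of being "cleaned" by a deny-list.
function parseAadhaarNumber(raw) {
  const compact = String(raw).replace(/\s+/g, '');
  return /^[0-9]{12}$/.test(compact) ? compact : null;
}

// Before: raw reflection into a quoted attribute. A leading "> closes the
// attribute and the tag, so any markup that follows is parsed as HTML.
function renderFieldUnsafe(raw) {
  return `<input type="text" name="uid" value="${raw}">`;
}

// After: invalid input is never echoed back, and valid input is still encoded.
function renderFieldSafe(raw) {
  const uid = parseAadhaarNumber(raw);
  const value = uid === null ? '' : uid;
  return {
    accepted: uid !== null,
    html: `<input type="text" name="uid" value="${escapeHtml(value)}">`,
  };
}

console.log(renderFieldUnsafe(PAGE_PAYLOAD)); // markup breaks out of the attribute
console.log(escapeHtml(PAGE_PAYLOAD));        // same input, inert after encoding
console.log(renderFieldSafe(PAGE_PAYLOAD));   // rejected, empty value rendered
console.log(renderFieldSafe(SAMPLE_NUMBER));  // accepted, digits only
```

Because the payload on this page reads document.cookie, marking the session cookie HttpOnly is a further layer that limits what an injected handler can read.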
Impact:
The impact of an exploited XSS vulnerability on a web application varies a lot. It ranges from hijacking of the user's session to, when used in conjunction with a social engineering attack, disclosure of sensitive data, CSRF attacks and other security vulnerabilities.
If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
I hope you enjoyed the blog. I will continue to serve my nation :)