Reflected XSS on Byjus(My first bug)

Around a year back, schools had started to implement an online mode of learning. I had to complete my chemistry assignment and was too lazy to study for it. That’s why I went to byjus.com, an Indian ed-tech startup to look for answers to the question. The message on the placeholder of the search tab was extremely weird(They don’t have that on the search tab anymore but they do have it on the comment box, maybe try for Stored XSS 😉)

LOL! 😂

What is a hacker going to do now?

So I started to investigate. I started by entering a word in the query that I know is not on the website already. I use ‘mysplxssbug’. Once I get the results, I look at the source code and see where it gets reflected.

(1)Entering my query
(2)Looking for the same word

It gets reflected on 3 places on the site and on appending special characters to the query(eg:- ><’”;), it gets URL encoded on all the places except on the title.

(3)Payload not encoded in the title section

As you can see, the payload isn’t encoded but it doesn't get executed either. That is because the image tag doesn't work inside the title tag. So all I had to do was balance it.

New payload:- myfirstxssbug</title><img src=x onerror=alert(1)>

(4)Works!
Yay

That is how I found my first bug thanks to my chemistry class. And also please don’t expect visitors to follow instructions on the placeholders, some might be hackers and won’t hesitate to experiment. Writing a warning like this will just get more people to tinker with it(चोर की दाढ़ी मैं तिनका).

SECURITY!

Since then I have found 9 more bugs. I will share write-ups on all of them in due time.

Thank you for reading.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store