Reflected XSS on Byjus(My first bug)

Vikaran
3 min read · Sep 13, 2021


Around a year back, schools had started to implement an online mode of learning. I had to complete my chemistry assignment and was too lazy to study for it. That’s why I went to byjus.com, an Indian ed-tech startup, to look for answers to the question. The message in the placeholder of the search box was extremely weird (they don’t have it on the search box anymore, but they do have it on the comment box, so maybe try for stored XSS 😉).

LOL! 😂

What is a hacker going to do now?

So I started to investigate. I began by entering a word in the query that I knew was not on the website already. I used ‘mysplxssbug’. Once I got the results, I looked at the source code to see where it got reflected.

(1) Entering my query
(2) Looking for the same word

It gets reflected in 3 places on the site, and on appending special characters to the query (e.g. ><’”;), it gets URL-encoded in all of those places except the title.

(3) Payload not encoded in the title section

As you can see, the payload isn’t encoded, but it doesn’t get executed either. That is because the browser treats everything inside the title tag as plain text, so an image tag written there never becomes an element. All I had to do was balance it: close the title tag first, and then the image tag is parsed normally.

New payload:- myfirstxssbug</title><img src=x onerror=alert(1)>

(4) Works!
Yay

That is how I found my first bug, thanks to my chemistry class. Also, please don’t expect visitors to follow the instructions on a placeholder; some might be hackers who won’t hesitate to experiment. Writing a warning like this only gets more people to tinker with it (as the Hindi saying goes, there’s a straw in the thief’s beard).

SECURITY!

Since then I have found 9 more bugs. I will share write-ups on all of them in due time.

Thank you for reading.
