I wasn't trying to "hack" anything.
I was just exploring how a website handled input… specifically a search box. Something we all use without thinking twice.
But one small observation changed everything.
Whatever I typed into the search field… the application reflected it back exactly as it was.
No filtering. No changes.
That's when the question hit me:
"What if the input isn't just text?"
The moment it clicked
I tested with a controlled input — and the browser executed it.
Not as text. As code.
That confirmed it: A reflected XSS vulnerability
At first glance, it looks simple.
But here's the real problem:
An attacker could craft a malicious link and share it with a victim. The moment the victim opens it, the injected script runs in their browser.
That opens the door to:
- Phishing redirection
- User deception
- Client-side attacks
All from something as basic as a search feature.
What I did next ?
Instead of going further, I followed responsible disclosure.
I reported the issue to the National Critical Information Infrastructure Protection Centre (NCIIPC)
The report was acknowledged and forwarded to the concerned team.
What this taught me
This wasn't just about finding a bug.
It changed how I look at systems:
- Small features can hide real vulnerabilities
- Input validation is often underestimated
- Impact matters more than the bug itself
- Responsible disclosure is part of the process
That day, I didn't just find a vulnerability.
I realized how easily trust in a system can be broken — and how important it is to handle that responsibility the right way.
This is just the beginning.