Week-3 Cybersecurity Internship at Cyber Leelawat

Shubham Solanki

Introduction

This week marked a shift from basic reconnaissance to real-world web application security testing.

Web Application Bug Hunting is not about running tools blindly. It's about understanding how a web application processes input, identifying weak points, and then exploiting those weaknesses in a controlled and ethical way.

During Week-3 of my Cyber Security Internship at Cyber Leelawat, I focused on:

  • Identifying client-side vulnerabilities
  • Analyzing server responses
  • Exploiting input handling flaws
  • Understanding the real impact of vulnerabilities

Unlike previous weeks, this phase required manual thinking, logic, and creativity — not just tools.

Tools & Platforms Used

  • Burp Suite → Intercepting and modifying HTTP requests
  • TryHackMe (XSS Labs) → Learning payload crafting
  • Practice environments like PortSwigger labs / Altoro Mutual

These tools helped simulate real-world bug hunting scenarios.

1. Cross-Site Scripting (XSS)

XSS is one of the most common and dangerous web vulnerabilities. It allows attackers to execute JavaScript in a victim's browser.

A. Reflected XSS

What Happened

The application failed to sanitize user input in the search parameter.

Proof of Concept

<script>alert(1)</script>

When injected into the search field, it triggered a browser alert — confirming execution.

Why This is Serious

This is not just a popup. An attacker can:

  • Steal session cookies
  • Hijack user accounts
  • Redirect users to malicious sites

Fix

  • Apply output encoding
  • Convert << and >>
  • Never render raw user input

B. Stored XSS

What Happened

The application allowed scripts to be stored in the comment section.

Proof of Concept

A malicious script was injected into a comment, which executed automatically for every user visiting the page.

Why This is Worse

Stored XSS is more dangerous than reflected XSS because:

  • It persists on the server
  • It affects every user
  • No interaction required after injection

Fix

  • Strict input validation
  • Output encoding
  • Implement Content Security Policy (CSP)

XSS Training (TryHackMe)

I completed hands-on labs focused on:

  • Payload crafting
  • Context-based injection
  • Bypassing filters

This helped move from basic payloads → real attack logic.

2. Information Disclosure

Most beginners ignore this. That's a mistake.

Information disclosure is often the starting point of serious attacks.

A. Error Message Disclosure

What Happened

The application returned detailed error messages when invalid input was passed.

Example:

  • Java exceptions
  • Backend stack traces

What It Revealed

  • Backend language: Java
  • Database: PostgreSQL
  • Internal code behavior

Why This is Dangerous

Attackers use this information to:

  • Craft targeted payloads
  • Identify weak endpoints
  • Develop advanced exploits

Fix

  • Show generic error messages to users
  • Log technical details internally only

B. Source Code Disclosure (Critical)

What Happened

By analyzing robots.txt, a hidden directory was found:

/backup

Inside it, sensitive files were exposed.

What Was Found

  • Java source code
  • Hardcoded database credentials

Example:

username: postgres  
password: i05cpwgsipai0to3gorxvt0qj98m7d1a

Why This is Critical

This is not a "bug" — this is a complete security failure.

An attacker can:

  • Directly access the database
  • Modify data
  • Fully compromise the system

Fix

  • Remove backup files from public directories
  • Disable directory listing
  • Never store credentials in source code

3. HTML Injection

This is often underestimated — but it's still dangerous.

Reflected HTML Injection

What Happened

The application rendered HTML input directly into the page.

Proof of Concept

<h1>Hacked by Shubham</h1>

The page displayed a large heading instead of plain text.

Impact

  • Website defacement
  • Fake login forms (phishing)
  • Malicious links injection

Fix

  • Escape all user input
  • Use secure templating engines

What Actually Matters (Hard Truth)

Most beginners think:

"I found XSS = I'm a hacker"

That's wrong.

The real value is:

  • Can you chain vulnerabilities?
  • Can you explain business impact?
  • Can you go from bug → real damage?

This week exposed that gap clearly.

Key Skills Gained

  • Intercepting and modifying HTTP requests using Burp Suite
  • Identifying hidden files via robots.txt
  • Exploiting XSS and HTML Injection
  • Understanding real-world impact of vulnerabilities
  • Writing proper security reports with mitigation

Conclusion

Week 3 was the point where things became real.

Instead of just scanning and observing, I:

  • Exploited vulnerabilities
  • Understood how applications break

Learned how small mistakes lead to major security risks

This stage is where cybersecurity shifts from theory → practical attack thinking.

And the reality is simple:

Most applications are not secure because developers trust user input more than they should.