Root > Articles > Hacks >

Owning your graduation

Feb 13, 2022 • Yousef Amar • 1 min read

Here's a quick one to motivate myself to write more. My PhD graduation ceremony is next week (yes, years late thanks to covid and being late in general). My alma mater uses for booking gowns and photography etc.

This page looks old (the design agency that built it has a 2004 copyright on their homepage) and seems very rickety. As I was making an order, I noticed that the text in an info box was in the URL as a parameter. Naturally I tried modifying it, and lo and behold: was here! :)

Could it be that... yes it could: was here! :)<script>alert('My graduation')</script>

This is a website that takes payments, so I'll let you use your imagination on how someone malicious can get creative with this and intercept payments simply by sending unsuspecting victims a link.

Disclosure timeline