Got Easiest Bounty with HTML injection via email confirmation!

Shaurya Sharma
Mar 11, 2020 · 2 min read

HTML injection is an attack very similar to Cross-site Scripting (XSS), whereas in XSS the attacker can inject and execute Javascript code, in HTML injection attack it allows only the injection of certain HTML tags.

LET’S GO HUNTERS!!

  • I register on the site, with the name “Shaurya” surname “Sharma” email {xxxx@mail.com} Temp-Mail (Disposable Email)
  • After registration, comes a message asking the user to validate their account through an email confirmation.

“-Please Shaurya Sharma, validate your account through a link sent to xxxxx@mail [.] Com”

<h1> Email confirmation </h1>

<p> Hello Shaurya Sharma, here is the link to confirm your email.

http://xxxxxx.org.in/Login/id=8829234?q

</p>

We noticed that the site recorded the user’s name as HTML in the database, and now when requesting confirmation, the HTML injected by the user is able to break the original email sent by the system.

Testing HTML injection:

  • I created a new account, named ` ”> <img src = (Link/Location) `and surname test, then the site returns the answer:-

“Please“> <img src =” https://i.redd.it/l1yy7vaasqv31.jpg “> test, validate your account using a link sent to xxxxxx@mail [.] Com ”

OUTPUT >

Hello,

, here is the link to confirm your email http://xxxxxx.org.in/Login/id=8829234?q

DONE !! Now you can inject any malicious input/code in the “Name” field text box, ant the output is reflected in the confirmation email.

Impact Example-: In banking systems, it can be used to obtain information about the victim’s card or request some unusual payment.

KEEP HUNTING …

#CyberVerse #Togtherwehitharder #bugbounty #webapplication

Cyber Verse

You are under survillence.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store