How You Can Earned €150 in 2 Minutes
How I Earned €150 in 2 Minutes | HTML injection in email
Introduction :
Hello all, hope you’re OK. Our journey today is about how I found HTML Injections in email a bug bounty program in just a few minutes with a cool technique. Let’s begin and call our target example.com
What is HTML Injection?
1-HTML Injection also known as Cross Site Scripting. It is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.
2-HTML injection is a vulnerability where an application accepts user input and then embeds the input into HTML. A malicious user can inject HTML through the user input so that their malicious HTML is embedded into the overall HTML generated by the application.
Steps to Reproduce :
1- Navigate to https://www.example.com
2- I can see that feedback pop-up on this website.
3- Fill the form and enter the HTML payload in feedback column and enter the victim email. click on ‘send’ button.
Payload ; <img src=”https://static.wikia.nocookie.net/mrbean/images/4/4b/Mr_beans_holiday_ver2.jpg">
4- Check Email inbox, HTML tag will be executed.
And Boom !!
Serious Vulnerability :
~ Abusing other users
~ Defacing
~ Phishing
Impact :
HTML injection, Phishing attacks This vulnerability can lead to the reformatting/editing of emails from an official "Target official" email address, which can be used in targeted phishing attacks.This could lead to users being tricked into giving logins away to malicious attackers.Perhaps an attacker using this type of vulnerability. Chances of sending 18+ images are very high. Misconceptions about a company’s name can have an impact on people.
POC LINK : https://youtu.be/1Uvy-Jb6F1I
Resolutions :
Sanitizing and validating inputs is usually the first layer of defense. Sanitizing consists of removing any unsafe character from user inputs, and validating will check if the data is in the expected format and type.
Comments