.png)
2 months ago
29 BOOK THIS SPACE FOR AD
ARTICLE AD
Hello guys today lets learn how to find another easy bug called HTML INJECTION. This can be your first valid bug if you are exhausted by submitting low severity or duplicate vulnerabilities.
HTML injection is a vulnerability that allows an attacker to insert malicious HTML code into a web page.
Step1: Go to the account creating page of the target you are hunting.
Step2: Now use the payload <h1>Hacked</h1><br><br> on the name first name field and second name field and enter rest of the details and click submit.
IF YOU GOT THE EMAIL WITH THE HTML PAYLOAD IS TRIGGERED THEN THEIR IS A HTML INJECTION VULNERABILITY.
IN THE EXAMPLE BELOW YOU CAN SEE THE WHERE THE PAYLOAD IS GETTING TRIGGERED ON THE RECEIVED EMAIL.
NOW SEE THE NEXT EXAMPLE WHERE THE PAYLOAD IS NOT TRIGGERING, IN THE BELOW CASE THEIR IS NO HTML INJECTION IS FOUND.
The payload we used is injecting the word Hacked in h1 tag and the <br> is giving space you can see in the image one the word hacked is in h1 tag and the br is also triggered but in the second image the payload is directly shown in the email without triggering the payload.
1. Defame the company
2. Redirect users to malicious websites by using malicious url as payload.
3. Attackers can redirect users to a fake website and stole the credentials.
Don’t allow special characters on the input fields especially in the first and last name fields.
I hope you all get an idea to find this bug, their are some other ways to find this also. If the website is not sending any email after registration try password reset if the payload triggered in the password reset email then you can report this. If you have any doubts ask me in the comments I am happy to help.
HAPPY HUNTING…….
#bugbounty #hacking #cybersecurity #ethicalhacking #infosec #kalilinux #pentesting #linux #informationsecurity #hackers #cybercrime #exploit #ransomware #malware #hackerman #cyberattack #programming #security #ethicalhacker #coding #python #cybersecurityawareness #metasploit #networksecurity #termux #hackingtools #ceh #hackthebox #javascript #cybersec #hackertools #htmlinjection
Bengali (Bangladesh) · 
English (United States) ·