.png)
2 months ago
31 BOOK THIS SPACE FOR AD
ARTICLE ADHello readers how are you, i hope all of you are doing great.
I am back with another writeup for the community:
I was just searching for private programs for hyperlink injection on google after choosing a random program i was just click on blog then will reached at https://target.com/blog
scroll down and see that there was a submit form having name and email field with the help of that we can subscribe to the platform for new blog posts notifications, then i immidiately injected html and ssti payload
{{8*8}}/”><A HREF=bing.com>HELLO</A”>
in name field and my email in email field then “click keep me updated button” yes i received an email but some malicious characters removed from the payload and some were cached as it is
then i again went to submit form and injected simple hyper link payload like “ sign in here evil.com and get 100$ bonus” in name field and click the submit button and went to my inbox and my hyper link was successfully injected
I was surprised, but not 100% sure about bounty or acceptance of bug, because some programs dont take serious this bug, i was reported and forget it on 14 AUG 24
on 28 AUG 24 morning i recieved an email
“Hello.
I hope you’re well.
Your report has been verified and has been awarded with low severity.
Please send us a PayPal invoice amounting to 50.00 USD
This will be the assigned security reference for this issue.
Again, congratulations and happy hunting.”
Thats it.
Thank you for the reading
will see you soon. in sha Allah..
Till then take care
Bengali (Bangladesh) · 
English (United States) ·