Bug Type: HTML Injection in Confirmation Email!


Vaibhav Kumar Srivastava

Hey everyone! This is about another low-hanging fruit (I’m still not a pro) in one of the web applications listed by OpenBugBounty.

For those of you who don’t know about OpenBugBounty, it is a responsible disclosure platform that allows independent security researchers to report XSS and similar security vulnerabilities on any website they discover using non-intrusive security testing techniques (Copied this line from Wikipedia).

Let’s start with the findings!

First thing, I always try to explore the mind-map of any website as a naive user. Then I registered myself in the web application by injecting HTML and XSS payloads in all possible input fields (first name, last name, etc.).

The web application (let’s call it vamp.com) sent a confirmation email to the registered email address but still allowed me to explore the web application, so I ignored the confirmation email for the moment and checked all the pages where the input fields appear to see whether the payload was getting reflected. Unfortunately, no reflection of the HTML payload or popup for XSS occurred on any of the pages.

It was already 3 AM, so I thought I would continue after a good sleep. The very first thing I do in the morning is check my emails, and while I was scrolling, my eyes suddenly stopped on the same confirmation email received from “vamp.com”. I opened the email and saw my name in bold letters (Figure 1). Was that functionality, or was it the reflection of the payload?

Fig 1. HTML payload reflecting in email

I hopped on my system and registered with a different email ID, this time using a different payload for the first name and last name fields. Guess what! The payload was reflecting as expected (Figure 2).

Fig 2. HTML payload reflecting in email

Steps to Reproduce:

Step 1: Register on the web application and try to inject a combination of HTML and XSS payloads in all the possible input fields (Figure 3).

Fig 3. Registration page

Fig 4. HTML payload

Step 2: Check whether the payload is reflected in the received confirmation email, as most of the time the confirmation email fetches the name from the first name and last name input fields (example: Hey! First name last name).
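The root cause and its fix on the application side, as an added example that is not part of the original post or of the affected application's code: the registration fields are interpolated into the HTML body of the confirmation email without output encoding. The template text, function names and addresses below are assumptions made for illustration.

```python
import html
from email.message import EmailMessage

# Hypothetical template; the real application's template is not shown in the post.
TEMPLATE = "<html><body><p>Hey! {first} {last}, please confirm your account.</p></body></html>"


def render_unsafe(first: str, last: str) -> str:
    """Vulnerable pattern: registration fields are pasted into the HTML body as-is."""
    return TEMPLATE.format(first=first, last=last)


def render_safe(first: str, last: str) -> str:
    """Hardened pattern: HTML-encode every user-controlled field before interpolation."""
    return TEMPLATE.format(first=html.escape(first, quote=True),
                           last=html.escape(last, quote=True))


def build_confirmation(to_addr: str, first: str, last: str) -> EmailMessage:
    """Build a multipart message: plain-text part plus an escaped HTML alternative."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "no-reply@example.com"  # placeholder sender address
    msg["Subject"] = "Confirm your account"
    # Plain-text part: markup has no meaning here, so it is displayed literally.
    msg.set_content(f"Hey! {first} {last}, please confirm your account.")
    msg.add_alternative(render_safe(first, last), subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    """Return the decoded HTML body of the message."""
    return msg.get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    # Constructed sample input: a harmless bold tag, matching what Figure 1 describes.
    first, last = "<b>Vaibhav</b>", "Srivastava"
    print(render_unsafe(first, last))   # tag reaches the mail client as markup
    print(html_part(build_confirmation("user@example.com", first, last)))
```

With the escaped version, the mail client displays the tag characters literally instead of rendering the name in bold.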

Thanks a lot for reading! Stay curious, stay protected!

Feel free to get connected ===>

YouTube channel: https://www.youtube.com/channel/UCYm4DMbIqHaOWhJh5JV4Bxw

LinkedIn: https://www.linkedin.com/in/vaibhav-kumar-srivastava-378742a9/
