E-mail Template — HTML Code Injection

3 years ago 185
BOOK THIS SPACE FOR AD
ARTICLE AD

Ignatius Michael

This is a story of a vulnerability discovered in a land far FAR away. With my part-time teaching gig coming to an end, I find myself with more time to spend during the weekend. On Friday 23rd of April 2021, I decided to start cracking lacking and went happy hacking — that sounds lame. I went to my untouched H1 (hackerone) profile and picked a random program to join.

This issue was triaged and indeed is a dupe — sad… very sad.

The application — first look, nothing too crazy, just an application where customers can navigate around to see what this company is all about, containing sign in and sign up buttons, etc. Then, I discovered a bright <random coloured> button popped up

“Click me to be wait-listed in our program” (Message has been altered to avoid unintentional irresponsible disclosure)

I clicked on it and the button led me to a page asking for my name and e-mail. I have two e-mails I used for this bounty, the first e-mail was used to see what what the “confirmation” e-mail and requests look like on a regular workflow. To-not-my surprise, the request contains a “POST” method with JSON “name” value as “Bugcrowdme2” (please don’t ask why I used this name even though I was doing an H1 program). Checking my e-mail, this is what I received!

What would happen if I try to inject an HTML <a> tag, would it get rendered?

I followed the application’s regular workflow again, however, this time I entered the following payload as “name”. Using GUI did not work since it has client-side checking mechanism, so I had to enter “random text”, intercept it with BurpSuite, and entered this payload which gave me a 400 error and some “parsing” issue with JSON

<a href=”<URL>”>bugcrowdme2</a>

With a simple tweak to the payload, I was able to inject the following payload onto the “name” field.

Once the request is forwarded, sure enough — I got the following e-mail on my second testing account. You can see that the “name” is now hyperlinked to google.ca (you can see this if you hover over your name with the cursor)

Impact: Attackers could use this to perform phishing attack, leading legitimate customers to an attacker-controlled domain.

Read Entire Article