I’m a security researcher, and I’ve taken on the challenge of explaining one bug bounty report every day for the next 30 days — 30 reports!
The goal is to make these reports easy to understand, share the cool stuff I learn along the way, and inspire others to dive into the world of bug bounties too. Whether you’re a pro or just curious, I hope you’ll find something interesting in this series.
I’ll also share useful tips at the end of each report to help you level up your bug-hunting game. Let’s get started!
Today’s Report: HTML Injection Vulnerability in Snapchat Newsroom
A researcher discovered an unauthenticated HTML injection vulnerability in the Newsroom section of Snapchat. The issue lies in the ?q= parameter of the search functionality, allowing attackers to inject arbitrary HTML code into the webpage.
The affected endpoint is:
https://newsroom.snap.com/[code_country]/search?q=
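How a reflected search term turns into HTML injection, and the output encoding that stops it, shown as an added example that is not taken from the report or from Snap's code. The renderer functions, the page template and the newsroom.example host are hypothetical.

```javascript
// Added illustration: hypothetical search-results renderer, not Snap's code.

// Encode the five characters that let text break out of HTML text
// or quoted-attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read q from the request URL. URLSearchParams percent-decodes it, so the
// template receives exactly the characters the sender supplied.
function getQuery(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') ?? '';
}

// Vulnerable pattern: q is concatenated into the markup unchanged, so any
// tags it carries become part of the page.
function renderSearchVulnerable(requestUrl) {
  const q = getQuery(requestUrl);
  return `<main><h2>Results for "${q}"</h2><input name="q" value="${q}"></main>`;
}

// Hardened pattern: q is encoded at the point of output, in both the text
// node and the attribute value.
function renderSearchSafe(requestUrl) {
  const q = escapeHtml(getQuery(requestUrl));
  return `<main><h2>Results for "${q}"</h2><input name="q" value="${q}"></main>`;
}

// Regression check: count opening tags in the rendered page. The template
// itself has three (main, h2, input); any more means input became markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample request carrying a harmless marker element in q.
const SAMPLE_URL =
  'https://newsroom.example/en-US/search?q=' + encodeURIComponent('"><h1>marker</h1>');

console.log('vulnerable tag count:', countTags(renderSearchVulnerable(SAMPLE_URL)));
console.log('hardened tag count:  ', countTags(renderSearchSafe(SAMPLE_URL)));
```

A tag-count assertion like this fits in a unit test for any template that echoes request parameters, so a later change that drops the encoding fails the build.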