Hello. Today I will share my latest finding: an iframe injection in a chatbot that allows HTML injection (HTMLi) in emails.
I was looking for a target to hunt on and noticed that I had one private program, so I decided to hunt on it. I noticed that the target has only one scope, the main domain app.redacted.com.
So I visited the target app.redacted.com and noticed there is only a chatbot.
Then I tried to input some XSS payloads, but none of them worked, so I took a look at the page source, and there was nothing in the code either. Then I was trying an <a> href injection, but by mistake I entered only the URL, and I noticed that the chatbot displayed the URL like an iframe tag.
Display the URLs
Then I tried to input some HTMLi payloads in it, but none of them worked. Right after that I entered a link to a jpg file from a web page, and the chatbot displayed it.
After this the chatbot asked for an email address. I gave it my email and it sent me the support details. After some time I received the email and, boom, I saw the Google link and the jpg file in the preview in my email. So I reported this bug, and after 2 days I got a response from the triage team.
The bug had been reported by another researcher 2 years ago, but it is still not fixed.
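One way to close this on the sending side, as an added example (not the target's code and not part of the original report): escape the chat text before it goes into the support email and never turn a user-supplied URL into an embedded element. The function names, the allowlist and the choice to defang non-allowlisted URLs are assumptions made for illustration.

```javascript
// Added example: renders untrusted chat text into a support-email HTML body.
// All names here are hypothetical; the allowlist is an assumption.
const ALLOWED_LINK_HOSTS = new Set(["app.redacted.com"]);
const URL_RE = /https?:\/\/[^\s<>"']+/gi;
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that could open a tag or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// A URL is only ever emitted as a plain <a> for allowlisted hosts; anything
// else is defanged so the mail client neither auto-links nor previews it.
// No code path emits <iframe>, <img> or any other embedding element.
function renderUrl(raw) {
  let host = null;
  try {
    host = new URL(raw).hostname.toLowerCase();
  } catch (err) {
    host = null; // unparsable: fall through to the defanged form
  }
  if (host !== null && ALLOWED_LINK_HOSTS.has(host)) {
    const safe = escapeHtml(raw);
    return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
  }
  return escapeHtml(raw.replace(/^http/i, "hxxp").replace(/\./g, "[.]"));
}

// Walk the message, escaping text between URLs and routing URLs via renderUrl.
function renderMessageForEmail(message) {
  const text = String(message);
  let out = "";
  let last = 0;
  for (const match of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, match.index)) + renderUrl(match[0]);
    last = match.index + match[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample inputs, mirroring what the write-up typed into the bot.
const samples = [
  "https://www.google.com",
  "look https://example.com/pic.jpg <iframe src=//x>",
  "docs: https://app.redacted.com/help?a=1&b=2",
];
for (const s of samples) console.log(renderMessageForEmail(s));
```

The hostname check uses the parsed URL, so a value such as `https://app.redacted.com@evil.example/x` is treated as `evil.example` and defanged rather than linked.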
Thank you !!
My Twitter handle