How I Bypass CSP that allow a iframe injection in a chat bot + HTML injection on emails

Hello Today

I will share my latest my finding iframe injection in a chat bot which allows for htmli in emails

I was finding target to hunt I notice that I have one Private program so I decide to hunt on and I notice that the target as one one scope the main domain

so I Visit the target app.redacted.com and notice there is only chatbot

Then I tried to input some XSS payloads none of them work so I take a look into the web source there is code there is also nothing Than I was trying to put <a> href injection but by mistake a Just input the only url and then I notice that the chatbot was display the url like a iframe tag

Then I tried to input some HTMLi payload in it none of them work but just after I input a jpg file link from webpage and it displaying it

So after this chatbot ask for email I give him my email and it send me support details after some time I received my email and boom I see that the google link and the jpg file in preview into my emails so I reported this bug and after 2 days I got response from triage team

The bug was reported by another researcher 2 years ago but still the bug not fix

Thank you !!

My Twitter handle