How I Found HTML Injection?


Raccoon

Hello Hackers,

The target was a web application for travelling and booking flight tickets. It had a feature that lets you create a trip and send invitations to other users to join that trip. You have to enter the user's email address and a message, and the message is sent to the user's email. I tried entering HTML code in the message input: it creates the text "Click The Button" as an <h1> heading, plus a button that redirects to bing.com, so it looked like this:

After that I sent the invitation to the victim's email, and the HTML was rendered.

The button is under the mouse cursor; I know it's small.

On clicking that button, the victim is redirected to bing.com, as I programmed it.

Impact

This bug leads to ATO, as the attacker can exploit it by crafting a fake "join the trip" button; when the victim clicks it, they are redirected to a phishing page or any other malicious site. Remember that the email is sent by the company itself, so it looks trustworthy and the victim won't suspect anything.
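As an added illustration (not the author's code and not the target's actual implementation), the following Python shows the kind of email-building code that produces this bug next to a version that escapes the user-supplied fields, plus a server-side check that flags invitation messages carrying markup. The template, names, sample message and URLs are assumptions constructed for the example.

```python
import html
import re

# Constructed sample: the kind of invitation message the write-up describes
# (an <h1> heading and a link dressed up as a button). Not the author's payload.
INJECTED_MESSAGE = (
    '<h1>Click The Button</h1>'
    '<a href="https://bing.com"><button>Join</button></a>'
)

# Assumed HTML email template; a real app would use a templating engine with
# autoescaping turned on, which is what build_invite_safe() emulates by hand.
TEMPLATE = (
    "<p>{inviter} invited you to a trip.</p>\n"
    "<p>Message from {inviter}:</p>\n"
    "<blockquote>{message}</blockquote>\n"
    '<p><a href="{join_url}">Join the trip</a></p>'
)


def build_invite_vulnerable(inviter: str, message: str, join_url: str) -> str:
    """Interpolates the user-controlled message straight into the HTML email.
    Any tags in `message` are rendered by the recipient's mail client."""
    return TEMPLATE.format(inviter=inviter, message=message, join_url=join_url)


def build_invite_safe(inviter: str, message: str, join_url: str) -> str:
    """Escapes every user-controlled value so it is displayed as text, not markup.
    quote=True also escapes quotes, so values are safe inside attributes."""
    return TEMPLATE.format(
        inviter=html.escape(inviter, quote=True),
        message=html.escape(message, quote=True),
        join_url=html.escape(join_url, quote=True),
    )


# Matches an opening or closing tag such as <h1>, </a>, <button type="x">.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(message: str) -> bool:
    """Defensive check: flag (or reject, or log) a free-text message that
    contains HTML tags before it is ever placed into an outgoing email."""
    return TAG_RE.search(message) is not None
```

Escaping on output is the fix; the markup check is an extra signal for logging and alerting, not a replacement for it.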

Hope you learned something new ❤
