HTML Injection in email via fname field


Hossam Hamada

Hello everyone,
I’m Hossam Hamada. Today I would like to share with you one of my discoveries in a program on HackerOne.

Let’s say the target is https://example.com

The scope included a subdomain, represented here as “x.example.com”.

- When I accessed this subdomain, I found a login page.
- I looked for a “Create Account” button but couldn’t find one.
- I guessed the endpoint for account creation, and the first attempt was correct:

x.example.com/signup

Form Details:

The signup form included the following fields:
- First Name
- Last Name
- Email
- Phone
- Company Name
- Password

Testing the Form:

- I filled out the form and, as usual, tried injecting HTML code into each input field.
- Upon clicking “Create Account,” the account was successfully created without any email verification or issues.
- I received an email with the content: “Hello + [First Name] + the site’s logo.”

HTML Injection Vulnerability:

- I noticed that the first name field was vulnerable to HTML injection. For example, when I tried `<h1>hossam</h1>`, it was rendered in the email as expected.
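To show why the first name ends up rendered as markup, here is a small, self-contained Python model of the welcome-email template described above. It is an added example, not the program’s own code: the template text, the logo URL and the function names are assumptions. It contrasts a builder that concatenates the raw first name into the HTML body with one that escapes the value at the point of output, and adds an input-side check that a defender can use to log or alert on signup values containing tags.

```python
import html
import re
from html.parser import HTMLParser

# Assumed placeholder for the site's logo block; the real template is not on the page.
LOGO_HTML = '<img src="https://example.com/logo.png" alt="Example logo">'


def build_welcome_email_vulnerable(first_name: str) -> str:
    """Raw concatenation: any markup in first_name is rendered by the mail client."""
    return f"<html><body><p>Hello {first_name}</p>{LOGO_HTML}</body></html>"


def build_welcome_email_hardened(first_name: str) -> str:
    """Escape untrusted data where it is inserted into HTML; quote=True also
    neutralises quotes, so the value is safe inside attributes as well."""
    safe_name = html.escape(first_name, quote=True)
    return f"<html><body><p>Hello {safe_name}</p>{LOGO_HTML}</body></html>"


# Loose tag pattern for detection/logging only; output escaping is the real fix.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    """Flag a submitted field that contains something that looks like an HTML tag."""
    return bool(TAG_RE.search(value))


class _TagCounter(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        self.count += 1


def count_start_tags(document: str) -> int:
    """Count the elements a mail client would actually parse from the body.
    If user input adds elements, the template has been changed by the sender."""
    parser = _TagCounter()
    parser.feed(document)
    return parser.count


if __name__ == "__main__":
    payload = "<h1>hossam</h1>"  # constructed sample input, mirrors the write-up
    print(build_welcome_email_vulnerable(payload))
    print(build_welcome_email_hardened(payload))
    print("markup in first name:", contains_markup(payload))
```

The parsed-element count makes the difference concrete: the template itself contributes four elements (html, body, p, img); with the vulnerable builder the `<h1>` from the first name becomes a fifth, while the hardened builder renders the same input as visible text and the count stays at four.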

Further Exploration:

- I attempted to log in to check if the HTML code would be applied to the first name within the platform.
- However, I couldn’t log in, as it kept showing that the email or password was incorrect, despite the account being created.
- I suspect that the company confirms accounts manually before allowing logins. This fits its business model: it provides services to other companies, and once a company has contracted for the service, that company’s accounts are confirmed and its users can log in.
- Therefore, the accounts I created are currently worthless as they won’t be confirmed, meaning I can’t use them.

Exploiting the Vulnerability:

- I reconsidered the HTML injection vulnerability in the first name field and thought about how it could be exploited.
- The email received after account creation contains only “Hello + [First Name]” followed by the site’s logo, with no indication that an account was created. This means the vulnerability could be exploited by rewriting the entire email through HTML injection, effectively controlling the content of any email sent from this template.

Example Exploitation Scenario:

- Suppose your email is `user1@gmail.com`. I could register using your email and inject malicious HTML code into the first name field. For instance, the content could be something negative like “We wish you a bad day.”
- After account creation, this message would be sent to you from the company’s support email, potentially damaging the company’s reputation with potential clients.

Increasing the Impact:

- While the impact of this scenario is low, and such reports are usually not accepted because they do not affect the program’s existing customers, I thought of a similar scenario targeting existing customers already contracted with the company. In that case, any email they receive from the company’s support but authored by me would be a significant issue with potentially severe consequences.

- The first idea was to create an account using an already registered email to trigger the email upon account creation.
- When I attempted to create an account with the same email, I received a message stating that the email already exists.
- Using Burp Suite to intercept the request, I noticed a parameter named “username” that was not present in the front-end form. This parameter had the same value as the email.
- I tried changing the username to a different value and resubmitted the request, which successfully created the account without any issues.

Conclusion:

- I discovered that it’s possible to create multiple accounts with the same email, provided the username is different. The system checks for uniqueness on the username, not the email.
- This led me to other ideas for potential vulnerabilities, but they all failed.
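The uniqueness bug is easy to model in code, and the fix is worth seeing beside it. The following Python example is added here and is not the program’s own implementation; the table layout, function names and the use of SQLite are assumptions. The vulnerable store keys uniqueness on the hidden `username` parameter the client controls, so two accounts can share one email address; the hardened store ignores the client-supplied username, normalizes the email and enforces uniqueness on it both in application code and with a database constraint.

```python
import sqlite3


class SignupError(Exception):
    """Raised when a signup request is rejected."""


def normalize_email(email: str) -> str:
    """Canonical form used for uniqueness checks (trim whitespace, lowercase)."""
    return email.strip().lower()


# --- Vulnerable variant: matches the behaviour described in the write-up ---

def open_store_vulnerable() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Only the username is unique; the email column accepts duplicates.
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT NOT NULL, first_name TEXT)"
    )
    return conn


def signup_vulnerable(conn: sqlite3.Connection, username: str, email: str, first_name: str) -> bool:
    """The front end sets username = email, but the server trusts whatever arrives."""
    try:
        conn.execute(
            "INSERT INTO accounts (username, email, first_name) VALUES (?, ?, ?)",
            (username, email, first_name),
        )
    except sqlite3.IntegrityError as exc:
        raise SignupError("username already exists") from exc
    return True


# --- Hardened variant: identity is the normalized email, enforced twice ---

def open_store_hardened() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # UNIQUE on email is the backstop even if the application check is bypassed.
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, first_name TEXT)"
    )
    return conn


def signup_hardened(conn: sqlite3.Connection, email: str, first_name: str) -> bool:
    """No client-controlled username: the server derives identity from the email."""
    norm = normalize_email(email)
    exists = conn.execute("SELECT 1 FROM accounts WHERE email = ?", (norm,)).fetchone()
    if exists:
        raise SignupError("email already registered")
    try:
        conn.execute("INSERT INTO accounts (email, first_name) VALUES (?, ?)", (norm, first_name))
    except sqlite3.IntegrityError as exc:  # race between check and insert
        raise SignupError("email already registered") from exc
    return True


def count_accounts_for_email(conn: sqlite3.Connection, email: str) -> int:
    """Audit helper: how many accounts resolve to the same mailbox."""
    row = conn.execute(
        "SELECT COUNT(*) FROM accounts WHERE lower(trim(email)) = ?",
        (normalize_email(email),),
    ).fetchone()
    return row[0]


def demo() -> tuple[int, int]:
    """Constructed sample: one victim address registered, then registered again."""
    victim = "user1@gmail.com"
    v = open_store_vulnerable()
    signup_vulnerable(v, victim, victim, "User One")          # legitimate signup
    signup_vulnerable(v, "anything-else", victim, "<h1>x</h1>")  # bypass: new username, same email
    h = open_store_hardened()
    signup_hardened(h, victim, "User One")
    try:
        signup_hardened(h, " User1@Gmail.com ", "<h1>x</h1>")
    except SignupError:
        pass
    return count_accounts_for_email(v, victim), count_accounts_for_email(h, victim)


if __name__ == "__main__":
    print("accounts per email (vulnerable, hardened):", demo())
```

The audit helper doubles as a quick check for an existing deployment: running it over every distinct email in the accounts table surfaces mailboxes that already have more than one account, which is the condition the write-up exploited.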

Successful Exploitation:

- The key point is that I can create an account with any email, regardless of whether it’s already registered in the system.
- If you are already registered, I can create an account with your email but a different username, injecting HTML code into the first name field.
- As a result, you would receive an email from the company’s support containing a message of my choosing.

Potential Impact:

- This vulnerability could significantly impact the company. An attacker could send inappropriate content to customers, potentially causing them to cancel their contracts with the company, damaging its reputation, and leading to customer loss.
- Additionally, phishing emails could be sent, and since they would appear to come from the company’s support email, customers might trust them, leading to potentially disastrous outcomes.

Thank you for Reading!

Happy Ethical Hacking ~
