Intro: Hey Hackers! Welcome to my new article on bug hunting. Today I will show you how I found an HTML injection in the mailbox via username on HackerOne. So let’s jump into it.
Let’s assume the domain is portal.domain.com. I registered an account and logged in.
In my profile settings I changed my name to some HTML and JavaScript code: <h1>test</h1> and saved it, but nothing happened.
Then I started looking at other functions and found an option to send an invitation email to a user to join my project. So I typed a valid email and sent it. And suddenly I saw the hack.
When I checked the mailbox, I found the injected HTML code rendered there through my name.
After removing the HTML tag I sent an invitation mail again and saw there were no changes.
That is how I found this vulnerability. It lets an attacker send a victim HTML-injected content in their mail to redirect them to a malicious site. After that I reported it on HackerOne.
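The fix for this class of bug is to HTML-escape the profile name at the point where the invitation email is rendered. The sketch below is an added example, not code from the original post or from the affected application: the template, the function names and the invitation link are assumptions made for illustration.

```python
import html
from email.message import EmailMessage

# Constructed template; the real application's template is not shown in the article.
INVITE_HTML = (
    "<html><body>"
    "<p>{inviter} has invited you to join the project {project}.</p>"
    '<p><a href="{link}">Accept invitation</a></p>'
    "</body></html>"
)


def render_invite_unsafe(inviter, project, link):
    """Before: the stored profile name is pasted into the HTML body as-is."""
    return INVITE_HTML.format(inviter=inviter, project=project, link=link)


def render_invite_safe(inviter, project, link):
    """After: every user-controlled value is HTML-escaped at output time."""
    return INVITE_HTML.format(
        inviter=html.escape(inviter, quote=True),
        project=html.escape(project, quote=True),
        link=html.escape(link, quote=True),
    )


def build_invite(sender, recipient, inviter, project, link):
    """Build a multipart message: plain-text part plus escaped HTML part."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    # Fixed subject: user-controlled text is kept out of the headers.
    msg["Subject"] = "You have been invited to a project"
    # The plain-text part is never parsed as markup, so the raw name is inert there.
    msg.set_content(f"{inviter} has invited you to join {project}: {link}")
    msg.add_alternative(render_invite_safe(inviter, project, link), subtype="html")
    return msg


if __name__ == "__main__":
    name = "<h1>test</h1>"  # the profile name used in the article
    link = "https://portal.domain.com/invite/EXAMPLE"  # constructed link
    print(render_invite_unsafe(name, "Demo", link))  # tag reaches the mail client
    print(render_invite_safe(name, "Demo", link))    # tag arrives as visible text
```

Escaping at render time, rather than only when the profile is saved, also covers names that were stored before the fix and any other template that reuses the same field.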
So that’s it.
THANKS FOR READING!
If you like it don’t forget to Like it and Follow me for more Articles.
Happy Hacking~