Hi everyone, it's my first blog about bug bounty, so today I'm going to share how I earned $250 with a simple HTML injection. I hope you'll enjoy it!
Let me introduce myself first. My name is Chaitanya and I've been learning web app testing for the past 6 months. I would like to thank Vedant Tekale for introducing me to this field.
Let’s get started…
So first of all I'll tell you a little bit about the target. I received a private invitation on HackerOne for a program with a large scope, but only the main domains were in scope. Whenever I test main domains, I don't go for the main functionalities like signup/signin, password reset, etc. I look for endpoints like contact us, newsletters, support, etc. Let's call the site redacted.com.
It’s time to get into the bug…
While surfing the site I came across the contact us page. There were a lot of options for getting in touch with the company, and one of them was live chat support. When I clicked it, a chat box opened; I filled out the main fields, Name and Email, and it took me to the chat page where you can talk with their support team.
I typed some random words. Then I noticed an option to get a copy of the chat with support sent by email. I clicked it and ended the chat session. I went to my mail inbox to verify, and I had received an exact copy of my chat. I followed the same process again, but instead of random words I entered an XSS payload and checked the inbox. When I opened the mail it triggered, because it was a temporary mail site. So I'm like
Immediately I did the same process, but this time I entered my own email address and entered the image payload as
<img src="https://test.com/mrbean.jpg"> and went to the inbox, and yeah, I got this
I quickly made a PoC and reported it. The next morning I got a response that it was triaged, and that same afternoon I was rewarded with $250.
Impact
This way an attacker can enter anyone's email address to send this kind of mail, which may contain malicious links or phishing content; the attacker can also insert images, which may damage the company's reputation since the email comes directly from the company.
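To show where this class of bug comes from and how it is fixed, here is an added example (my own illustration, not the target's code or anything from the report): a transcript-email builder that interpolates chat messages verbatim beside one that HTML-escapes them, plus a small check that lists any tags the template did not put there. The function names, the template and the sample transcript are constructed for this example.

```python
import html
import re

# Constructed sample transcript: the second message carries the same kind of
# image tag the post describes, i.e. attacker-controlled markup in a chat message.
TRANSCRIPT = [
    ("visitor", "hello, I need help with my order"),
    ("visitor", '<img src="https://test.com/mrbean.jpg">'),
    ("agent", "Sure, what is your order number?"),
]

# Fixed outer template of the transcript email (assumed shape, not the real one).
TEMPLATE = "<html><body><h1>Your chat transcript</h1>{rows}</body></html>"


def build_email_vulnerable(transcript):
    """Interpolates each message verbatim: any tag in a message becomes real markup."""
    rows = "".join(f"<p><b>{who}:</b> {msg}</p>" for who, msg in transcript)
    return TEMPLATE.format(rows=rows)


def build_email_safe(transcript):
    """Escapes both fields so user input is rendered as text, never as HTML."""
    rows = "".join(
        f"<p><b>{html.escape(who)}:</b> {html.escape(msg, quote=True)}</p>"
        for who, msg in transcript
    )
    return TEMPLATE.format(rows=rows)


# Tags the template itself is allowed to produce; anything else came from chat input.
ALLOWED_TAGS = {"html", "body", "h1", "p", "b"}


def injected_tags(email_html):
    """Returns the set of tag names in the email that the template did not put there."""
    found = {
        m.group(1).lower()
        for m in re.finditer(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", email_html)
    }
    return found - ALLOWED_TAGS


if __name__ == "__main__":
    print("vulnerable:", injected_tags(build_email_vulnerable(TRANSCRIPT)))  # {'img'}
    print("safe:", injected_tags(build_email_safe(TRANSCRIPT)))  # set()
```

The same escaping has to be applied to every user-controlled field that lands in the email, including the name entered before the chat starts, not just the message body.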
For a beginner like me it's challenging to find this bug on a main domain, as it was a big program and lots of reports had already been resolved.
I hope you enjoyed this. Thank you so much for taking time to read this. You can get in touch with me here.
Have a great day ;)