HTML injection in email
Hello Hunter,
I recently discovered a vulnerability that I’d like to share with you. Today, we conducted a hunt as part of a responsible disclosure program on a website called wur.nl.
We began by performing subdomain reconnaissance. Using the Sublist3r tool, we identified subdomains and saved them in a list.txt file.
- Sublist3r Tool: Sublist3r GitHub Repository
Next, we used the Aquatone tool to analyze our list of subdomains.
- Aquatone Tool: Aquatone GitHub Repository
The following command was executed:
cat list.txt | httpx -silent | aquatone -ports 80,443
This command reads the hostnames from list.txt, checks which of them respond over HTTP using httpx (the -silent flag suppresses the banner so only live URLs are passed on), and then hands those URLs to aquatone, which screenshots and reports on ports 80 and 443. The purpose is to get a quick overview of the web server infrastructure behind the hosts in the file.
I always prefer domains that offer multiple functionalities. For this demonstration, I chose a domain with various features and explored them through the Burp Suite proxy as a normal user:
- URL: deelnemersdatabase.hru.wur.nl
During our exploration, I discovered an HTML injection vulnerability in the email functionality.
What is HTML Injection?
- HTML Injection is a security vulnerability that allows an attacker to inject HTML code into web pages viewed by other users.
- In the context of this vulnerability, an application accepts user input and then embeds that input into HTML. A malicious user can inject HTML through the input, causing their code to be embedded into the overall HTML generated by the application.
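To make the mechanism concrete, here is an added Python example that is not part of the original write-up and not code from the wur.nl application. It assumes a hypothetical confirmation-email template (TEMPLATE) and a constructed username containing a harmless tag; it builds the email body the flawed way (raw interpolation) and the hardened way (html.escape), adds an input-side allow-list check, and includes a small helper that reports any tag in the rendered body that the template itself did not contribute, which is the kind of check a test suite or mail-gateway rule could run.

```python
import html
import re

# Constructed sample value for the "Username" form field. A benign tag is
# enough to show whether the mailer escapes user input.
SAMPLE_USERNAME = "Alice<b>not bold</b>"

# Hypothetical confirmation-email template; the real template used by the
# registration site is not known from the write-up.
TEMPLATE = (
    "<html><body>"
    "<p>Dear {username},</p>"
    "<p>Thank you for registering as a participant.</p>"
    "</body></html>"
)

# Tags the template legitimately contains; anything else came from input.
TEMPLATE_TAGS = {"html", "body", "p"}


def build_email_vulnerable(username: str) -> str:
    """Embeds the raw username in the HTML body (the flaw described above)."""
    return TEMPLATE.format(username=username)


def build_email_safe(username: str) -> str:
    """Escapes <, >, &, and quotes so the mail client renders them literally."""
    return TEMPLATE.format(username=html.escape(username, quote=True))


# Input-side defence in depth: an allow-list for the username field.
USERNAME_RE = re.compile(r"^[A-Za-z0-9 ._'-]{1,64}$")


def is_valid_username(username: str) -> bool:
    """True only if the username contains no characters that can form markup."""
    return USERNAME_RE.fullmatch(username) is not None


TAG_RE = re.compile(r"<[A-Za-z/][^>]*>")
TAG_NAME_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def injected_tags(body: str, expected_tags: set) -> list:
    """Return every tag in the body whose name is not part of the template."""
    found = []
    for match in TAG_RE.finditer(body):
        name = TAG_NAME_RE.match(match.group(0)).group(1).lower()
        if name not in expected_tags:
            found.append(match.group(0))
    return found


if __name__ == "__main__":
    vuln_body = build_email_vulnerable(SAMPLE_USERNAME)
    safe_body = build_email_safe(SAMPLE_USERNAME)
    print("username passes allow-list:", is_valid_username(SAMPLE_USERNAME))
    print("tags injected into vulnerable body:", injected_tags(vuln_body, TEMPLATE_TAGS))
    print("tags injected into escaped body:", injected_tags(safe_body, TEMPLATE_TAGS))
```

Output escaping is the fix that matters, because it protects every template that embeds the field; the allow-list on the way in is a second layer that also keeps markup out of any other place the username is later displayed.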
Steps to Reproduce:
1. Open the URL and click on "Register as participant".
2. Fill in the registration form, enter the HTML payload in the "Username" field and the victim's email address, then click the "Save" button.
3. Check the email inbox: the HTML tag is rendered in the received message.
Serious Vulnerabilities:
- Abusing other users
- Defacing
- Phishing
Impact:
This vulnerability allows the content of emails sent from the target's official email address to be reformatted and altered, which can then be used in targeted phishing attacks. Recipients could be duped into disclosing login information to attackers. An attacker could also use the official sender address to deliver adult (18+) content, and the resulting confusion about the company's name and reputation could affect its users.
I got a Hall of Fame (HOF) listing for this bug.