How HTML Injection in email got me my first BOUNTY!

Vedant Tekale
Jul 21, 2020

Hello, my fellow security researchers and bug bounty hunters. Today I want to share with you how I got my first bounty. A little bit of info about me:

My name is Vedant. I’m a cyber security enthusiast and a bug bounty hunter. I have been learning about bug bounty and web application hacking for about 4 months, and I love what I do.

Now let’s understand the bug.

A little bit about the target:

Our target is redacted.com (it’s a private program and the bug is not fixed yet, so I’m calling it redacted.com). Using this site we can provide courier services. We can register as a company and hire other people using invites.

The BUG:

As always, I started to do some recon on the site and just started surfing it as any normal user would. After some time I signed up for the site and was prompted to enter my company details. I filled in all the necessary details such as number of employees, company address, name, etc. I thought, why not enter an HTML injection payload in the company name field? So I entered a basic HTML injection payload.

Payload :- <a href=http://test.com>YOCLICKTHIS</a>

After that I signed up and the site redirected me to the dashboard page. I was expecting to see my HTML payload triggered, but I was disappointed as my payload didn’t work.

After some time I started to look at other functionality to find something else. In company settings there was a feature to invite other users to work for my company, so I entered my other mail ID, and when I opened the mail I was surprised. My HTML injection payload worked! I saw my ‘a’ tag got successfully executed. I quickly made a POC, wrote a good report and sent it to the company.

What’s the impact?

Because the HTML injection worked in the email, an attacker can trick a victim into clicking such hyperlinks, which redirect the victim to any malicious site, and can also host an XSS page. An attacker could also use this for phishing. All of this will surely cause some damage to the victim.
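The bug described above is a field that is encoded on one output path (the dashboard) but interpolated raw into another (the invitation email). The following is an added example, not code from the original post or from the target: a hypothetical invitation template rendered with and without output encoding, plus a guard that rejects any rendered body containing a link other than the template's own. The template, function names and invite URL are assumptions.

```python
from email.message import EmailMessage
from html import escape
from html.parser import HTMLParser

PAYLOAD = "<a href=http://test.com>YOCLICKTHIS</a>"  # payload quoted in the write-up
INVITE_URL = "https://redacted.example/invite/abc"   # constructed placeholder

# Hypothetical template; {company} is the user-controlled field.
TEMPLATE = (
    "<p>You have been invited to join {company}.</p>"
    '<p><a href="{invite_url}">Accept invitation</a></p>'
)

def render_vulnerable(company, invite_url):
    # Raw interpolation: markup in the company name becomes part of the email.
    return TEMPLATE.format(company=company, invite_url=invite_url)

def render_escaped(company, invite_url):
    # Encode for the HTML context at the point of output, in every template.
    return TEMPLATE.format(company=escape(company, quote=True),
                           invite_url=escape(invite_url, quote=True))

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a rendered body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href"))

def links_in(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    return collector.hrefs

def build_invite(company, invite_url, to_addr):
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Invitation"  # fixed text: no user input in headers
    msg.set_content(f"You have been invited to join {company}: {invite_url}")
    body = render_escaped(company, invite_url)
    # Regression guard: the only link allowed is the template's own.
    if links_in(body) != [invite_url]:
        raise ValueError("unexpected link in rendered invitation")
    msg.add_alternative(body, subtype="html")
    return msg
```

The same `links_in` check can run in a test suite against every outbound email template, since each template is a separate output path that needs its own encoding.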

After 2 days I got a response from them saying ‘Thank you for reporting this issue and we would like to reward you for your finding’ and they rewarded me with INR 5000.

Getting the first bounty is a great feeling. Thank you, Infosec community, for sharing the knowledge. If you have any doubts, you can contact me here.

I hope you learned something new reading this. Thank you so much for reading. Have a great day!
