HTML Injection inside Email Body: The First Bug I Hunted Down on a Bug Bounty Platform!

Thirukrishnan
Published in InfoSec Write-ups
3 min read · Sep 26, 2022

Hola Amigo!!

Today I got my first bug on HackerOne, which is really interesting for me, and I hope it will be the same for you too!

I observed and exploited this bug in an engagement (web app penetration testing) at my workplace and thought of looking for it in an application I was testing on HackerOne, and from the title it should be obvious to you that it indeed worked.

Before talking about the vulnerability, I want you to know that this program doesn't allow disclosure of the bug, so let the domain be target.com.

Vulnerable Feature:

target.com has a feature that allows users to sell used electronics, including mobile phones, gaming consoles, keyboards, headphones, etc.

The application prompts the user to enter some details about the product they want to sell and uses these to estimate the amount the user could get if they sell the product at a nearby outlet.

The vulnerability lies where the application calculates the estimate and sends it to the user via email.

The actual issues with the feature:

This feature had two issues that together allowed successful exploitation:

First, the web application had no control over the email address entered to receive the estimate: the user could enter any email ID they wanted, and that address would receive an email from target.com.

Second, the application takes product information from the user and embeds it into the email body without any sanitization or encoding, resulting in HTML injection.
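To make the two issues concrete from the defender's side, here is an added example (not target.com's code, which the post does not show) of how such an estimate email is typically built and how both weaknesses are closed. The field names `brand`, `model` and `condition`, the template text, the sender address and the sample payload are all constructed for illustration. The vulnerable renderer drops raw user input into the HTML template; the hardened renderer HTML-encodes every user-supplied field, the recipient is taken from the account's verified address instead of the request, and a final check compares the tags in the rendered body against the template so that any markup that slipped through a field is caught before the message leaves.

```python
import html
import re
from collections import Counter
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional


@dataclass
class EstimateRequest:
    """User-supplied fields from the 'sell your device' form (hypothetical names)."""
    brand: str
    model: str
    condition: str
    recipient: str  # address typed into the form; must NOT be trusted as-is


# Constructed template standing in for the real estimate email.
ESTIMATE_TEMPLATE = """<html><body>
<p>Hello,</p>
<p>Your estimate for the <b>{brand} {model}</b> ({condition}) is <b>{amount}</b>.</p>
<p>Visit your nearest outlet to complete the sale.</p>
</body></html>"""


def render_vulnerable(req: EstimateRequest, amount: str) -> str:
    """The flaw described in the post: user input is placed in the HTML body unescaped."""
    return ESTIMATE_TEMPLATE.format(
        brand=req.brand, model=req.model, condition=req.condition, amount=amount
    )


def render_hardened(req: EstimateRequest, amount: str) -> str:
    """Same template, but every user-controlled value is HTML-encoded first."""
    def esc(value: str) -> str:
        # quote=True also encodes " and ' so input cannot break out of attributes.
        return html.escape(value, quote=True)

    return ESTIMATE_TEMPLATE.format(
        brand=esc(req.brand), model=esc(req.model),
        condition=esc(req.condition), amount=esc(amount),
    )


def resolve_recipient(req: EstimateRequest, verified_email: Optional[str]) -> str:
    """Closes the first issue: send only to the verified address on the account.

    The address typed into the form (req.recipient) is deliberately ignored.
    """
    if not verified_email:
        raise PermissionError("estimate emails go only to a verified account address")
    return verified_email


# Matches the tag name in "<p", "</p", "< a" etc.
_TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def find_injected_tags(rendered: str, template: str = ESTIMATE_TEMPLATE) -> dict:
    """Return tag names (with counts) present in the rendered body but not in the template.

    An empty dict means the body contains exactly the markup the template defines.
    """
    expected = Counter(t.lower() for t in _TAG_NAME.findall(template))
    seen = Counter(t.lower() for t in _TAG_NAME.findall(rendered))
    return dict(seen - expected)  # Counter subtraction keeps only positive counts


def build_message(req: EstimateRequest, amount: str, verified_email: Optional[str]) -> EmailMessage:
    """Assemble the outbound email with both fixes applied plus a last-line check."""
    body = render_hardened(req, amount)
    injected = find_injected_tags(body)
    if injected:
        # Should be unreachable with render_hardened; acts as a guard against regressions.
        raise ValueError(f"unexpected markup in outbound email: {injected}")
    msg = EmailMessage()
    msg["From"] = "estimates@target.com"  # constructed sender address
    msg["To"] = resolve_recipient(req, verified_email)
    msg["Subject"] = "Your trade-in estimate"
    msg.set_content(body, subtype="html")
    return msg


if __name__ == "__main__":
    # Constructed payload of the kind the post describes: an anchor tag in a product field.
    req = EstimateRequest(
        brand='<a href="https://attacker.example/confirm">Confirm your payout</a>',
        model="Phone X", condition="good", recipient="victim@example.com",
    )
    print("vulnerable:", find_injected_tags(render_vulnerable(req, "$120")))  # {'a': 2}
    print("hardened:  ", find_injected_tags(render_hardened(req, "$120")))    # {}
    print("sent to:   ", build_message(req, "$120", "owner@example.com")["To"])
```

The tag-diff check is cheap enough to run on every outbound message, but it is most useful as a unit test on the rendering layer: feed each user field a value containing markup and assert that `find_injected_tags` returns an empty dict.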

Exploitation and Impact:

Combining the two, an attacker can craft a malicious email for use in social-engineering attacks and deliver it through target.com's mail servers from their official email ID.

So I entered some random information about the product to sell, captured the request responsible for generating the email using Burp Proxy, and injected HTML tags into the parameters that get reflected in the email body.

And voila!!!! The injected HTML tags were rendered in the email body sent to the victim (in this case, my personal email).

I crafted an email containing an anchor tag pointing to a Burp Collaborator URL to demonstrate the attack.

But a malicious attacker could use the same trick to phish victims or deliver malware to their machines, all through target.com's mail servers.

This could cause the company a huge reputational loss and, if they use a paid service to send such emails, even a financial loss when done at large scale.

So my friend, if you ever come across such a feature in an application, do look for this issue and enjoy hunting!
