HTML Injection to Mass Phishing

Bharat Singh
3 min read · 3 days ago


Introduction

Hi fellow hackers!

HTML Injection vulnerabilities may not initially appear as severe as SQL Injection or Remote Code Execution, but their potential impact can be just as devastating when exploited creatively. In this blog, I will walk you through a real-world scenario where I discovered an HTML Injection vulnerability in the “Invite User” functionality of an application. This vulnerability could be weaponized to conduct mass phishing campaigns by redirecting users to malicious websites.

The Discovery Process

In the application I was testing, the vulnerability existed in the “Add new user” feature. Here is how the functionality worked:

>> An admin or existing user could invite new users to the application by entering their email address, username, password, etc.

>> The application would send an invitation email to the entered address containing the username and the password.

I remembered some blogs I had read in the past about HTML Injection, so I thought, why not try it here?

I quickly went to /user/new to add a new user (the victim user).
There I filled in all the details of the newly added victim user, like Name, Email, Username, Password, etc.

I intercepted the request with Burp Suite and replaced the content of the password field in the request with an HTML injection payload:

<a href='https://google.com'>Click Here</a>

I sent the request and opened the added victim user’s email inbox.

HTML Injection Payload Works!!!

As we can observe, a hyperlink reading “Click Here” is rendered in the password field of the invitation email.

On clicking the link, the user is redirected to google.com.
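As an added illustration (not code from the original post or the tested application), the hypothetical Python invite-email renderer below shows the defect and the fix: the vulnerable version interpolates the submitted password straight into the HTML body, so the payload above becomes a live link, while the hardened version HTML-escapes every untrusted field and refuses to build the mail at all if a field contains markup.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample input: the payload from this write-up, submitted as the password.
PAYLOAD_PASSWORD = "<a href='https://google.com'>Click Here</a>"

# Crude tag matcher used as an input-side guard (hypothetical, not the app's own code).
TAG_RE = re.compile(r"<[^>]+>")


def render_invite_vulnerable(username: str, password: str) -> str:
    """Vulnerable template: untrusted values are dropped straight into HTML."""
    return (
        "<p>You have been invited.</p>"
        f"<p>Username: {username}</p>"
        f"<p>Password: {password}</p>"
    )


def render_invite_safe(username: str, password: str) -> str:
    """Hardened template: every untrusted value is HTML-escaped first,
    so '<a href=...>' arrives as literal text, not a clickable link."""
    return (
        "<p>You have been invited.</p>"
        f"<p>Username: {html.escape(username)}</p>"
        f"<p>Password: {html.escape(password)}</p>"
    )


def contains_markup(value: str) -> bool:
    """Return True if a submitted invite field carries an HTML tag."""
    return TAG_RE.search(value) is not None


def build_invite_email(to_addr: str, username: str, password: str) -> EmailMessage:
    """Assemble the invitation with the safe renderer; reject markup in any field
    before a single byte of it reaches the outgoing message."""
    for field in (username, password):
        if contains_markup(field):
            raise ValueError("invite fields must not contain HTML")
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Your invitation"
    msg.set_content(f"Username: {username}\nPassword: {password}")  # plain-text part
    msg.add_alternative(render_invite_safe(username, password), subtype="html")
    return msg
```

Mail clients render whichever part they prefer, so the HTML alternative must be escaped even when a plain-text part is present.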

The Impact

When the invited user received the email and clicked on the malicious link, they were redirected to my phishing site instead of the legitimate application. This phishing site could then capture sensitive information such as login credentials or other personal details.

Since there is no limit on how many users can be added, this vulnerability could be used for phishing at mass scale.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

If you liked this writeup and learned something valuable, then do hit the clap 👏 50 times.

Feel free to connect with me on Linkedin and Twitter.


Written by Bharat Singh

Cybersecurity enthusiast who plays CTFs and does Bug Bounty for fun. >>>>https://twitter.com/zingzangoo<<<<
