My Journey Finding an HTML Injection Vulnerability in a popular British Accountancy platform

ParagBagul
Mar 2, 2023

As a security enthusiast, I’ve always been fascinated by finding vulnerabilities in websites and web applications. I discovered a stored HTML injection vulnerability in a popular British Accountancy platform, a popular web application that allows users to manage their finances.

This vulnerability allowed me to execute HTML code on the website, which could potentially harm users’ accounts and expose sensitive information. So, I decided to dig deeper and see if I could exploit this vulnerability.

Here’s what I did:

Step 1: Login with Random Credentials

To test the vulnerability, I created a new account on the Accountancy platform using random credentials. This allowed me to access the website’s functionalities without using my personal information.

Step 2: Completed Registration Process

Once I had access to the dashboard, I completed the registration process and verified my email address.

Step 3: Clicked on User Profile and Edited First and Last Name

Next, I clicked on my user profile and clicked on the “Edit” button next to my first and last name. In the input fields, I added an HTML payload: “><h1>hacked</h1>”. This payload was designed to inject HTML code into the website.

Step 4: Payload Reflected in HTML

After submitting the form, I observed that my HTML payload was reflected in the HTML source code of the website. This meant that I had successfully injected HTML code into the website and could potentially execute any code I wanted.

Step 5: Reported Bug to Company

After discovering this vulnerability, I immediately reported it to the British Accountancy platform security team. They were very responsive and acknowledged the issue. They also added me to their hall of fame and sent me some cute swag!
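
The fix for what Steps 3 and 4 describe is output encoding at render time. The following is an added example, not code from the original post or from the platform: it assumes the stored first name is written into the `value` attribute of an input field, and the markup, function names and audit helper are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the first-name value from the write-up, stored as-is.
STORED_FIRST_NAME = '"><h1>hacked</h1>'

def render_unsafe(first_name: str) -> str:
    # Vulnerable pattern (assumed): stored value concatenated into an attribute.
    return '<form><input name="first_name" value="' + first_name + '"></form>'

def render_safe(first_name: str) -> str:
    # Encode for the HTML attribute context; quote=True also escapes " and '.
    return ('<form><input name="first_name" value="'
            + html.escape(first_name, quote=True) + '"></form>')

class TagAudit(HTMLParser):
    """Collects start tags and the value attribute of the first_name input."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "first_name":
            self.value = attrs.get("value")

def audit(markup: str, expected_tags=("form", "input")) -> dict:
    # Parse the rendered page and report any element the template did not emit.
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    injected = [t for t in parser.tags if t not in expected_tags]
    return {"injected_tags": injected, "value": parser.value}

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, audit(render(STORED_FIRST_NAME)))
```

With the unsafe renderer the attribute closes early and an `h1` element appears in the parsed page; with the encoded renderer the same stored string survives intact as the field's value and no extra element is created.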

In addition to sharing my own experience, I wanted to provide some resources for readers who are interested in learning more about HTML injection vulnerabilities and payloads.

Here are some links to get started:

1. XSS Payloads: This GitHub repository contains a collection of XSS payloads that can be used to test and exploit HTML injection vulnerabilities.

Link: https://github.com/xsuperbug/payloads/blob/master/XSS%20-2

2. HackTricks: This GitHub repository contains a wide range of resources and tools for web application pentesting, including a detailed guide on dangling markup and scriptless injection.

Link: https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/dangling-markup-html-scriptless-injection.md

By using these resources and learning more about HTML injection vulnerabilities, readers can help protect themselves and others from potential attacks.

Conclusion:

As a security enthusiast, finding vulnerabilities in web applications is an important task. It helps developers identify potential security issues and fix them before they can be exploited by malicious actors. In this case, I was able to discover a stored HTML injection vulnerability in the British Accountancy platform and report it to the company. By doing so, I helped make the internet a safer place for everyone.

Note:

This vulnerability was not my most recent finding, but it was still an important and memorable one that I wanted to share.

As always, stay curious and keep learning.

Thank you,

Parag Bagul!!

HaxWizard
