cat ~/

where I share my findings and whatnot

Exploiting HTML Injection in Email

Sequel to my last post, I’ll be discussing about HTML injection on the same target. HTMLi is a vulnerability that can be exploited in any application that renders HTML code; email happens to be one. The rest of this post explains how I was able to inject HTML in email via a comment notification feature on the target.

Remember the HTML Injection left undiscussed here? So, it happened that the values of the comment and presentationTitle parameters reflected in the notification emails.

The body initially looked like the following:

{"type":"SlideComment","recipients":[],"teamAlias":"EEqSBdu9z49","data":{"comment":"This is Redacted","commenterId":"01234567","commenterProfileImage":"","presentationUUID":"x14r5K1tFnH","presentationTitle":"Welcome to Redacted Copy","slideLocalId":"5p3nrib"}}

Then, after injecting the parameter presentationTitle with HTML attributes, it looks like the following:

{"type":"SlideComment","recipients":[],"teamAlias":"EEqSBdu9z49","data":{"comment":"Comments are great!","commenterId":"01234567","commenterProfileImage":"","presentationUUID":"x14r5K1tFnH","presentationTitle":"Welcome to Redacted\" <br/><br/> <div style='color:#1a3a69;line-height:1.5em;font-size:18px;text-align:center'>This is a test comment</div><br/> <a style='background-color:#f68270;border:1px solid #333333;border-color:#f68270;border-radius:6px;border-width:1px;color:#ffffff;display:inline-block;font-family:arial,helvetica,sans-serif;font-size:16px;font-weight:bold;letter-spacing:0px;line-height:16px;padding:12px 18px 12px 18px;text-align:center;text-decoration:none' href='' target='_blank' data-saferedirecturl=''>View Deck</a> <!-- Copy","slideLocalId":"5p3nrib"}}

A natural notification looks like the following:


And a supernatural one looks like this :D


Amazing right? I got the exact HTML by viewing the original message: Click the ellipsis and click “Show Original”

show original

Thank you for your time. And I hope you enjoyed reading this.

Share on