Vulnerability - HTML Email Injection
-----------------------------------------------------------------------------------
Description - HTML injection is a vulnerability in which attacker-provided input is
rendered as HTML. HTML injection in emails can lead to attackers phishing users
from a legitimate email address.
-----------------------------------------------------------------------------------
Steps-
1 - Go to the URL https://abc.com
2 - Create an account with an HTML payload in the first name and last name fields
Payload- <img src="http://evanricafort.com/profile.png">
<img src="https://bit.ly/3tpPNzv">
3 - Generate a reset password/verification email
4 - The image will be rendered in the verification/reset password email sent by the
company.
-----------------------------------------------------------------------------------
Impact - This vulnerability allows the content of emails sent from an official email
address to be reformatted/edited, which can be used in targeted phishing attacks.
This could lead to users being tricked into giving their logins away to attackers.
-----------------------------------------------------------------------------------
FOR YOUR REFERENCE - It can be tried on registration / invite user / contact us -
support - feedback or any page through which the company sends an email to the victim.
-----------------------------------------------------------------------------------
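Fix illustration - an added example, not part of the original report or of any vendor's code: the same name fields rendered into a reset email raw and then HTML-escaped, with a check that flags any tag the template itself did not emit. The template, function names and sample input are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Hypothetical transactional template; only {first} and {last} are user-controlled.
TEMPLATE = (
    "<html><body><p>Hi {first} {last},</p>"
    "<p>Use the link below to reset your password.</p></body></html>"
)
ALLOWED_TAGS = {"html", "body", "p"}  # tags the template itself emits

# Constructed sample input, same shape as the payload in step 2.
SAMPLE_FIRST = '<img src="https://example.invalid/profile.png">'
SAMPLE_LAST = "Doe"


def render_vulnerable(first, last):
    # Name fields are interpolated raw, so markup in them becomes email HTML.
    return TEMPLATE.format(first=first, last=last)


def render_escaped(first, last):
    # Escape at output time: <, >, &, " and ' become entities and show as text.
    return TEMPLATE.format(first=html.escape(first, quote=True),
                           last=html.escape(last, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag a mail client would see in the rendered body."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered):
    """Return tags in the rendered email that the template did not emit."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in ALLOWED_TAGS]


if __name__ == "__main__":
    print(unexpected_tags(render_vulnerable(SAMPLE_FIRST, SAMPLE_LAST)))
    print(unexpected_tags(render_escaped(SAMPLE_FIRST, SAMPLE_LAST)))
```

The unexpected_tags check can run as a regression test against every email template that includes user-supplied fields.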