Hi, I'm Ali Mojaver, a part-time bug hunter (though I'm dreaming of going full-time to escape the 9-to-5 grind!😭). Today, I want to talk about a recent $300 bug I discovered. It's a simple bug, but it involves a unique mindset and perhaps even a new payload!

In previous years, I used to report many 'low-hanging fruit' bugs, and as you might have guessed, 90% of them were marked as duplicates. This year, however, I've shifted my focus toward finding more complex bugs or looking for simple vulnerabilities in complex, overlooked areas.

This approach might seem debatable because sometimes everyone thinks like me, and as a result, those simple 'low-hanging fruit' bugs are overlooked and left unreported. However, this is the path I've chosen. Whether it's good or bad, I no longer want to waste my time, and consequently, my duplicate rate has significantly decreased.


STARTING!

I chose a public program with high competition, where dozens of reports are submitted every 24 hours. But that didn't matter to me — I started my recon. The invite systems in these programs are particularly interesting to me because they often harbor many business logic bugs. I began testing this section by adding a new member to my workspace, and after a few seconds, I noticed something in my email.

The email read: 'Hey, you added "Blab Blab" to your workspace.'

Seeing this immediately shifted my mindset toward testing for HTML Injection. Hey you — yes, I'm talking to you, the one reading this write-up — the bug itself might be simple, but pay attention to the mindset!

I noticed the system sends various notification emails based on different user actions. I spent 2 to 3 hours performing recon and browsing the site to find the perfect spot to inject HTML into these email notifications. However, after failing to find a vulnerability there, I decided to pivot and move on to other tests.


In any invite system, you can add members, right? So, I decided to test for a Race Condition to see if I could add the same user multiple times or bypass the workspace limits. On the free plan, the system has a 10-member limit. I attempted to add more than 10 users to my workspace to see how it would react. While I was testing, I suddenly received a notification on my phone:

Hey admin! A user with the email "blab@gmail.com" has registered to your workspace, and your 10-member limit has been reached! Please upgrade your plan.

Hmm! This got me thinking: could I inject an XSS payload into the email notification?

Last year, I saw a tweet from zseano where he mentioned:

Hey, "<img/src=x>"@gmail.com is a valid email address and you can use it!

Believe me, this payload is pure magic! It is a syntactically valid address because RFC 5321 allows the local part (the text before the @) to be a quoted string, so a standards-compliant validator lets it through. Many systems fail to anticipate that a hacker might inject a payload within an email address, so they often accept formats like "<img/src=x>"@gmail.com and then echo the address into an HTML template without escaping it.

I was onto something, but I faced another challenge:

if the payload fired, it would be a Self-HTML Injection because the owner was manually adding the member.

So, I looked into the registration system instead. I wondered:

if the workspace limit was reached, could I register anonymously with "<img/src=x>"@gmail.com and have the payload fire in the owner's inbox? I headed to the registration page and signed up using the email "<img/src=x>"@gmail.com.


Boom! In the owner's inbox, the following message appeared:

[screenshot of the owner's inbox, with the payload rendered inside the limit-reached notification]
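To make the mechanism concrete, here is an added example (my own code, not the author's or the affected vendor's) that reproduces the two halves of this bug: an email validator that correctly accepts an RFC 5321 quoted local part, and a notification template that interpolates the accepted address into HTML. The template text, the regex and the function names are assumptions modelled on the write-up; the escaped variant shows the fix a developer would apply at the sink.

```python
import html
import re

# Constructed template, modelled on the limit-reached alert quoted in the
# write-up. It is not the vendor's real template.
ADMIN_ALERT_TEMPLATE = (
    "<p>Hey admin! A user with the email \"{email}\" has registered to your "
    "workspace, and your {limit}-member limit has been reached! "
    "Please upgrade your plan.</p>"
)

# Assumption: a typical "is this an email?" check. The unquoted form only
# allows RFC 5322 atext characters, but RFC 5321 section 4.1.2 also permits a
# quoted-string local part, in which < > / = and spaces are all legal.
DOT_ATOM = (
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
    r"(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
)
QUOTED_LOCAL = r'"(?:[^"\\]|\\.)+"'
EMAIL_RE = re.compile(
    rf"^(?:{DOT_ATOM}|{QUOTED_LOCAL})@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def is_valid_email(addr: str) -> bool:
    """Return True if addr is syntactically valid, quoted local parts included."""
    return EMAIL_RE.fullmatch(addr) is not None


def render_alert_vulnerable(email: str, limit: int = 10) -> str:
    """Interpolates the raw address into HTML: the HTML-injection sink."""
    return ADMIN_ALERT_TEMPLATE.format(email=email, limit=limit)


def render_alert_escaped(email: str, limit: int = 10) -> str:
    """Same template, but the untrusted value is HTML-escaped at the sink."""
    safe = html.escape(email, quote=True)
    return ADMIN_ALERT_TEMPLATE.format(email=safe, limit=limit)


def contains_markup(rendered_html: str, tag: str = "img") -> bool:
    """Crude check: did an attacker-supplied element survive into the mail body?"""
    return re.search(rf"<{tag}\b", rendered_html, re.IGNORECASE) is not None


# The payload from the write-up (quoted local part containing an <img> tag).
PAYLOAD = '"<img/src=x>"@gmail.com'

if __name__ == "__main__":
    # Validation passes, because the address really is well-formed.
    print("valid:", is_valid_email(PAYLOAD))
    # The unescaped template emits a live <img> element in the owner's mail.
    print("vulnerable:", contains_markup(render_alert_vulnerable(PAYLOAD)))
    # The escaped template renders the same address as inert text.
    print("escaped:", contains_markup(render_alert_escaped(PAYLOAD)))
```

The point of the example is that the validator is not the bug: rejecting quoted local parts would also reject legitimate addresses. The defect is in the template, so the fix belongs at the sink (escape, or use a templating engine with autoescaping on), and a regression test should assert that a quoted-local-part address never produces an unescaped `<` in any notification email.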

The company awarded a $300 bounty for this bug. But beyond the money, what truly matters is the approach:

  1. Complexity in Simplicity: HTML Injection is often considered a simple bug, but finding it in a complex or overlooked section is what makes the difference. Most hackers wouldn't think to deliberately hit the workspace limit just to trigger an automated email alert. Many researchers overlook these edge-case notifications entirely.
  2. The Power of Payloads: Never underestimate the potential of unusual inputs. Using a payload like "<img/src=x>"@gmail.com in an email field can reveal 'magic' in your methodology and bypass filters that developers didn't account for.

Always think outside the box — sometimes the most obvious bugs are hidden in the most unexpected places!