HTML Injection in Support Ticket System Enables Arbitrary Outbound Email Sending $600

While testing a private program on the Bugcrowd platform, I discovered a P3 HTML Injection vulnerability in the support/submit-ticket/ endpoint. This flaw allowed me to inject arbitrary HTML into the support ticket form, which was then reflected in outbound emails sent by the system. As a result, I was able to craft emails that appeared to originate from the company's support team and deliver them to any external email address.

โš ๏ธ Impact

This vulnerability had serious implications:

- Phishing Risk: Attackers could send deceptive emails with malicious links.
- Spoofing: Emails appeared to come from the company's trusted domain.
- Spam Vector: The system could be abused to send bulk unsolicited messages.
- Reputation Damage: Trust in the company's support system could be undermined.

Technical Details

- Endpoint: support/submit-ticket/
- Vulnerability Type: HTML Injection
- Payload: `<a href="//attacker.com">Please click here to login to your account</a>`
- Behavior: The injected HTML was rendered in outbound emails sent to the address provided in the ticket form. This allowed full control over the email content and destination.

🧪 Proof of Concept (PoC)

1. Navigate to the support ticket submission form.
2. Enter a target email address.
3. Inject the HTML payload into the description field.
4. Submit the ticket.
5. Observe the outbound email received at the target address, containing the injected content.

✅ Remediation

The issue was resolved by:

- Implementing strict input sanitization and output encoding.
- Blocking external HTML content from being rendered in emails.
- Validating email destinations to prevent arbitrary delivery.
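To make the two remediation points concrete, here is an added example (my own illustration, not the program's code) of a ticket-confirmation mailer in its vulnerable and hardened forms. It assumes a hypothetical HTML template and that tickets are submitted by an authenticated user whose address is known from the session; the payload from the write-up is used only as test input to show that, after encoding, the link is displayed as literal text rather than rendered.

```python
import html
import re
from typing import Optional

# Payload quoted in the write-up above, used here purely as a test input.
INJECTED_DESCRIPTION = '<a href="//attacker.com">Please click here to login to your account</a>'

# Hypothetical confirmation-email template; the real system's template is not on the page.
EMAIL_TEMPLATE = (
    "<p>Hello,</p>"
    "<p>We received your support ticket with the following description:</p>"
    "<blockquote>{description}</blockquote>"
    "<p>The Support Team</p>"
)


def render_vulnerable(description: str) -> str:
    """'Before': the description is interpolated as raw HTML, so any tags the
    submitter typed are rendered by the recipient's mail client."""
    return EMAIL_TEMPLATE.format(description=description)


def render_hardened(description: str, max_len: int = 2000) -> str:
    """'After': HTML-encode the description so markup is shown literally.
    html.escape converts <, >, &, and (with quote=True) " and ' to entities,
    so user text can never open or close a tag. Length is capped to limit
    how much spam content a single ticket can carry."""
    safe = html.escape(description[:max_len], quote=True)
    return EMAIL_TEMPLATE.format(description=safe)


# Conservative address shape: one local part, one domain, no whitespace.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_well_formed_address(address: str) -> bool:
    """Reject addresses containing CR/LF (mail-header injection) or with an
    unexpected shape before they reach the mail library."""
    if "\r" in address or "\n" in address:
        return False
    return _ADDRESS_RE.fullmatch(address) is not None


def resolve_recipient(session_email: str, form_email: Optional[str]) -> str:
    """Decide where the confirmation goes. The recipient is taken from the
    authenticated session, never from the form field alone (assumption:
    tickets require login). A form address that does not match the session
    address is rejected, which closes the 'deliver to any external address'
    path described in the write-up."""
    if not is_well_formed_address(session_email):
        raise ValueError("session email is not well-formed")
    if form_email is not None and form_email.strip().lower() != session_email.lower():
        raise ValueError("form recipient does not match the authenticated user")
    return session_email


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(INJECTED_DESCRIPTION))
    print("hardened:  ", render_hardened(INJECTED_DESCRIPTION))
    print("recipient: ", resolve_recipient("user@example.com", "User@Example.com"))
```

If the system must support anonymous tickets, the same idea applies with a different anchor: send only to the address entered, but make the first message a plain-text verification link with no ticket content, and include the description only after the address has been confirmed.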

๐ŸŽ Reward

The vulnerability was acknowledged and rewarded with a $600 bounty by the program.


๐Ÿ‘จโ€๐Ÿ’ป About Me

I've been actively involved in bug bounty hunting since 2020, focusing on web application security and responsible disclosure, as well as external bug bounty programs on the Bugcrowd platform. I'm currently a CSE student at Uttara University, passionate about ethical hacking and community-driven cybersecurity learning.

🔗 Connect with Me

- LinkedIn: https://www.linkedin.com/in/hasankhan0x
- Twitter (X): https://twitter.com/Hasan_Khan0X