Google comment

This report was not rewarded as the described impact of the HTML injection was not accurate (the real impact was minimal).

Summary: HTML INJECTION

Product: https://bughunters.google.com

URL: https://bughunters.google.com

Vulnerability type: Other

Details

What is HTML INJECTION?

Hypertext Markup Language (HTML) injection is a technique used to take advantage of non-validated input to modify a web page presented by a web application to its users. When applications fail to validate user data, an attacker can send HTML-formatted text to modify site content that gets presented to other users.

Steps to Reproduce:

  1. Create an account on https://bughunters.google.com and fill in the details until it asks for the impact and other details.
  2. Enter the text as the payload; here I used <img src=http://tny.im/tK->
  3. In the review section you will see this.

References: https://hackerone.com/reports/1081656

Attack scenario

IMPACT: It can allow an attacker to modify the page. To steal another person's identity. The attacker discovers injection vulnerability and decides to use an HTML injection attack.

Planned disclosure date: Sun Jan 01 2023 00:00:00 GMT+0530 (India Standard Time)
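
The output-encoding fix for the class of flaw this report describes, as an added example that is not part of the original report and not Google's code. The function names, field names and the review-page template are assumptions; the `impact` value is the string quoted in step 2.

```javascript
// Added example: all function and field names here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change parsing in HTML text
// or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: report fields are concatenated into markup as-is,
// so any tag typed into a form field becomes part of the page.
function renderReviewUnsafe(fields) {
  return Object.entries(fields)
    .map(([label, text]) => `<dt>${label}</dt><dd>${text}</dd>`)
    .join("\n");
}

// Corrected pattern: every field is encoded at the point of output.
function renderReviewSafe(fields) {
  return Object.entries(fields)
    .map(([label, text]) => `<dt>${escapeHtml(label)}</dt><dd>${escapeHtml(text)}</dd>`)
    .join("\n");
}

// Regression check: list tags in the rendered output that the
// template itself did not emit.
function unexpectedTags(html, allowed = ["dt", "dd"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return [...new Set(tags.filter((t) => !allowed.includes(t)))];
}

// Constructed sample input; "impact" is the string quoted in the report.
const sample = {
  summary: "Tom & Jerry's \"test\" report",
  impact: "<img src=http://tny.im/tK->",
};

console.log(unexpectedTags(renderReviewUnsafe(sample))); // [ 'img' ]
console.log(unexpectedTags(renderReviewSafe(sample)));   // []
console.log(renderReviewSafe(sample));
```

A check like `unexpectedTags` fits in a template unit test, so a field that starts rendering raw markup is caught before release.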