How To Escalate P5 Email HTML Injection to P4.
Hi, Ajak Amico here, welcome back to another blog. Today in this blog I will show how I found HTML injection and Self XSS in one of the NASA domains, and how to escalate an HTML injection so that it gets triaged. Before starting, if you haven’t subscribed to our channel, do subscribe, guys: content related to cyber security, Bug Bounty, and Digital Forensics Investigation.
(For any Privacy Issues Kindly DM the Post will be removed🙏)
Follow our Youtube Channel: @ajakcybersecurity (360 Videos)
Follow on Instagram: AjakCybersecurity
Buy me Coffee: https://buymeacoffee.com/ajak
Recon:
As usual, I used my favourite subdomain enumeration tool https://subdomainfinder.c99.nl/ and opened every URL via a bulk URL extension. I found a registration page for a workshop; upon registering you get an email in your mailbox.
Exploitation:
Normal Request & Response:
Below is the normal registration process for the workshop; here I just gave my information, as you can see below.
The response was “Thank you, Ajak Security, for submitting your registration. You will be redirected to the ETW 2024 Homepage in 8 seconds.” As you can see, my first name and last name were reflected once I submitted the form.
I also got an email in my mailbox stating “Dear Ajak Security, Your registration has been accepted for the 2024 NEPP Electronics Technology Workshop as a remote workshop attendee via WebEx.” As you can see, even in the email my first name and last name were reflected.
So I decided to try HTML injection in the first name and last name fields, and to my surprise the injected HTML was rendered.
HTMLI Request & Response.
As you can see, my email HTML injection with <h1> and <h2> was rendered. I checked my email for the response, and yes, my HTML tags were successfully rendered in the first name and last name, as you can see below.
Self XSS in First name:
Just in case, I also tried a Self XSS popup. This was the payload given in the first name: <img src="" onerror=alert(document.cookie)>, and my Self XSS executed successfully.
Without any delay I created a POC and submitted it to NASA. Just to increase the severity, I used the Grabify website to redirect the user and capture their IP address. Since I was new to bug bounty I simply submitted the flaw, and to my surprise it was marked as ‘Informational’. I asked one of my followers, and he said that on most Bugcrowd programs the email HTML injection flaw is marked as Informational.
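The root cause of both the email HTML injection and the Self XSS above is the same: the first and last name are substituted into an HTML template without escaping. The following added example (my own code, not the NASA application’s) shows a constructed template modelled on the registration mail, the vulnerable rendering beside the escaped one, and a simple check a reviewer can run over rendered mail to flag tags that did not come from the template.

```python
import html
import re
from string import Template

# Constructed email template modelled on the registration mail quoted above
# (not the real NASA template). $first_name / $last_name are user-controlled.
EMAIL_TEMPLATE = Template(
    "<p>Dear $first_name $last_name,</p>"
    "<p>Your registration has been accepted for the 2024 NEPP Electronics "
    "Technology Workshop as a remote workshop attendee via WebEx.</p>"
)


def render_vulnerable(first_name: str, last_name: str) -> str:
    """Substitute raw form input into the template: the behaviour described in the post."""
    return EMAIL_TEMPLATE.substitute(first_name=first_name, last_name=last_name)


def render_safe(first_name: str, last_name: str) -> str:
    """Same template, but every user-controlled field is HTML-escaped before substitution."""
    return EMAIL_TEMPLATE.substitute(
        first_name=html.escape(first_name, quote=True),
        last_name=html.escape(last_name, quote=True),
    )


# Any tag other than the template's own <p> / </p> must have come from user input.
FOREIGN_TAG_RE = re.compile(r"<(?!/?p>)[^>]+>")


def contains_injected_markup(rendered: str) -> bool:
    """Review check: does the rendered mail contain tags the template did not produce?"""
    return FOREIGN_TAG_RE.search(rendered) is not None


# The two payloads from the post, embedded here as constructed test input.
H1_PAYLOAD = "<h1>Ajak</h1>"
IMG_PAYLOAD = '<img src="" onerror=alert(document.cookie)>'

if __name__ == "__main__":
    for payload in (H1_PAYLOAD, IMG_PAYLOAD):
        print("vulnerable:", contains_injected_markup(render_vulnerable(payload, "Security")))
        print("escaped   :", contains_injected_markup(render_safe(payload, "Security")))
```

With escaping, the payload still appears in the mail but only as visible text (`&lt;h1&gt;...`), so neither the heading nor the onerror handler is interpreted by the mail client.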
How can the severity of email HTML injection be increased?
Though there are many methods to escalate a Self XSS / email HTML injection to account takeover, I am going to share one of the easy ways to escalate this email HTML injection.
DMARC policy not enabled:
Yes, this is another way to chain your email HTML injection: by exploiting this flaw you can spoof email addresses, for example you can send an email from ness@nasa.gov to any user. So just by chaining this spoofing with the HTML injection, you can increase the severity. Your title will be ‘Chaining HTML injection + DMARC policy not enabled leads to redirection, user IP disclosure and spoofing’. If you report these bugs separately, both reports will be closed as Informational.
Another thing about this flaw is how you write the report. The main thing to focus on is how you show the impact: show a video POC of how an attacker can abuse the HTML injection plus the missing DMARC policy for spoofing and redirection, and add a reference to the report. If you do this properly there is a 90% chance that your bug will be triaged.
How to Find DMARC Policy Not Enabled?
MXtoolbox:
https://mxtoolbox.com/ is the website I use to check whether the DMARC policy is enabled. Just visit the website, enter the domain name and change MX Lookup -> DMARC Lookup, like the screenshot below.
If the domain is not vulnerable, all the checks will be ticked like below. As you can see, nepp.nasa.gov is not vulnerable to ‘DMARC policy not enabled’.
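What MXtoolbox’s DMARC Lookup is really inspecting is the TXT record at _dmarc.<domain>. The following added example (my own code, not MXtoolbox’s) classifies a domain’s DMARC posture from that record: missing record, p=none (monitor only), or an enforcing quarantine/reject policy, with the pct tag taken into account. The domains and records are constructed samples, not live DNS answers; a real check would fetch the TXT record for _dmarc.<domain> first.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DmarcAssessment:
    domain: str
    policy: str    # "reject", "quarantine", "none" or "missing"
    pct: int       # share of failing mail the policy is applied to
    enforced: bool # True only when spoofed mail is actually quarantined/rejected
    note: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Classify the TXT value found at _dmarc.<domain> (None when no record exists)."""
    if record is None:
        return DmarcAssessment(domain, "missing", 0, False, "no _dmarc TXT record; receivers apply no policy")
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(domain, "missing", 0, False, "TXT record is not a valid DMARC1 record")
    policy = tags.get("p", "none").lower()          # a record without p is treated as monitor-only
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        return DmarcAssessment(domain, policy, pct, False, "monitor-only: failing mail is still delivered")
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return DmarcAssessment(domain, policy, pct, False, f"{policy} applies to only {pct}% of failing mail")
        return DmarcAssessment(domain, policy, pct, True, f"{policy} applied to all failing mail")
    return DmarcAssessment(domain, "missing", 0, False, f"unknown policy value {policy!r}")


# Constructed sample records for illustration (not real domains or DNS data).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "absent.example": None,
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(assess_dmarc(name, rec))
```

Only the first sample counts as protected; the other three are the cases that a DMARC Lookup would show as unticked, with p=none and a partial pct being the ones that are easy to misread as ‘enabled’.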
If you find the DMARC policy not enabled, use the following website to spoof and try to escalate the flaw to P4: https://emkei.cz/ The mentioned website is only for escalating the flaw for bug bounty and educational purposes; I am not responsible for any illegal or malicious activities. For more reference see this blog: https://medium.com/techiepedia/how-to-report-dmarc-vulnerabilities-efficiently-to-earn-bounties-easily-f7a65ecdd20b
Impact:
Once you hit the send button, an email will be sent from nepp@nasa.gov to the victim@gmail.com address. The victim will think this is a legitimate email sent from nepp@nasa.gov and will click on the malicious link sent by the attacker, where in the backend the attacker can redirect them or capture their IP address to perform further malicious activities.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I hope you learned something from this blog. If so, kindly press that follow button for further updates, and don’t forget to give credit if your bug gets triaged :) Best wishes from Ajak Cybersecurity.❤️ You can also support me by buying me a coffee: https://buymeacoffee.com/ajak
“What you learn, hold on to🔥”
Learn Everyday, Happy Hacking 😁🙌