🔐 Just submitted my 50th HackerOne report! HTML Injection in support chat systems is still wildly underreported. The risk of phishing support staff via injected <a href> links is real — especially in internal tooling. Always sanitize before rendering!

#BugBounty #WebSecurity #HTMLInjection #HackerOne
👍 342 reactions · 28 comments
💰 Got my first bounty from LinkedIn! Found HTML injection in their Premium support chat — the message field renders raw HTML for the support agent. Simple <a href="evil.com">CLICK</a> appears as a real link in the agent's inbox. Reported via HackerOne, triaged in under 24h. 🙌

Low severity but it's a start! Next goal: escalate to XSS.

#BugBounty #LinkedIn #HackerOne
👍 127 reactions · 15 comments
🎯 Lab Objective — HTML Injection
The support chat widget (bottom-right) stores your message raw in the database.
The support agent views messages in their inbox where PHP renders them with echo $msg — no htmlspecialchars().

Your goal: inject an HTML payload that renders as real clickable content for the agent.
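The agent-inbox rendering the objective describes, shown in its vulnerable form beside a hardened one. This is an added example, not code from the lab or from LinkedIn; the function names, the `<div class="msg">` wrapper and the sample message are assumptions.

```php
<?php
// Added example (not the lab's code): render a stored support-chat message
// for the agent inbox, first as the objective describes it, then escaped.
declare(strict_types=1);

// Vulnerable: the stored message is echoed raw, so any markup the customer
// typed becomes live HTML in the agent's browser (the lab's "echo $msg").
function renderMessageVulnerable(string $msg): string
{
    return '<div class="msg">' . $msg . '</div>';
}

// Hardened: escape at output time, where the string meets HTML.
// ENT_QUOTES escapes both quote styles (safe inside attributes as well),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, and ENT_HTML5 selects the HTML5 entity table. Storing the raw
// text is fine; the defect is the missing escape when rendering.
function renderMessageSafe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="msg">' . $escaped . '</div>';
}

// Regression check for the inbox template: the rendered message must not
// contain any tag that came from the message body itself.
function messageIsInert(string $rendered): bool
{
    $body = substr($rendered, strlen('<div class="msg">'), -strlen('</div>'));
    return strpbrk($body, '<>') === false;
}

// Constructed sample: the payload shape quoted in the posts above.
$sample = '<a href="evil.com">CLICK</a>';

echo 'Vulnerable: ' . renderMessageVulnerable($sample) . PHP_EOL;
echo 'Hardened:   ' . renderMessageSafe($sample) . PHP_EOL;
// Hardened output: <div class="msg">&lt;a href=&quot;evil.com&quot;&gt;CLICK&lt;/a&gt;</div>
echo 'Vulnerable inert? ' . var_export(messageIsInert(renderMessageVulnerable($sample)), true) . PHP_EOL; // false
echo 'Hardened inert?   ' . var_export(messageIsInert(renderMessageSafe($sample)), true) . PHP_EOL;       // true
```

Run it with `php render.php`; the hardened line shows the agent sees the literal text `<a href="evil.com">CLICK</a>` rather than a clickable link.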