Reflected HTML injection leads to redirection and what’s not!

Shahariar Amin
Aug 6, 2024

I was mentally disturbed and navigating to HackerOne and Bugcrowd after almost 7 days of internet blackout in Bangladesh. I decided to hack an e-commerce website from HackerOne. Let's say it is https://www.example.com

While traversing the website manually during recon, I found a URL like the one below:

https://www.example.com/ro/en/user-account.html?query=

Here, ro represents the geo-location and en represents the language of the user; the user can select both while traversing the website. The search query is hidden from unauthenticated users, so we first have to log in to the e-commerce website. If we try arbitrary input in the search field, we can see it reflected when nothing is found.

Then I tried HTML injection and many more. Luck favoured me and I found one…

It worked fine, so then I tried XSS injection. But I failed, and I went back to HTML injection for redirection.

I was tired and reported it. But alas!
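On the defensive side, the reflection described above (the search term echoed back in the "nothing found" message) is closed by HTML-encoding the term on output. The following is an added example, not code from this write-up or from the affected site: the function names, the message wording and the probe string are assumptions, and it pairs the vulnerable rendering with the hardened one plus a regression check that tells whether input survives as live markup.

```python
import html
from html.parser import HTMLParser

MESSAGE = '<p class="empty">No results found for {}</p>'  # assumed page fragment

def render_no_results_unsafe(query: str) -> str:
    # Vulnerable pattern: the search term is placed into the page as-is.
    return MESSAGE.format(query)

def render_no_results_safe(query: str) -> str:
    # Hardened pattern: encode the term for an HTML context before output.
    return MESSAGE.format(html.escape(query, quote=True))

class _TagCollector(HTMLParser):
    """Collects every element an HTML parser treats as real markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(fragment: str) -> list:
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

def reflected_as_markup(render, probe: str) -> bool:
    """True if markup in `probe` shows up as live elements in the output."""
    baseline = tags_in(render("plaintext"))
    return tags_in(render(probe)) != baseline

# Constructed, harmless probe used only to see how the renderer treats markup.
PROBE = '<h1 id="probe">heading</h1>'

if __name__ == "__main__":
    for render in (render_no_results_unsafe, render_no_results_safe):
        print(render.__name__, "->", reflected_as_markup(render, PROBE))
```

A check like `reflected_as_markup` can run in the test suite against every template that echoes request parameters, so a regression that drops the encoding is caught before release.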

Thanks for reading. Happy Hacking…

Written by Shahariar Amin

Penetration Tester (Web Application), Bug Hunter, CSE student of RUET, Bangladesh.
