I Pasted a Simple HTML Code on BookMyShow… and Got ₹1000 for It!
1 min read
Summary
HTML injection is a simple vulnerability that allows an attacker to inject HTML elements into web pages, thereby manipulating what users see and potentially misleading them into making critical mistakes.
While scripting attacks are blocked by Cloudflare’s security measures, this type of injection is still a risk.
The vulnerability was discovered on BookMyShow’s gift card payment page where user and sender names are inserted into the payment page without proper sanitization, meaning that actual HTML code can be inserted into these name fields.
This essentially allows criminals to dress up the payment page with whatever looks like an authentic page, including payment information, and potentially steal personal information and funds.
The vulnerability has been reported to BookMyShow and the site has since rectified it.