loading...
Cover image for Acknowledgement From Hubspot

Acknowledgement From Hubspot

muhaddimu profile image Muhaddis ・2 min read

This website has web-based advertising online tools which minimizes our work to such an extent. They have likewise an Email Signature maker which is vulnerable to Cross-Site Scripting (XSS). My companion proposed to me HubSpot Academy for finding out about Email Marketing tutorials. I have investigated their site and established that this Email Signature is vulnerable to Cross-Site Scripting (XSS) vulnerability. In spite of the fact that they additionally have a Responsible Disclosure program on BugCrowd however, I never noticed.

Below I'll show you I replicate Cross-Site Scripting (XSS) in HubSpot

Go to HubSpot Email Signature maker.

In the Email Signature required data frame, fill these fields with XSS payloads. This page is reacting invigoratingly to the ideal frame.

Alt Text

As page loads entered information, the JavaScript payload executed.

Alt Text

The following day they replied:
This submission has been previously reported by another researcher. Thanks for the submission, this submission is duplicate of another submission. We appreciate your effort and we hope that you’ll continue to research and submit any future security issues you find.

After confirming that report they Acknowledged me by posting my name in HubSpot Hall of Security Researcher HubSpot Hall of Fame.

Alt Text

I am grateful to HubSpot for acknowledging and I’ll test that site again as I got some time and I’ll do my best to locate another interesting vulnerability. I thank HubSpot for acknowledgement and my thanks to you too for your profitable time.

Posted on by:

muhaddimu profile

Muhaddis

@muhaddimu

Muhaddis is a Web Developer & Security Researcher who acknowledged by top companies including DEV for helping them finding security flaws in their products. He's also interested in cloud technology ✨

Discussion

markdown guide