How I Found 2 Bugs on BBC’s Subdomains and Made It Into Their Hall of Fame
A bug bounty hunter shares how they found two vulnerabilities on BBC subdomains — hyperlink injection in a contact form and server-side template injection (SSTI) via a registration email — earning a Hall of Fame entry. The hyperlink injection allowed attacker-controlled URLs to render as live links in emails sent from an official BBC address, enabling phishing. The SSTI was confirmed by injecting {{50*100}} as a first name and receiving 'Welcome, 5000' in the verification email, indicating unsanitized input passed to a live template engine. Key takeaways: don't skip contact forms or registration flows, and always report findings regardless of perceived simplicity.
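The SSTI the post describes comes from splicing a registration field into the template source instead of passing it as data. The following is an added example, not code from the post or from the BBC; it assumes Ruby's ERB as the engine (the post's engine used `{{ }}`, ERB uses `<%= %>`), and shows the vulnerable pattern, the hardened pattern, and a simple check that flags template syntax in submitted values.

```ruby
require "erb"

# Constructed sample input: the post's {{50*100}} probe, in ERB syntax.
PROBE_NAME = "<%= 50*100 %>"

# Vulnerable pattern: the user-supplied first name is interpolated into the
# template *source*, so whatever template syntax it carries gets evaluated.
def vulnerable_welcome(first_name)
  ERB.new("Welcome, #{first_name}").result
end

# Hardened pattern: the template is a fixed string and the first name is
# handed to the engine as data, so it is printed, never evaluated.
# (For an HTML email, escape it as well, e.g. with ERB::Util.html_escape.)
def safe_welcome(first_name)
  ERB.new("Welcome, <%= name %>").result_with_hash(name: first_name)
end

# Detection aid for registration or contact-form input: syntax of common
# template engines (ERB, Jinja/Twig-style, ${} and #{} interpolation).
TEMPLATE_SYNTAX = /<%.*?%>|\{\{.*?\}\}|\$\{.*?\}|#\{.*?\}/

def looks_like_template_probe?(value)
  !!(value =~ TEMPLATE_SYNTAX)
end

if __FILE__ == $0
  puts vulnerable_welcome(PROBE_NAME)  # Welcome, 5000  (expression evaluated)
  puts safe_welcome(PROBE_NAME)        # Welcome, <%= 50*100 %>  (printed as-is)
  puts looks_like_template_probe?("{{50*100}}")
end
```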
Table of contents
- A real case study in hyperlink injection and SSTI & two vulnerabilities hiding in plain sight
- The Setup: Chasing a Name on a Wall
- Security Disclosure Policy
- Bug #1: Hyperlink Injection in a Contact Form