When “Safe” Isn’t Safe: Turning a Simple HTML Injection into a Real Security Story. In bug bounty hunting, not every vulnerability needs flashy payloads or JavaScript execution to matter …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A bug bounty write-up detailing the discovery of a Reflected HTML Injection vulnerability on an SSO authentication endpoint. The client_id parameter was reflected in the HTML response without output encoding, allowing arbitrary HTML rendering. While XSS payloads were blocked, the vulnerability still poses real risk through phishing and social engineering on a trusted auth domain. Remediation includes output encoding, allow-list validation for client_id, and implementing a Content Security Policy.