Muhaddis
Acknowledgement From Hubspot

This website has web-based online advertising tools that minimize our work to a great extent. They also have an Email Signature maker, which is vulnerable to Cross-Site Scripting (XSS). My companion suggested HubSpot Academy to me for learning about Email Marketing. I investigated their site and established that this Email Signature maker is vulnerable to Cross-Site Scripting (XSS). They also have a Responsible Disclosure program on Bugcrowd, although I had never noticed it.

Below I'll show you how I replicated Cross-Site Scripting (XSS) in HubSpot:

Go to the HubSpot Email Signature maker.

In the Email Signature form, fill the required fields with XSS payloads. The page responds live to the input in the right-hand frame.

As the page loaded the entered information, the JavaScript payload executed.
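
For readers who build a similar form-to-preview feature, here is an added example (not code from the original post and not HubSpot's code) that puts the vulnerable rendering pattern beside a hardened one. The field names `name`, `title` and `website` and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical signature preview renderer, not HubSpot's code.
// Field names (name, title, website) are assumptions for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text so it is inert in element content and in quoted attributes.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links; any other scheme or unparsable
// input is rejected so it never reaches an href attribute.
function safeUrl(value) {
  try {
    const url = new URL(String(value ?? '').trim());
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null;
  }
}

// Vulnerable pattern: form values concatenated straight into markup.
// Assigning this string to innerHTML lets markup in any field run as code.
function renderSignatureUnsafe(f) {
  return `<div class="sig"><strong>${f.name}</strong><br>${f.title}` +
    `<br><a href="${f.website}">${f.website}</a></div>`;
}

// Hardened pattern: every text field is escaped, and the link is emitted
// only when it passes the scheme allow-list.
function renderSignature(f) {
  const link = safeUrl(f.website);
  const linkHtml = link
    ? `<br><a href="${escapeHtml(link)}">${escapeHtml(link)}</a>`
    : '';
  return `<div class="sig"><strong>${escapeHtml(f.name)}</strong><br>` +
    `${escapeHtml(f.title)}${linkHtml}</div>`;
}

// Constructed sample input (not taken from the original report).
const sample = {
  name: '<script>alert(1)</script>',
  title: 'Engineer "A&B"',
  website: 'javascript:alert(1)',
};

console.log(renderSignature(sample));
```

Escaping at output time is the baseline; where the preview is built with DOM APIs, setting `textContent` instead of `innerHTML` gives the same result for text fields.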

The following day they replied:
This submission has been previously reported by another researcher. Thanks for the submission, this submission is duplicate of another submission. We appreciate your effort and we hope that you’ll continue to research and submit any future security issues you find.

After confirming the report, they acknowledged me by posting my name in the HubSpot Hall of Fame for security researchers.

I am grateful to HubSpot for the acknowledgement. I'll test the site again when I get some time, and I'll do my best to find another interesting vulnerability. I thank HubSpot for the acknowledgement, and my thanks to you too for your valuable time.