Besides bXSS
Have you seen someone sharing a vulnerability other than Blind XSS that was found in a contact form? — TBH I have never encountered such a case. And most of us haven’t.
Do you know the reason? — This is because most hunters think that "bXSS is the only vulnerability found in contact forms".
And that’s why many companies list contact forms as out-of-scope. So, they don’t receive dozens of bXSS payloads every day.
But as a guy who always tries to escape from XSS exploitation 😅, I found a vulnerability in a contact form — other than XSS!
And of course not a duplicate.
Why? — Because everybody considered the contact form boring. And limited to sending bulk bXSS payloads.
The vulnerability was straightforward and easy to exploit — but an interesting one.
All I did was turn Burp’s intercept on and submit the contact form.
Boom! It was a POST request to an endpoint like:
…../apiCloud/v1/sendEmail
The request contained four parameters: from, to, subject and email.
Now what? — You guessed it right.
I was able to send any number of arbitrary emails to anybody — Using the company’s SMTP server.
And from any email address under target.com. For example, admin@target.com, support@target.com and so on.
I was able to completely control the subject and content of the email as well, which could include any HTML code.
bXSS in the HTML content? Might be — but I was too lazy to test for it, as always 🙃. If that was the case, you can imagine how much impact this vulnerability could have had.
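As an added illustration, not code from the original post, here is a minimal handler for a sendEmail endpoint of the shape described above: first taking from, to, subject and email straight from the request, then hardened so the server pins From and To, moves the visitor's address to Reply-To, rejects newlines in headers, and delivers the body as plain text. The inbox and sender addresses are assumed values, and both functions return the built message instead of handing it to an SMTP server.

```python
from email.message import EmailMessage

# Assumed server-side configuration (hypothetical values, not from the post).
CONTACT_INBOX = "support@example.com"   # where contact-form mail always goes
NOREPLY_SENDER = "noreply@example.com"  # the only From: the handler may use
MAX_LEN = {"subject": 200, "email": 5000}


def vulnerable_send_email(params: dict) -> EmailMessage:
    """'Before' handler: every header and the HTML body come from the client,
    so anyone can mail anyone from any address the SMTP server accepts."""
    msg = EmailMessage()
    msg["From"] = params["from"]
    msg["To"] = params["to"]
    msg["Subject"] = params["subject"]
    msg.set_content(params["email"], subtype="html")
    return msg


def hardened_send_email(params: dict) -> EmailMessage:
    """'After' handler: the client controls only subject and body text."""
    subject = params.get("subject", "")
    body = params.get("email", "")
    reply_to = params.get("from", "")
    if not (0 < len(subject) <= MAX_LEN["subject"]):
        raise ValueError("subject missing or too long")
    if not (0 < len(body) <= MAX_LEN["email"]):
        raise ValueError("message missing or too long")
    if "\r" in subject or "\n" in subject:
        raise ValueError("newline in subject (header injection attempt)")
    if "@" not in reply_to or any(c in reply_to for c in "\r\n,;<> "):
        raise ValueError("invalid visitor address")
    msg = EmailMessage()
    msg["From"] = NOREPLY_SENDER   # fixed by the server, never from the request
    msg["To"] = CONTACT_INBOX      # fixed by the server, never from the request
    msg["Reply-To"] = reply_to     # the visitor's address goes here instead
    msg["Subject"] = subject
    # Plain text only: visitor-supplied HTML is never rendered in the inbox.
    msg.set_content(f"Contact form message from {reply_to}:\n\n{body}")
    return msg
```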