Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3556892 by zorixu
The DAST trial request form at https://portswigger.net/burp/dast/trial is vulnerable to HTML injection through the "First Name" field. User-supplied input is not properly sanitized before being inserted into confirmation emails, allowing attackers to inject arbitrary HTML content that gets rendered in the victim's email client. This vulnerability can be exploited to conduct sophisticated phishing attacks that appear to originate from PortSwigger's legitimate email infrastructure.
How a simple payload and a shift in mindset exposed a vulnerability hidden in a complex invite and notification system.
HTML injection is a web security vulnerability that occurs when an application fails to properly sanitize or validate user-supplied input before rendering it in a web page. As a result, an attacker can insert arbitrary HTML markup into the page, which is then rendered in the browsers of other users. This can allow the attacker to manipulate the structure or content of the page, inject misleading elements, or create malicious links, potentially compromising user trust and the integrity of the website.
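The flaw described above, a name field interpolated into an HTML confirmation email, is shown here next to a hardened form. This is an added example, not code from the report or from PortSwigger; the template, the name allow-list, the function names and the sample value are all assumptions made for illustration.

```python
import html
import re
from email.message import EmailMessage

# Hypothetical template; the real confirmation email is not shown on the page.
TEMPLATE = "<html><body><p>Hi {first_name},</p><p>Thanks for requesting a trial.</p></body></html>"

# Assumed policy for a name field: starts with a letter, then letters, digits,
# spaces, dots, apostrophes or hyphens, 64 characters at most.
NAME_RE = re.compile(r"[^\W\d_][\w .'\-]{0,63}")

# Constructed sample input carrying markup instead of a name.
SAMPLE = 'Alex<h1>Notice</h1><a href="https://example.invalid/">link</a>'

def render_unsafe(first_name: str) -> str:
    """'Before' form: the field is placed into the HTML body verbatim."""
    return TEMPLATE.format(first_name=first_name)

def render_safe(first_name: str) -> str:
    """Hardened form: escape for the HTML text context at the point of output."""
    return TEMPLATE.format(first_name=html.escape(first_name, quote=True))

def validate_name(first_name: str) -> bool:
    """Defence in depth: refuse values that do not look like a name."""
    return NAME_RE.fullmatch(first_name.strip()) is not None

def contains_markup(rendered: str, value: str) -> bool:
    """True if the raw value reached the rendered HTML unescaped."""
    return "<" in value and value in rendered

def build_confirmation(first_name: str, to_addr: str) -> EmailMessage:
    """Validate first, then escape when building the HTML alternative."""
    if not validate_name(first_name):
        raise ValueError("first name contains characters not allowed in this field")
    name = first_name.strip()
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Your trial request"
    msg.set_content(f"Hi {name},\n\nThanks for requesting a trial.")  # text/plain part
    msg.add_alternative(render_safe(name), subtype="html")            # text/html part
    return msg

if __name__ == "__main__":
    print(contains_markup(render_unsafe(SAMPLE), SAMPLE))  # markup survives
    print(contains_markup(render_safe(SAMPLE), SAMPLE))    # markup neutralised
```

Escaping at output is the actual fix; the allow-list only narrows what reaches the mailer and may need loosening for names it does not anticipate.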