I Pasted a Simple HTML Code on BookMyShow… and Got ₹1000 for It!
Introduction
Picture this: You’re about to buy a gift card for your movie-loving friend. You enter your name, their name, and proceed to payment. Everything seems fine, but beneath the surface is a hidden vulnerability — one that allows attackers to manipulate what you see on your screen. Let’s learn about HTML injection, which is a simple vulnerability.
As a security researcher, I recently discovered a potential security flaw on BookMyShow’s gift card payment page. While scripting attacks are blocked by Cloudflare’s security, HTML injection is still an issue, and here’s why it matters.
What is HTML Injection?
HTML injection is like a magic trick — but not the fun kind. It allows attackers to inject custom HTML elements into web pages, altering what users see. Unlike Cross-Site Scripting (XSS), which runs malicious scripts, HTML injection focuses on manipulating displayed content, potentially misleading users into making critical mistakes.
The Vulnerability
On BookMyShow’s gift card purchase page, users enter their name and the sender’s name, which are later displayed on the payment page. However, there’s no proper sanitization — meaning you can insert actual HTML code into those fields!
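To make the missing sanitization concrete, here is an added example (not from the original post and not BookMyShow's code) showing a payment-summary template that concatenates the name fields into markup, next to a version that encodes them on output. The function names, the template and the name pattern are assumptions for illustration.

```javascript
// Added example: hypothetical template for a gift-card payment summary.
// Function and field names are assumptions, not BookMyShow's code.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: user-supplied names are concatenated straight into markup.
function renderSummaryUnsafe(sender, recipient) {
  return `<p class="summary">From: ${sender} | To: ${recipient}</p>`;
}

// After: names are encoded at output time, so they render as literal text.
function renderSummarySafe(sender, recipient) {
  return `<p class="summary">From: ${escapeHtml(sender)} | To: ${escapeHtml(recipient)}</p>`;
}

// Defense in depth: reject names containing markup characters at input time.
// Allows Unicode letters, marks, spaces, dots, apostrophes, hyphens (1-50 chars).
const NAME_PATTERN = /^[\p{L}\p{M} .'-]{1,50}$/u;
function isValidName(value) {
  return typeof value === "string" && NAME_PATTERN.test(value.trim());
}

// Constructed sample input: a harmless bold tag typed into the name field.
const sampleSender = "<b>Asha</b>";
const sampleRecipient = "Ravi O'Neil";

console.log(renderSummaryUnsafe(sampleSender, sampleRecipient)); // tag reaches the page
console.log(renderSummarySafe(sampleSender, sampleRecipient));   // tag shown as text
console.log(isValidName(sampleSender), isValidName(sampleRecipient));
```

Output encoding is the fix that matters here; the input pattern only narrows what reaches the template and should not be relied on alone.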