Security researcher Ehteshamul Haq found a serious vulnerability on Target.com that could have allowed malicious users to inject HTML code into various traveller profiles on the website.
The root cause is that the website does not properly validate user-generated content: input fields are not sanitized or encoded correctly.
By simply entering a few lines of HTML code into any of the first name, last name or address fields, Haq was able to have his own headline rendered on the front end of the website.
These kinds of HTML injection vulnerabilities can lead to serious consequences, such as clickjacking, session hijacking, or even full-scale XSS (cross-site scripting) attacks, if attackers were to exploit them.
Luckily, Target’s security team thanked Haq for disclosing the issue and fixed it promptly.
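The missing output encoding described above, shown as an added example that is not Target's code and not part of the original report: a hypothetical profile renderer with the vulnerable concatenation beside a version that encodes each field at the point of output. The function names, markup and sample values are constructed for illustration.

```javascript
// Added example: hypothetical renderer, not the site's real code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for use in HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: profile fields are concatenated into the markup as-is,
// so any tag typed into a field becomes part of the page.
function renderProfileUnsafe(p) {
  return `<div class="profile"><span class="name">${p.firstName} ${p.lastName}</span>` +
         `<input name="address" value="${p.address}"></div>`;
}

// Hardened: every user-supplied field is encoded where it is written out.
function renderProfileSafe(p) {
  return `<div class="profile"><span class="name">${escapeHtml(p.firstName)} ` +
         `${escapeHtml(p.lastName)}</span>` +
         `<input name="address" value="${escapeHtml(p.address)}"></div>`;
}

// Audit helper: names of stored fields that contain tag delimiters, useful for
// finding records that were saved before output encoding was in place.
function fieldsWithMarkup(p) {
  return Object.keys(p).filter((key) => /[<>]/.test(String(p[key])));
}

// Constructed sample profile: a heading tag in the first name and
// double quotes in the address (which would break a quoted attribute).
const sample = {
  firstName: '<h1>Injected headline</h1>',
  lastName: 'Doe',
  address: '12 "Elm" Street',
};

console.log(renderProfileUnsafe(sample));
console.log(renderProfileSafe(sample));
console.log(fieldsWithMarkup(sample));
```

Encoding at output keeps the stored value intact while the browser displays the tag as text instead of rendering it.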