HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger

Disclosed: 2026-02-26 09:19:59 By zorixu To portswigger
Severity: Low
Vulnerability Details
## Summary

The DAST trial request form at `https://portswigger.net/burp/dast/trial` is vulnerable to HTML injection through the "First Name" field. User-supplied input is not sanitized before it is inserted into the confirmation email, so an attacker can inject arbitrary HTML that the recipient's email client renders. Because the message is sent from PortSwigger's legitimate email infrastructure, this can be used to deliver convincing phishing content that appears to come from a trusted sender.

## Steps to Reproduce

1. Navigate to `https://portswigger.net/burp/dast/trial`
2. Locate the "Request a tailored demo" form
3. Fill in all required fields with legitimate data
4. In the **"First Name"** field, insert the following payload:
   ```html
   "<h1><a href="https://zorixu.com">Click here for exclusive offers</a></h1>
   ```
5. Enter the victim's email address in the email field
6. Submit the form
7. Check the victim's inbox for the confirmation email
8. Observe that the HTML payload is rendered in the email.

**Result:** The injected HTML is rendered in the email, confirming the vulnerability.

## Additional Details

1. Screenshot showing the DAST trial form with the "First Name" field containing the malicious payload ████████
2. Screenshot showing the received email with the injected HTML {F5372977}

## Impact

The vulnerability allows an attacker to inject arbitrary HTML content into emails sent from PortSwigger's legitimate mail servers. By controlling the content rendered in the email body, an attacker can craft phishing messages that appear fully trusted to the recipient.
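The root cause described above is a template that interpolates the "First Name" value into HTML unchanged. The following is an added illustration, not code from the report or from PortSwigger: a constructed confirmation-email template (the real template is not on the page) rendered once with the vulnerable pattern and once with output encoding via `html.escape`, plus a defence-in-depth input check on the name field. The template text, the `is_plausible_name` policy and the function names are assumptions made for this example.

```python
import html
import re

# Constructed stand-in for a confirmation-email template (assumption: the
# real PortSwigger template is not shown in the report).
TEMPLATE = "<p>Hi {first_name}, thanks for requesting a DAST trial.</p>"

# The payload quoted in the report, used here as test input for the renderers.
REPORTED_PAYLOAD = (
    '"<h1><a href="https://zorixu.com">Click here for exclusive offers</a></h1>'
)


def render_unsafe(first_name: str) -> str:
    """Vulnerable pattern: the submitted value is placed into the HTML body
    verbatim, so any tags it contains are rendered by the mail client."""
    return TEMPLATE.format(first_name=first_name)


def render_safe(first_name: str) -> str:
    """Hardened pattern: encode the value for an HTML text context before
    interpolation. Angle brackets, ampersands and quotes become entities,
    so the mail client shows the payload as literal text."""
    return TEMPLATE.format(first_name=html.escape(first_name, quote=True))


def is_plausible_name(first_name: str) -> bool:
    """Defence-in-depth check at the form boundary (constructed policy):
    accept letters, Latin-1 accented letters, spaces, hyphens, apostrophes
    and periods, up to 64 characters. Encoding on output is still the
    primary control; this only narrows what reaches the template."""
    return re.fullmatch(r"[A-Za-zÀ-ÿ' .\-]{1,64}", first_name) is not None


def contains_markup(rendered: str, tag: str = "h1") -> bool:
    """Simple regression check: does the rendered body contain a live tag?"""
    return f"<{tag}" in rendered


if __name__ == "__main__":
    print("unsafe :", render_unsafe(REPORTED_PAYLOAD))
    print("safe   :", render_safe(REPORTED_PAYLOAD))
    print("accepted by input policy:", is_plausible_name(REPORTED_PAYLOAD))
```

The encoded rendering still shows the attacker's text to the recipient, but as inert characters rather than a clickable heading; pairing the output encoding with a narrow input policy on the name field also gives the form a place to log and reject obviously malformed submissions.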
Report Stats
  • Report ID: 3556892
  • State: Closed
  • Substate: resolved
  • Upvotes: 3