Hello there!
If you’re someone who enjoys uncovering the hidden quirks of everyday websites, you’re going to find this story interesting. During a routine review of a user profile feature on Target.com, I stumbled across what initially seemed like a harmless visual bug — but it turned out to be a full-blown HTML injection vulnerability. These kinds of issues are easy to overlook because they appear so minor at first glance, yet they can have serious consequences if left unpatched.
Let me take you behind the scenes of what I discovered, how it worked, and why it matters.
I was testing the Traveler List section under the user profile area. This part of the application lets logged-in users add new travelers by submitting personal details like names, addresses, phone numbers, and so on. It’s a pretty standard feature, but when I entered a payload like <h1>hacked</h1> into the First Name field, the result displayed exactly like an HTML header on the frontend.
That’s when I knew: the app wasn’t sanitizing or encoding the inputs properly.
And this wasn’t limited to just one field. The same behavior happened when injecting tags into the last name, address, and even city…
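The missing output encoding described above, shown as an added example (not code from the original post or from Target): a traveler record rendered once by plain concatenation and once with every field HTML-encoded, plus a small audit helper for stored records. The record layout, field names and function names are assumptions made for illustration.

```javascript
// Constructed sample record; field names are assumed, not the site's real schema.
const traveler = {
  firstName: "<h1>hacked</h1>",
  lastName: "O'Neil & Sons",
  address: '12 "Main" St',
  city: "Austin",
};

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated into markup as-is,
// so a tag typed into any field becomes a real element on the page.
function renderTravelerUnsafe(t) {
  return `<li class="traveler"><span>${t.firstName} ${t.lastName}</span>` +
         `<span>${t.address}, ${t.city}</span></li>`;
}

// Hardened pattern: every field is encoded at output time, whatever was stored.
function renderTravelerSafe(t) {
  const e = escapeHtml;
  return `<li class="traveler"><span>${e(t.firstName)} ${e(t.lastName)}</span>` +
         `<span>${e(t.address)}, ${e(t.city)}</span></li>`;
}

// Regression check: user data must never change how many elements the template emits.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Audit helper: list the fields of a stored record that contain tag-like markup.
function findMarkupFields(record) {
  return Object.keys(record).filter((k) => /<\/?[a-zA-Z][^>]*>/.test(String(record[k])));
}

console.log(renderTravelerUnsafe(traveler));
console.log(renderTravelerSafe(traveler));
console.log("fields containing markup:", findMarkupFields(traveler));
```
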