> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/web-appsec/features-abuse/messaging-features.md). # Messaging Features

Injection

* [ ] Blind XSS/HTML Injection * [ ] HTML injection in email rendering * [ ] XSS HTML Injection in email section * [ ] Inject in message body * [ ] Inject in subject/title * [ ] Inject in reply field * [ ] Email header injection (`\n`, `%0a`) ```html tester'\"/><

h1>ester0x88<

/h1> 0x88"><

img/src=https://tinyurl.com/ynaeed3d> Your Account has been suspended you should change your password From Here change password

Markup Injection

{% embed url="" %} 1. Go to 2. Choose invisible 3. Image send the message

IDOR

* [ ] Change message ID in request → access other users’ messages * [ ] Change conversation/thread ID → view other conversations * [ ] Modify user/client ID in requests * [ ] Send message as another user * [ ] Modify recipient ID

Improper Session Validation After Logout

* [ ] Access messages after logout * [ ] Reuse old session token after logout

Privilege Escalation

* [ ] Reply to a thread you shouldn’t have access to * [ ] Access deleted/archived messages via direct endpoint * [ ] Client accessing firm staff messages * [ ] Staff accessing unauthorized threads

Data Leakage in API Responses

* [ ] Inspect API responses for hidden fields * [ ] Leak email addresses or internal IDs * [ ] Check for data leakage across accounts * [ ] Trigger errors → check for stack traces * [ ] Message metadata leakage

Unauthenticated Access to APIs

* [ ] Access APIs without authentication

File Upload Issues

* [ ] Upload `.html` files * [ ] Upload `.svg` files * [ ] Upload `.js` files * [ ] Upload `PDF` with embedded `JS` * [ ] Double extensions (`file.jpg.html`) * [ ] Bypass `Content-Type` validation * [ ] Inject payload in filename * [ ] Access uploaded files via direct URL * [ ] Modify sender ID * [ ] Access other users’ attachments (IDOR)

Leaked Sensitive Information in Email Notifications

* [ ] Email contains full message content * [ ] Email leaks sensitive data like emails * [ ] Email exposes internal IDs or hidden fields * [ ] Secure messaging leaks via email

Rate Limit Issues

* [ ] Check rate limiting * [ ] Trigger multiple notifications (spam) * [ ] Race Condition * [ ] Send high volume of messages quickly * [ ] Email bombing via notifications * [ ] Very long messages (10k+ chars) -> `DoS Potential`

BAC

* [ ] Replay request (duplicate messages) * [ ] Modify message content after sending * [ ] Send message when messaging is disabled * [ ] Send message when user is blocked * [ ] Bypass client/staff messaging restrictions

CSRF

* [ ] Build CSRF PoC (auto-send message)

Improper Input Validation

* [ ] Unicode / RTL text * [ ] Emojis * [ ] Null byte injection (`%00`) * [ ] Broken JSON / missing parameters

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sec88.0x88.online/web-appsec/features-abuse/messaging-features.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.