Saving 100,000 websites from a Watering Hole attack


During my bug bounty sessions, I often come across websites built with Hubspot CMS.

Initial Discovery

The initial discovery was that Hubspot allowed SVG image uploads. I was able to trigger XSS on my own website by embedding JavaScript in my SVG files. Example:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">
    <!-- the script body did not survive on the page; alert() is shown as a stand-in -->
    alert(document.domain);
  </script>
</svg>

Two facts about Hubspot hosting matter for what follows:

  • All websites hosted on Hubspot use the endpoint /hs-fs/hubfs to request their media files.
  • Each Hubspot account had a virtual CDN hosted at <portal_Id>
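Since the root cause is an SVG that carries script and is served inline, the check an upload pipeline should run is a parse of the file that rejects active content. The following is an added example, not Hubspot's code or the author's: it walks the XML tree and flags <script> and <foreignObject> elements, on* event-handler attributes, and javascript: URLs in href/xlink:href. The sample SVGs are constructed here; the first one mirrors the payload shape shown above.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed arbitrary HTML when the SVG is
# opened directly in a browser (i.e. served as image/svg+xml, not via <img>).
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attribute keys as ElementTree reports them: plain href and namespaced xlink:href.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}


def local_name(tag):
    """Strip the namespace from an ElementTree tag ('{ns}rect' -> 'rect')."""
    return tag.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return the list of reasons an SVG is unsafe to serve inline; empty means clean."""
    try:
        root = ET.fromstring(svg_bytes)  # expat does not fetch the external DTD
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % name)
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append("%s@%s event handler" % (name, aname))
            if attr in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append("%s@%s javascript: URL" % (name, aname))
    return findings


def is_safe_svg(svg_bytes):
    """Gate for an upload handler: True only when no finding was produced."""
    return not svg_findings(svg_bytes)


# Constructed sample inputs (not files from the original post).
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255)" />
  <script type="text/javascript">alert(document.domain)</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10" onload="alert(1)" />
</svg>"""

LINK_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255)" />
</svg>"""


if __name__ == "__main__":
    for label, doc in [("malicious", MALICIOUS_SVG), ("handler", HANDLER_SVG),
                       ("link", LINK_SVG), ("clean", CLEAN_SVG)]:
        print(label, svg_findings(doc))
```

Rejecting at upload time is the primary control; independent of it, serving user-supplied SVGs with `Content-Disposition: attachment` or a `Content-Security-Policy: script-src 'none'` response header stops the script from running even if a file slips through.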

Secondary Context

For a better understanding of the flow, I have sketched the following schema:

Web Cache Poisoning

Quoting PortSwigger: "Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users." You can read more in PortSwigger's Web Security Academy.

GET /hs-fs/hubfs/xss.svg HTTP/2 

Water in the hole

To execute the watering hole attack, an attacker could target any website hosted on Hubspot and remotely replace its media files with malicious ones.

  • Host a website on Hubspot. Let’s call it
  • Embed a malicious script in an SVG file, name it safe.svg, then upload it to that website.
  • Send the following request to
GET /hs-fs/hubfs/safe.svg HTTP/2 
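The steps above only work if the shared CDN can be made to hand one portal's file to visitors of another. The page does not state what the real cache key was, so the following is an added, simplified model rather than Hubspot's infrastructure: an edge cache in front of a per-portal origin, with the cache key chosen by a function. With the assumed flawed key (request path only, ignoring which host was asked for), the attacker primes the cache through their own site and a later visitor to the victim's site receives the attacker's safe.svg as a HIT; with host included in the key, the same sequence is harmless. Hostnames and file contents are constructed.

```python
from collections import namedtuple

# status, body and whether the edge served it from cache ("HIT") or origin ("MISS")
Response = namedtuple("Response", "status body cache")

ATTACKER_HOST = "attacker.example"   # constructed
VICTIM_HOST = "victim.example"       # constructed
SHARED_PATH = "/hs-fs/hubfs/safe.svg"  # the shared media endpoint from the post


class Origin:
    """Per-portal file store: host -> path -> bytes. Each portal has its own files."""

    def __init__(self, portals):
        self.portals = portals

    def fetch(self, host, path):
        body = self.portals.get(host, {}).get(path)
        if body is None:
            return Response(404, b"", "MISS")
        return Response(200, body, "MISS")


class EdgeCache:
    """Shared cache in front of the origin; the key function decides what is shared."""

    def __init__(self, origin, key_fn):
        self.origin = origin
        self.key_fn = key_fn
        self.store = {}

    def get(self, host, path):
        key = self.key_fn(host, path)
        if key in self.store:
            status, body = self.store[key]
            return Response(status, body, "HIT")
        resp = self.origin.fetch(host, path)
        if resp.status == 200:  # only successful responses are cached
            self.store[key] = (resp.status, resp.body)
        return resp


def path_only_key(host, path):
    """Assumed flawed key: every portal collides on the same /hs-fs/hubfs path."""
    return path


def host_and_path_key(host, path):
    """Fixed key: the requested host is part of the cache key."""
    return (host, path)


def run_attack(key_fn):
    """Replay the three steps from the post against a cache using key_fn.

    Returns the response a later visitor of the victim's site receives.
    """
    origin = Origin({
        ATTACKER_HOST: {SHARED_PATH: b"<svg><script>evil()</script></svg>"},
        VICTIM_HOST: {SHARED_PATH: b"<svg><rect/></svg>"},
    })
    cache = EdgeCache(origin, key_fn)
    # Step 3: attacker requests their own upload through the shared edge.
    cache.get(ATTACKER_HOST, SHARED_PATH)
    # Later: an ordinary visitor of the victim's site asks for the same path.
    return cache.get(VICTIM_HOST, SHARED_PATH)


if __name__ == "__main__":
    print("path-only key :", run_attack(path_only_key))
    print("host+path key :", run_attack(host_and_path_key))
```

In practice the same reasoning applies to any input the origin uses to pick a file (host, a portal identifier header, a cookie): every such input must be part of the cache key or the response must carry `Vary` for it, otherwise the first requester decides what everyone else gets.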


