AlbusSec:- Penetration-List 010 HTML INJECTION— Sample
Hi Information Security folks, I hope you liked my previous article on Server-Side Request Forgery (SSRF). Today we'll learn about HTML injection. Before we start, I will introduce myself: I'm Aniket Tyagi, an Information Technology officer at the 5f eco foundation of India, an Information Security Researcher, and the founder of Albus Security. Without wasting our energy, let's get started.
Introduction to HTML Injection:-
HTML injection is an injection vulnerability in which a user controls a vulnerable parameter and can inject arbitrary HTML code into a vulnerable web page. This flaw can have a variety of consequences, including the disclosure of a user's session cookies, which could be used to impersonate the victim, or, more broadly, allowing the attacker to change the page content seen by victims. The vulnerability exists whenever the application does not properly sanitize the parameter and does not encode the output. An attacker can use the injection to deliver a malicious HTML page to a victim. Because the victim's browser cannot distinguish the legitimate parts of the page from the malicious parts, the entire page is parsed and executed in the victim's context.
Types of HTML Injection:-
Reflected HTML Injection:- The attacker's malicious HTML code is carried in an HTTP request to the application, through a vulnerable input field or a crafted link, and the server's response to that same request contains the injected HTML, which the browser then executes.
Stored HTML Injection (XSS):- The attacker sends an HTTP request containing malicious HTML code, and the server stores it. Whenever a user later visits the page that displays the stored content, the malicious HTML code is executed. A stored HTML injection vulnerability is one where the injected script is permanently stored on the target server, for example in a profile image, message forum, visitor log or comment field.
Basic Methodology:-
To find an HTML injection, an attacker first looks for vulnerable parameters or vulnerable links. Malicious HTML code can reach the page source through innerHTML; recall that innerHTML is a DOM property, and whenever attacker-controlled data is written into it via a vulnerable parameter or vulnerable URL, that data enters the document as markup. It is used mostly for data-input fields such as comment fields, questionnaire forms and registration forms, so those elements are the ones most exposed to HTML injection attacks. Suppose we have a registration form that a normal user fills in with their details; when registration is complete, the account name is reflected on the dashboard page. From an attacker's perspective, they will try to inject HTML code into the name parameter. The profile name is reflected on the web page, so if the application is vulnerable, the HTML code is executed on the page, and the application is vulnerable to an HTML injection attack. Therefore, if malicious code is typed and saved, it will also be loaded and displayed on the website. In our case, whenever an attacker enters HTML code such as
<h1>test</h1>
in the name field, it is reflected on the web page with the <h1> tag applied, that is, rendered as a heading.
Sometimes an application uses HTML entity encoding, which renders special symbols as HTML entities and so prevents the HTML injection; it is one of the techniques for sanitizing a parameter value supplied by the user. Whenever you try to inject HTML code through such a parameter, you will see that your code is not executed, because the quotes and angle brackets were converted into HTML entities, and without quotes, brackets, etc. the injected code is not interpreted as markup. So, when an attacker injects HTML code through a vulnerable parameter and the server encodes that value instead of executing it, the attacker will try an encoding scheme such as URL encoding or Base64.
URL encode: <h1>testing</h1> -> %3Ch1%3Eaniket%3C%2Fh1%3E
https://albussecurity.com/html-injectin?test=%3Ch1%3Eaniket%3C%2Fh1%3E
Once you inject this through the vulnerable parameter, the injection is executed, because we URL-encoded our payload: the greater-than and less-than symbols are expressed in URL form, so the injected payload no longer contains the literal HTML symbols or quotes, the HTML entity encoding has nothing to act on, and the payload is executed. In modern applications this technique sometimes does not work; in that case, try double encoding, and it may be that the injected payload is then executed successfully.
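The registration-form example above, and the question of why a URL-encoded payload can get past an entity-encoding filter, come down to the order in which the server decodes the parameter and encodes the output. The following is an added example, not code from the article or from Albus Security: a constructed dashboard template and constructed payloads (plain, URL-encoded and double-URL-encoded, as the article discusses), rendered through three orderings of decode and escape. The filter that escapes before decoding is bypassed by the URL-encoded payload, the filter that decodes a second time after escaping is bypassed by the double-encoded payload, and the hardened version (decode every transport encoding first, entity-encode last, at the point of insertion into HTML) neutralises all three. The `user_slot` check is the sort of assertion a response-inspection test would make to confirm a reflected value never lands in the page as a raw tag.

```python
"""Added example (not from the original article): ordering of URL-decoding and
HTML-entity encoding when a user-supplied 'name' is reflected into a dashboard.
The template, function names and payloads are constructed for illustration;
raw_name stands for the value as it appears in the query string, before the
framework has decoded anything."""
import html
import re
from urllib.parse import unquote

# Constructed dashboard template: the user-controlled value sits between these.
PREFIX = '<div class="profile">Welcome, '
SUFFIX = "</div>"

# Constructed payloads in the three forms the article talks about.
PLAIN = "<h1>test</h1>"
URL_ENCODED = "%3Ch1%3Etest%3C%2Fh1%3E"
DOUBLE_ENCODED = "%253Ch1%253Etest%253C%252Fh1%253E"

# Matches an opening or closing tag such as <h1> or </h1>, but not &lt;h1&gt;.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_vulnerable(raw_name: str) -> str:
    """No output encoding at all: whatever was sent is parsed as markup."""
    return PREFIX + unquote(raw_name) + SUFFIX


def render_escape_before_decode(raw_name: str) -> str:
    """Wrong order: entity-encode the raw query value, then URL-decode it.
    Only a payload sent with literal '<' and '>' is neutralised; a
    URL-encoded one contains no '<' when the filter runs."""
    return PREFIX + unquote(html.escape(raw_name)) + SUFFIX


def render_double_decode(raw_name: str) -> str:
    """Framework decodes once, the app escapes, then a later layer decodes
    again. Plain and single-encoded payloads are caught; a double-encoded
    payload is still '%3C...' when escaped and becomes '<' afterwards."""
    return PREFIX + unquote(html.escape(unquote(raw_name))) + SUFFIX


def render_hardened(raw_name: str) -> str:
    """Right order: finish all transport decoding first, then entity-encode
    as the very last step before the value is placed into the HTML."""
    return PREFIX + html.escape(unquote(raw_name)) + SUFFIX


def user_slot(rendered: str) -> str:
    """Return only the part of the page the user controlled."""
    return rendered[len(PREFIX):len(rendered) - len(SUFFIX)]


def reflects_raw_tag(rendered: str) -> bool:
    """Detection check: did a raw tag survive into the user-controlled slot?"""
    return TAG_RE.search(user_slot(rendered)) is not None


def bypass_table() -> dict:
    """Which renderer lets which payload through, keyed by renderer name."""
    renderers = {
        "vulnerable": render_vulnerable,
        "escape_before_decode": render_escape_before_decode,
        "double_decode": render_double_decode,
        "hardened": render_hardened,
    }
    payloads = {"plain": PLAIN, "url": URL_ENCODED, "double": DOUBLE_ENCODED}
    return {
        rname: {pname: reflects_raw_tag(fn(p)) for pname, p in payloads.items()}
        for rname, fn in renderers.items()
    }


if __name__ == "__main__":
    for name, row in bypass_table().items():
        print(f"{name:22s}", {k: ("TAG" if v else "safe") for k, v in row.items()})
```

Run it and the table shows the pattern the article describes from the attacker's side: a single URL-encoded payload gets past the escape-before-decode filter, and only the double-encoded payload gets past the double-decode pipeline, while escaping last stops both. The defender's rule that falls out is simple: never escape a value until every decoding step that will ever touch it has already happened.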
So that's it for this sample; it is not a complete treatment. You already know the reason: the upcoming articles will be uploaded as samples rather than full lectures, because very soon I'll publish the "Penetration List" book, in which you'll get in-depth knowledge about vulnerabilities. I'll upload topics on Medium as samples, not full sections. Thank you for reading.
You can download a sample of the book:-