What is HTML?

HTML stands for Hypertext Markup Language. It is the standard markup language for web pages, and a collection of web pages makes up a website. HTML elements are written as tags enclosed in angle brackets (<>), and each tag has a different role.

Let's understand it with an example:

Below is the code of a simple HTML page.

<!DOCTYPE html>
<html>
	<head>
		<title>Page Title</title>
	</head>
	<body>
		<h1>My First Heading</h1>
		<p>My first paragraph.</p>
	</body>
</html>

Let's go through each tag one by one:

  • The <!DOCTYPE html> declaration defines that this document is an HTML5 document.
  • The <html> element is the root element of an HTML page.
  • The <head> element contains meta information about the HTML page.
  • The <title> element specifies a title for the HTML page (which is shown in the browser’s title bar or in the page’s tab).
  • The <body> element defines the document’s body, and is a container for all the visible contents, such as headings, paragraphs, images, hyperlinks, tables, lists, etc.
  • The <h1> element defines a large heading.
  • The <p> element defines a paragraph.

What is HTML Injection Attack?

HTML Injection is a vulnerability that occurs in web applications which allow users to insert HTML code via a specific parameter or entry point.

HTML Injection is an attack that is similar to Cross-site Scripting (XSS). Whereas an XSS vulnerability lets the attacker inject and execute JavaScript code, an HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page.

There is a wide range of methods and properties that can be used to render HTML content. If they are given untrusted input, there is a high risk of an HTML injection vulnerability. For example, malicious HTML code can be injected via the innerHTML JavaScript property, which is often used to render user-supplied HTML. If the strings are not correctly sanitized, assigning them to innerHTML enables HTML injection. A JavaScript function that can be misused in the same way is document.write().

It is generally exploited through social engineering: valid users of the application are tricked into opening malicious websites or into entering their credentials in a fake login form, which redirects them to a page that captures cookies or credentials.


Exploiting HTML Injection

HTML injections are easy to exploit. You just need to find all parameter=value pairs and check each one for reflection of your HTML injection payload.

The following example shows a snippet of vulnerable code that allows unvalidated input to be used to create dynamic HTML in the page context:

// Vulnerable by design: everything after "user=" in the URL is taken verbatim,
// with no decoding, validation or encoding
var userposition=location.href.indexOf("user=");
var user=location.href.substring(userposition+5);
// Assigning to innerHTML parses the string as markup, so injected tags are rendered
document.getElementById("Welcome").innerHTML=" Hello, "+user;

The following example shows vulnerable code using the document.write() function:

// Vulnerable by design: same unvalidated extraction of the "user" parameter
var userposition=location.href.indexOf("user=");
var user=location.href.substring(userposition+5);
// document.write() also parses its argument as markup, so injected tags are rendered
document.write("<h1>Hello, " + user +"</h1>");

In both examples, the vulnerability can be exploited with an input such as: http://vulnerable.site/page.html?user=<img%20src='aaa'%20onerror=alert(1)>
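To make the defect concrete, here is an added example (not code from the original article) that puts the article's "user" parameter handling beside a hardened version. The rendering is reduced to pure string functions so it runs in Node without a DOM; the URLs are constructed samples using the article's hypothetical host vulnerable.site, and the function names are my own.

```javascript
// Added example: vulnerable vs. hardened handling of the "user" query parameter.

// Constructed sample URLs (hypothetical host taken from the article).
const BENIGN_URL = "http://vulnerable.site/page.html?user=alice&lang=en";
const HOSTILE_URL = "http://vulnerable.site/page.html?user=<img%20src='aaa'%20onerror=alert(1)>";

// The article's parsing: take everything after "user=" verbatim. Nothing is
// decoded or validated, and any following "&lang=en" parameter is swallowed too.
function extractUserUnsafe(href) {
  const userposition = href.indexOf("user=");
  return href.substring(userposition + 5);
}

// Mirrors `innerHTML = " Hello, " + user`: the returned string would be parsed
// as markup by the browser, so an <img ...> payload becomes a real element.
function renderWelcomeUnsafe(href) {
  return " Hello, " + extractUserUnsafe(href);
}

// Hardened parsing: the URL API isolates the parameter and percent-decodes it
// exactly once; a missing parameter yields an empty string instead of garbage.
function extractUser(href) {
  const value = new URL(href).searchParams.get("user");
  return value === null ? "" : value;
}

// Output encoding: the five characters that can change HTML structure are
// replaced by entities, so user text is displayed rather than parsed as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe rendering for the cases where building an HTML string is unavoidable.
function renderWelcomeSafe(href) {
  return " Hello, " + escapeHtml(extractUser(href));
}

// In a real page, prefer the DOM property that never parses markup at all:
//   document.getElementById("Welcome").textContent = " Hello, " + extractUser(location.href);

console.log(renderWelcomeUnsafe(HOSTILE_URL)); // the raw <img ...> tag survives
console.log(renderWelcomeSafe(HOSTILE_URL));   // the tag is shown as text
```

The fix has two independent parts: parse the parameter properly (so stray characters and other parameters do not leak into the value) and encode on output (so whatever value arrives is treated as text). Neither part alone is sufficient; the output encoding is the one that actually closes the injection.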

An HTML Injection vulnerability can be chained into an account takeover. The steps would be as follows:

  • The attacker discovers the injection vulnerability and decides to use an HTML injection attack.
  • The attacker crafts a malicious link, including the injected HTML content, and sends it to a user via email.
  • The user visits the page because it is located within a trusted domain.
  • The attacker's injected HTML is rendered and presented to the user, asking for a username and password.
  • The user enters a username and password, which are both sent to the attacker's server.

Severity

The severity of HTML Injection can be categorized as a P4 bug with a CVSS score of 0.1-3.9, which is Low. In the case of an account takeover it can be categorized as P3.


Impact of HTML Injection

An attacker can alter what the web page displays and can also turn it into a phishing page that diverts users to another attacker-controlled web page.


Prevention of HTML Injection

  • Every input should be checked for script code or HTML code. One should check whether the input contains any special script or HTML brackets, such as <script></script> or <html></html>.
  • There are many functions for checking whether input contains such brackets. Which checking function to use depends on the programming language you are using.
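As an added example (not code from the original article), the following Node script implements the bracket check described above and a stricter allowlist check that goes beyond it. looksLikeHtml() flags literal angle brackets and also HTML entities, which a browser could decode into brackets when rendering; isValidUsername() accepts only characters that can never form markup, which is what I would use for a field like "user". The sample inputs are constructed and the function names are my own.

```javascript
// Added example: input-side checks for an HTML injection defence.

// Constructed sample inputs: one benign value and several that should be rejected.
const SAMPLE_INPUTS = [
  "alice",
  "alice<b>bold</b>",
  "<img src='aaa' onerror=alert(1)>",
  "&lt;script&gt;alert(1)&lt;/script&gt;",
  "alice&lang=en",
];

// Bracket/tag check: true if the string contains a literal angle bracket or an
// HTML entity (named, decimal or hex), since an entity may decode to a bracket.
function looksLikeHtml(input) {
  const s = String(input);
  return /[<>]/.test(s) || /&(#\d+|#x[0-9a-f]+|[a-z]+);/i.test(s);
}

// Allowlist check: only letters, digits, "_", "." and "-", with a bounded length.
// An allowlist cannot be bypassed by an encoding the blocklist forgot about.
function isValidUsername(input) {
  return /^[A-Za-z0-9_.-]{1,32}$/.test(String(input));
}

// Combine both: accept allowlisted values; otherwise report why the value was
// rejected so rejections can be logged. Repeated "markup" rejections on one
// parameter are a useful detection signal for injection attempts.
function checkUserInput(input) {
  if (isValidUsername(input)) return { ok: true, reason: "" };
  return { ok: false, reason: looksLikeHtml(input) ? "markup" : "format" };
}

// Run every sample through the check and keep the verdict next to the value.
function checkAll(inputs) {
  return inputs.map((value) => ({ value, ...checkUserInput(value) }));
}

for (const result of checkAll(SAMPLE_INPUTS)) {
  console.log(JSON.stringify(result));
}
```

Input validation like this reduces the attack surface but is not a substitute for encoding values when they are written into the page: any field that legitimately needs characters such as "<" (a comment box, for instance) cannot be protected by rejecting brackets and must be encoded on output.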

References

  • Acunetix
  • OWASP
  • Imperva