HTML Injection

OWASP 2013-A1 OWASP 2017-A1 OWASP PC-C4 CAPEC-242 WASC-08 WSTG-CLNT-03 CWE-80

HTML injection is closely related to cross-site scripting (XSS). The attack consists of injecting HTML tags into a vulnerable web page: it occurs when an attacker controls an input point and the application places that input into the page without proper sanitisation of the input and proper encoding of the output. The injection is carried out using HTML meta-characters. The vulnerability can lead to disclosure of a user's session cookies, and it lets the attacker modify the page content seen by victims (end users) or deliver a malicious HTML page to them. Because the browser cannot tell whether the page is trusted, it parses and executes every part of it; any malicious code in the page runs on behalf of the end user, who is then exposed to further attacks. Any method or attribute that renders HTML content can be abused in this way: if such a method is given untrusted input, the chance of an HTML injection attack (and of XSS) is very high. For example, malicious HTML can be injected through innerHTML, which renders user-supplied strings as HTML; if those strings are not correctly sanitised, the result is XSS-based HTML injection. The document.write() function is another common way to carry out this attack.

Example

The code below takes unvalidated input from the URL and uses it to build dynamic HTML in the page context:

        // Take everything after "user=" in the URL, with no validation
        var userposition=location.href.indexOf("user=");
        var user=location.href.substring(userposition+5);
        // The untrusted string is parsed as HTML by innerHTML
        document.getElementById("Welcome").innerHTML=" Hello, "+user;

With code like this, an attacker can use the URL below.

        https://www.example.beaglesecurity.com/page.html?user=<img%20src='aaa'%20onerror=alert(1)>

The URL above injects an image tag into the page. Since the image source cannot be loaded, the browser fires the onerror handler and executes the JavaScript inserted by the malicious user in the page's HTML context.

Impact

Using this vulnerability, an attacker can:

  • read, update and delete arbitrary data/tables from the database.
  • execute commands on the underlying operating system.
  • disclose a user's session cookies and use them to impersonate the victim.
  • inject HTML that renders a form asking the user for their username and password.
  • send the username and password entered by users to a server they control.

Mitigation / Precaution

Beagle recommends the following fixes for this vulnerability:

  • Filter HTML meta-characters from user input.
  • Validate all input and encode all output appropriately before it is rendered as HTML.
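To make the two recommendations concrete for the welcome-message code in the Example section, here is an added example (not Beagle's code and not part of the original article) that keeps the page's vulnerable pattern as a pure function beside two hardened versions: one that parses the query string properly and HTML-encodes the value before it reaches innerHTML, and one that avoids HTML assembly entirely by writing a text node. The function names, the escapeHtml helper and the guarded DOM call are assumptions for this example; the sample URL is the payload shown on the page, embedded here as constructed input.

```javascript
// Added example (not Beagle's code): the page's welcome-message logic
// rewritten so untrusted input from the URL is never parsed as HTML.
// Runs in Node or a browser; DOM access is guarded so it also runs headless.

// Vulnerable pattern from the page, reproduced as a pure function:
// the raw substring after "user=" goes straight into an HTML string.
function buildWelcomeUnsafe(href) {
  const userposition = href.indexOf("user=");
  const user = href.substring(userposition + 5);
  return " Hello, " + user; // assigned to innerHTML in the original
}

// Hardened step 1: encode the characters that can open tags, attributes
// or entities, so the value is displayed as text even inside innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened step 2: parse the query string instead of slicing the href.
// URLSearchParams percent-decodes the value and stops at "&".
function getUserParam(href) {
  return new URL(href).searchParams.get("user") || "";
}

function buildWelcomeSafe(href) {
  return " Hello, " + escapeHtml(getUserParam(href));
}

// Preferred: write a text node. textContent is never parsed as HTML,
// so no encoding step can be forgotten.
function renderWelcome(doc, href) {
  const el = doc.getElementById("Welcome");
  el.textContent = " Hello, " + getUserParam(href);
  return el.textContent;
}

// Constructed sample input: the payload URL shown on the page.
const SAMPLE_HREF =
  "https://www.example.beaglesecurity.com/page.html?user=<img%20src='aaa'%20onerror=alert(1)>";

if (typeof document !== "undefined") {
  renderWelcome(document, location.href);
} else {
  console.log("unsafe:", buildWelcomeUnsafe(SAMPLE_HREF));
  console.log("safe:  ", buildWelcomeSafe(SAMPLE_HREF));
}
```

Run under Node to see the two strings side by side: the unsafe one still contains a live `<img ... onerror=...>` tag, while the safe one contains only `&lt;img ...&gt;`, which the browser renders as literal text. In a real page, prefer the textContent variant and keep innerHTML for markup the application itself generates.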
