FaizanTech Core

HTML Injection Explained Step by Step

Illustration of an HTML injection attack showing malicious user input altering the structure of a webpage.

What is HTML injection?

HTML Injection is a web security vulnerability that allows an attacker to inject malicious HTML content into a webpage. This vulnerability arises when an application does not properly validate user-supplied input before passing it to a web browser.


Impact of HTML injection

HTML Injection, if successfully exploited, can have serious implications. Here are some of its impacts.

Reputation Damage:

Attackers might change the appearance of a webpage by injecting code and defacing it with inappropriate content.

Cross-Site Scripting (XSS):

HTML Injection can lead to XSS if the injected HTML contains scripts. This can be used to steal sensitive information, such as session cookies.

Phishing:

Attackers can create fake login forms to steal user credentials. This is often referred to as ‘phishing’.

Session Hijacking:

If session cookies are compromised through HTML injection, attackers can hijack user sessions. This allows them to impersonate legitimate users, gaining unauthorized access to accounts and sensitive information.

How to test HTML injection:

I’m going to use a website called Vulnerable Web Application (bWAPP) for testing purposes. You can do the same kind of testing on any website and maybe get rewards from bug bounty programs. I’ll use two tools, OWASP Broken Web Applications Project and Burp Suite, and follow a step-by-step process. If you want, you can watch and learn from what I’m doing during the test.

Access bWAPP:

First of all, install the OWASP Broken Web Applications Project in VMware Workstation. After installation, open it by browsing to its IP address in Mozilla Firefox.

Choose Bug

After accessing bWAPP, select the “Choose your bug” option and pick “HTML Injection Reflected (GET).” Subsequently, click the “Hack” button to initiate the testing process. First I will test at the low security level, and then I will increase the security level.

At low-level security:

After logging in, I will inject HTML code, specifically ‘<h5>Hacked</h5>’, into the application. During this process, I will intercept the associated GET request using Burp Suite to analyze and observe the impact of the injected code on the request and server response. The injected code appears in the web application’s response, which indicates that the website is vulnerable to HTML injection.

By substituting the GET request with a simple XSS payload like <script>alert(‘XSS’)</script>, you can observe an alert response within the web application, indicating the presence of a vulnerability to cross-site scripting (XSS).

After changing the security level from low to medium, when I put HTML code in the text field the input is reflected without the malicious code being executed.

I will examine the source code and analyze why it is not executing.

Upon reviewing the source code, I noticed that the HTML code in the query is HTML encoded, preventing its execution. To address this, I will employ a URL Decoder/Encoder to URL-encode the HTML code. Once encoded, I intend to insert this code into the login field and observe the resulting outcome.

The encoded HTML code is ultimately executed.

Mitigation of HTML injection

Input Validation:

Validate user input to ensure it does not contain any HTML tags or special characters that could be used to inject HTML.

Output Encoding:

Encode user-supplied input before it is included in HTML responses. This ensures that the input is treated as plain text and not as HTML code by the browser.

By following these simple steps, you reduce the risk of HTML injection dramatically. For more in-depth info, check out the OWASP HTML Injection Guide.

Regular Expression Filtering:

Use regular expressions to filter out potentially harmful input. For example, you could use a regular expression to ensure that a user’s name does not contain any HTML tags.
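The following is an added example, not code from bWAPP or from this post, that ties the medium-level observation above (a filter whose encoding is undone by a later URL decode) to the mitigations just listed. It assumes a reflected `firstname` query parameter that the page echoes inside a greeting, and models the value exactly as the application receives it after the web server’s normal URL decoding. The encode-then-decode ordering in `render_encode_then_decode` is an assumed illustration of the behaviour described, not a claim about bWAPP’s implementation; the allowlist pattern in `NAME_PATTERN` is likewise a constructed choice.

```python
"""Reflected parameter handling: no filtering, a filter in the wrong order,
and the hardened version (allowlist validation plus output encoding).

Constructed for illustration; not bWAPP's code.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample inputs. Each is the value as the application sees it
# after the server has already URL-decoded the query string once.
RAW_TAG = "<h5>Hacked</h5>"
URL_ENCODED_TAG = "%3Ch5%3EHacked%3C/h5%3E"   # the same tag, typed URL-encoded into the field
BENIGN_NAME = "Alice O'Neil"


def render_low(firstname: str) -> str:
    """Low level: the value is concatenated straight into the HTML."""
    return f"<p>Welcome {firstname}</p>"


def render_encode_then_decode(firstname: str) -> str:
    """Assumed filter ordering that explains the medium-level bypass:
    angle brackets are entity-encoded first, and the result is URL-decoded
    afterwards. A value containing %3C has no '<' for the first step to
    encode, and the second step turns %3C back into a live '<'."""
    filtered = firstname.replace("<", "&lt;").replace(">", "&gt;")
    filtered = unquote(filtered)   # decoding after encoding re-opens the hole
    return f"<p>Welcome {filtered}</p>"


def render_hardened(firstname: str) -> str:
    """Output encoding: escape at the point the value enters the HTML and
    never decode again afterwards. html.escape covers < > & " and '."""
    return f"<p>Welcome {html.escape(firstname, quote=True)}</p>"


# Allowlist for a person's name: letters, apostrophe, space, dot, hyphen;
# 1 to 50 characters. Constructed pattern, not a general-purpose name rule.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,49}$")


def is_valid_name(firstname: str) -> bool:
    """Input validation with a regular expression: anything outside the
    allowlist, including any tag or URL-encoded tag, is rejected before
    it reaches the template."""
    return NAME_PATTERN.fullmatch(firstname) is not None


def contains_live_tag(rendered: str) -> bool:
    """True if the rendered fragment still carries an unencoded <h5> element."""
    return "<h5>" in rendered


if __name__ == "__main__":
    for label, value in (("raw tag", RAW_TAG),
                         ("url-encoded tag", URL_ENCODED_TAG),
                         ("benign name", BENIGN_NAME)):
        print(f"--- {label} (valid name: {is_valid_name(value)})")
        print("low:               ", render_low(value))
        print("encode-then-decode:", render_encode_then_decode(value))
        print("hardened:          ", render_hardened(value))
```

Running the block shows the three stages side by side: the raw tag is live at the low level and neutralised by the ordered filter, the URL-encoded tag slips through the ordered filter, and the hardened renderer leaves both inert while still displaying a benign name (the apostrophe becomes `&#x27;`). Validation and output encoding are used together here because the regex protects only fields whose format is known, whereas output encoding protects every reflected value.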