HTML injection is a type of injection issue that occurs when a user is able to control an input point and inject arbitrary HTML code into a vulnerable web page.
This vulnerability can have many consequences, such as disclosure of a user's session cookies, which could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by victims.
Since HTML is the language used to define the structure of a web page, if an attacker can inject HTML, they can essentially change what a browser renders. Sometimes this results in completely changing the look of a page; in other cases it means creating forms to trick users. For example, if you could inject HTML, you might be able to add a form to the page asking the user to re-enter their username and password. When the user submits this form, however, it actually sends the information to the attacker.
Types of HTML Injection
- Stored HTML Injection
- Reflected HTML Injection
#1] Stored HTML Injection
A stored HTML injection attack occurs when malicious HTML code is saved on the web server and is executed every time a user invokes the affected functionality. When a client clicks on the payload, which appears to be an official part of the website, the injected HTML code is rendered by the browser. The most common example is the comment feature on blogs, which allows users to post comments for the administrator or other users.
#2] Reflected HTML Injection
In a reflected HTML injection attack, the malicious HTML code is not permanently stored on the web server. Reflected injection occurs when the website immediately responds to the malicious input. The most common occurrence of this kind of vulnerability is in a website's search function: the attacker enters arbitrary HTML code in the search textbox and, if the website is vulnerable, the results page will render that HTML rather than displaying it as text.
There are further sub-types of reflected HTML injection:
- Reflected GET
- Reflected POST
- Reflected URL
How To Test HTML Injection?
This vulnerability occurs when user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to deliver a malicious HTML page to a victim. The targeted browser cannot distinguish the legitimate parts from the malicious ones and consequently parses and executes everything as legitimate in the victim's context.
There is a wide range of methods and attributes that can be used to render HTML content. If these methods are fed untrusted input, there is a high risk of XSS, specifically an HTML injection variant. Malicious HTML code could be injected, for example, via innerHTML, which is used to render user-supplied HTML. If strings are not correctly sanitized, the problem can lead to XSS-based HTML injection. Another such method is document.write().
When trying to exploit this kind of issue, keep in mind that some characters are treated differently by different browsers. For reference, see the DOM XSS Wiki.
The innerHTML property sets or returns the inner HTML of an element. Improper usage of this property, meaning a lack of sanitization of untrusted input combined with missing output encoding, can allow an attacker to inject malicious HTML code.
Example of Vulnerable Code: The following example shows a snippet of vulnerable code that allows an unvalidated input to be used to create dynamic html in the page context:
In the same way, the following example shows a vulnerable code using the document.write() function:
document.write("<h1>Hello," + user + "</h1>")
In both examples, an input like the following:
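As an added example that is not part of the original article, the following places the `document.write()` pattern from above beside a hardened version. It assumes `user` is attacker-controlled input (for example a query-string value); `escapeHtml`, `renderGreetingSafe` and the DOM-based helper `renderGreetingDom` are names chosen here, not functions from the page.

```javascript
// Added example (not from the original article): the vulnerable pattern from
// the text beside a hardened version. `user` is assumed to be untrusted input
// taken from the request, e.g. a query-string parameter.

// Vulnerable: untrusted input is concatenated into markup, so any tags in
// `user` become part of the page structure when the browser parses it.
function renderGreetingUnsafe(user) {
  return "<h1>Hello, " + user + "</h1>";
}

// Output encoding: the characters that can change HTML structure or break
// out of an attribute value are replaced with entity references.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same markup, but the untrusted part is encoded before insertion,
// so a tag in `user` is displayed as text instead of being rendered.
function renderGreetingSafe(user) {
  return "<h1>Hello, " + escapeHtml(user) + "</h1>";
}

// Browser-side alternative: avoid innerHTML / document.write altogether and
// assign text, which the browser never parses as markup. Only callable where
// a DOM exists; the string-based functions above also run under Node.
function renderGreetingDom(container, user) {
  const h1 = document.createElement("h1");
  h1.textContent = "Hello, " + user; // text node, never parsed as HTML
  container.replaceChildren(h1);
  return h1.outerHTML;
}

// Constructed sample inputs: a plain name and a name carrying a tag.
const SAMPLE_INPUTS = ["Alice", "<b>Alice</b>"];

for (const u of SAMPLE_INPUTS) {
  console.log("unsafe:", renderGreetingUnsafe(u));
  console.log("safe:  ", renderGreetingSafe(u));
}
```

The encoded output is only safe in an HTML text or quoted-attribute context; input placed into a URL, a script block or a CSS value needs the encoding appropriate to that context instead.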
Impact of HTML Injection
- It can allow an attacker to modify the page
- It can be used to steal another person's identity
How To Find HTML Injection
- Find an input parameter, either GET-based or POST-based
- If your input is reflected back to you on the web page, there may be HTMLi
- Try to submit some HTML code; if it renders as markup rather than as text, there is HTMLi
Proof of Concept (PoC) of HTMLi
HackerOne Unintended HTML Inclusion
Report Link: https://hackerone.com/reports/112935
Date Reported: January 26, 2016
Bounty Paid: $500
Within Security Content Spoofing
Report Link: https://hackerone.com/reports/111094
Date Reported: January 16, 2015
Bounty Paid: $250
HTML injection presents a vulnerability for sites and developers because it can be used to mislead users and trick them into submitting sensitive information to, or visiting, malicious websites, otherwise known as phishing attacks.
Discovering these vulnerabilities isn't always about submitting plain HTML but about exploring how a site might render your input, for example URI-encoded characters. And while not entirely the same as HTML injection, content spoofing is similar in that it involves having some input reflected back to a victim in the HTML page. Hackers should be on the lookout for opportunities to manipulate URL parameters and have them rendered on the site.
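The testing steps listed earlier (find a parameter, check whether it is reflected, check whether markup renders) and the note above on URI-encoded characters can be turned into a repeatable check on captured responses. As an added example that is not part of the original article, the following classifies how a harmless probe string comes back in a response body; the response bodies are constructed samples rather than traffic from any real site, and `classifyReflection` and `runChecks` are names chosen here.

```javascript
// Added example (not from the original article): classify how a harmless probe
// string submitted in a request parameter comes back in the response. The
// response bodies below are constructed samples, not traffic from a real site.

const PROBE = "<b>htmli-probe</b>";

// The two encodings a correctly behaving page might apply to the probe.
function entityEncoded(probe) {
  return probe.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function urlEncoded(probe) {
  return encodeURIComponent(probe);
}

// "raw":        probe reflected verbatim, so its tags become page structure (HTMLi)
// "encoded":    only the entity-encoded form appears (output encoding in place)
// "urlencoded": only the percent-encoded form appears, e.g. inside a link href;
//               not rendered as markup here, but worth re-checking wherever that
//               URL is later decoded and displayed
// "absent":     the parameter is not reflected on this page at all
function classifyReflection(probe, body) {
  if (body.includes(probe)) return "raw";
  if (body.includes(entityEncoded(probe))) return "encoded";
  if (body.includes(urlEncoded(probe))) return "urlencoded";
  return "absent";
}

// Constructed responses for a search page that received q=<probe>.
const SAMPLE_RESPONSES = {
  unencoded:  `<p>Results for ${PROBE}</p>`,
  encoded:    `<p>Results for ${entityEncoded(PROBE)}</p>`,
  inLinkOnly: `<a href="/search?q=${urlEncoded(PROBE)}&amp;page=2">next</a>`,
  dropped:    `<p>No results</p>`,
};

// Run the classifier over every sample; any "raw" result is a page that
// needs output encoding before the parameter is written into the response.
function runChecks(responses) {
  const results = {};
  for (const [name, body] of Object.entries(responses)) {
    results[name] = classifyReflection(PROBE, body);
  }
  return results;
}

console.log(runChecks(SAMPLE_RESPONSES));
```

The probe uses a plain `<b>` tag so that the check itself never changes a page's behaviour beyond bold text; the classification order matters, since a page that entity-encodes the visible result and also percent-encodes it in a pagination link is correctly reported as "encoded".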