It is a kind of attack in which HTML code is injected through the vulnerable parts of the website with the purpose to change the design or information, that is displayed to the user. As a result, the user may see the data or information that was sent by the malicious user. In simple terms, it can be used to deface a web page or redirect the user to a malicious website.
This injection attack can be performed with two different purposes:
- To change the displayed information or website’s appearance.
- To steal another person’s identity.
Two main types of HTML injection attack:
- Reflected HTML Injection: Malicious HTML code is not being permanently stored on the webserver. It occurs when the website immediately responds to the malicious input.
- Stored HTML Injection: The attack occurs when malicious HTML code is saved in the web server and is being executed every time when the user calls an appropriate functionality.
Proof of Concept:
There was a contact us/registration page on the application, after submitting the details an email was sent to the user/application owner. HTML injection in E-mail was found while analyzing the application behavior.
Following are the steps:
- Open the contact us Page of the application, enter your email id and name. In the Name parameter/comment, Inject HTML Injection payload.
<a href=”uat-v4nodexpert.successive.work”><h1>Please click here to get Rs1000 cashback directly to your account<h1></a>
- A new email is sent to the user/application owner, where the payload is successfully executed.
Impact of HTML Injection
Some possible attack scenario is demonstrated below:
- It can allow an attacker to modify the displayed information or it can change the page.
- This will help in stealing another person’s identity.
- Attacker discovers injection vulnerability and decides to use an HTML injection attack.
- Attacker crafts malicious links by including his injected HTML content, and sends it to a user via email or digital medium.
- The user visits the page.
- The attacker’s injected HTML is rendered and presented to the user asking for a username and password or any other field.
- The user enters a username and password, which are both sent to the attacker’s server due to which he/she can suffer an identity theft.
Mitigation of HTML Injection
The attack occurs due to the developer’s negligence and lack of knowledge. Also, this type of attack occurs due to the non-validation of the input and output, therefore it is important to have data validation in place to prevent such attacks.
- Input sanitization, Enforce Zero trust policy on user inputs
- Every input should be checked if it contains any script code or any HTML code like this <script></script>, <html></html> then system show a validation error message.
- There are many functions for checking whether the code contains any special brackets and the selection of checking function depends on the programming language that user is using.
- Enforce input validation on both front end and back end don’t reply on front end only.