HTML Injection is a browser based attack. It had nothing to do with the server but it takes victim as the client.In this attack, the web application can be injected with malicious html code by the attacker, changing the outlook of the web application so as to gain confidential information from the user, using that website, then the injected malicious webpage can be sent by using email or social engineering means. It is one of the top most vulnerabilities of a web application. It is also used to carry out XSS attack.It’s same as XSS.
To illustrate how you can check a website for HTML Injection vulnerability, I used the following:
- Bwapp – a buggy web application
- VirtualBox – to run the buggy web application
- Mozilla Browser
- hackbar – for url encoding
If you are trying to attack a web application always go for mozilla, it provides a lot of handy plugins and it is nice to work with. This is the Reflected GET attack scenario in which the input is sent in the URL, not the body.
Let’s get to the real thing now:
Login to bwapp and select HTML Injection – low level
The above page will appear. We got two different fields here first name and last name. Let’s write something in those field to see where and what output we will get.
In the above screenshot you can see that the name that we have entered appeared on the page means it is reflecting back to us. In such scenario we go for HTML Injection/ Cross site scripting. You have to find the parameters in the website that takes user input, like search boxes, comment sections or like the one shown in bwapp.
Time to attack :
In the screenshot below, I have written html tags in the first name and last name field : <h1>Hacked by</h1> and <h1>Atomic Wraith</h1>
After I hit Go, below is the output I have obtained. Here, you can see the hacked by atomic wraith is reflected like the heading 1 of the webpage. Hence, this is how HTML Injection looks like. Now, think of the ways in which you can inject a form in it or an iframe which takes credentials from user. Now user will think its legit since the page is generated from the same domain and the form will look like any other legit form.
I am now changing the level to medium.
After changing the level to medium, this is what I get. When I injected <h1>Hacked by <h1> <h1>Atomic Wraith</h1> in the first name and last name field. It is taking the input as it is ans reflecting on to the page.
Whenever you see something like above happening, Always go see the Source of the page. Right Click and view source page.
When you see the code, it looks like the brackets are encoded to html entity and everything else is the way it is. But without bracket our code won’t be rendered by the browser. This particular technique is called html entity encoding. It is one of the techniques to filter the input from the user. The html entity encoding scheme renders the symbols into html entity so they rectify the HTML Injection Situation.
How to bypass?
There could be more than one way but the thing that worked for me is URL ENCODING.
In the hackbar, I have typed these to show you. I will be putting them in the first name and last name. Hackbar provide us with many encoding and decoding features.
Select the strings you want to encode and then go to encoding –> URL encode.
Once you do that and put them in first name and last name and hit Go…the injection will be executed!
The URL encoding, encode the symbols in URL into URL form.Since the injection code no longer contains any symbol or quotes like HTML language has, it will pass the HTML entity encode, Now browser is going to render the URL encode because that’s what browsers do and it will show you the vulnerability.
If you are checking any website for this attack, and even URL encoding doesn’t work then go for double URL encoding.
Also, if it still doesn’t bypass try to change the single quotes to (`)ticks. something like alert(`XSS`). This will be rendered as XSS alert by browser in some cases and it will produce the output that you want.