HTML Injection Tutorial: Types & Prevention With Examples
HTML is a markup language in which all of a website’s elements are written as tags. It is used mainly for creating websites. Web pages are sent to the browser as HTML documents, which the browser then renders into the pages that end users see.
This tutorial gives a complete overview of HTML Injection, its types and preventive measures, along with practical examples explained in simple terms.
What is HTML Injection?
The essence of this type of injection attack is injecting HTML code through the vulnerable parts of a website. The malicious user sends HTML code through any vulnerable field with the aim of changing the website’s design or the information that is displayed to the user.
As a result, the user may see data that was sent by the malicious user. In general, therefore, HTML Injection is simply the injection of markup language code into the page’s document.
The data sent during this type of injection attack can vary a great deal. It can be a few HTML tags that merely display the sent information, or it can be an entire fake form or page. When this attack occurs, the browser usually interprets the malicious user’s data as legitimate and displays it.
Changing a website’s appearance is not the only risk this type of attack brings. It is quite similar to an XSS attack, in which the malicious user steals another person’s identity; therefore identity theft may also occur during this injection attack.
Types of HTML Injection:
This attack does not seem very difficult to understand or to perform, as HTML is considered a fairly simple language. However, there are different ways to perform this type of attack, and we can distinguish different types of this injection.
Firstly, the different types may be sorted by the risks that they bring.
As mentioned, this injection attack can be performed with two different purposes:
- To change the displayed website’s appearance.
- To steal another person’s identity.
Also, this injection attack can be performed through different parts of the website, i.e. data input fields and the website’s link.
However, the main types are:
- Stored HTML Injection
- Reflected HTML Injection
#1) Stored HTML Injection:
The main difference between the two injection types is that a stored injection attack occurs when malicious HTML code is saved on the web server and is executed every time a user calls the affected functionality.
In a reflected injection attack, by contrast, the malicious HTML code is not permanently stored on the web server. Reflected injection occurs when the website immediately responds to the malicious input.
#2) Reflected HTML Injection:
This can be further divided into more types:
- Reflected GET
- Reflected POST
- Reflected URL
A reflected injection attack can be performed differently depending on the HTTP method, i.e. GET or POST. As a reminder, with the POST method data is sent and with the GET method data is requested.
To know which method is used for a particular website element, we can check the page’s source.
How is HTML Injection Performed?
To perform this type of injection, the malicious user must first find vulnerable parts of the website. As mentioned, the vulnerable parts of a website may be data input fields and the website’s link.
Malicious HTML code can get into the page through innerHTML. Recall that innerHTML is a property of the DOM and that, with innerHTML, we can write dynamic HTML code. It is used mostly for data input fields such as comment fields, questionnaire forms, registration forms, etc. Those elements are therefore the most vulnerable to an HTML attack.
Suppose we have a questionnaire form in which we fill in the appropriate answers and our name. When the questionnaire is completed, an acknowledgment message is displayed, and the name the user entered is shown in that message.
How to Test Against HTML Injection?
When starting to test for a possible injection attack, a tester should first list all the potentially vulnerable parts of the website.
As a reminder, these may be:
- All data input fields
- Website’s link
Then manual tests can be performed.
When testing manually whether an HTML Injection is possible, simple HTML code can be entered, for example to check whether the text is displayed. There is no point in testing with very complicated HTML code; simple code is enough to check whether it is being rendered.
For example, it may be a simple tag with text:
<h1>HTML Injection testing</h1>
or a search form, if you would like to test with something more complicated:
<form method="post" action="index.html">
  <p><input type="text" name="search" value="" placeholder="Search text"></p>
  <p class="search_text">
    <label>
      <input type="checkbox" name="search_text" id="search_text">
      Type text to search
    </label>
  </p>
  <p class="submit"><input type="submit" name="commit" value="Search"></p>
</form>
If the saved HTML code is displayed as markup, then the tester can be sure that this injection attack is possible. More complicated code may then be tried, for example to display a fake login form.
Another option is an HTML Injection scanner. Scanning automatically for this attack may save a lot of time. Note, however, that there are not many tools for HTML Injection testing compared with other attacks.
One possible solution is the WAS application. WAS can be considered a fairly strong vulnerability scanner, as it tests with different inputs and does not stop at the first failure.
The browser plugin “Tamper Data” is also helpful for testing: it captures the data being sent, allows the tester to change it, and then sends it on.
There are also online scanning tools where you only have to provide the website’s link and a scan for HTML attacks is performed. When the scan is completed, a summary is displayed.
When selecting a scanning tool, we have to pay attention to how it analyzes the results and whether it is accurate enough.
However, it should be kept in mind that manual testing should not be forgotten. That way we can be sure exactly which inputs are tried and exactly what results we get, and it is also easier to analyze the results.
From my experience in a software testing career, I would like to comment that for both testing approaches we should have good knowledge of this type of injection. Otherwise, it would be difficult to select an appropriate automation tool and analyze its results. Also, it is always recommended not to forget to test manually, as it simply makes us more sure about the quality.
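The manual check described above, turned into a small helper (an added example, not code from the original tutorial): it submits the tutorial's `<h1>` probe with a unique token and classifies how the page reflected it. Function names and the sample responses are constructed for this example.

```javascript
// Added example (not from the original tutorial): classify how a page
// reflected the simple manual probe. Names and sample responses are
// constructed for illustration.

// The tutorial's probe, with a token so the match cannot be confused
// with text that was already on the page.
function buildProbe(token) {
  return "<h1>HTML Injection testing " + token + "</h1>";
}

// Minimal HTML encoder, used only to compute what a correctly encoded
// reflection of the probe would look like.
function encodeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// "vulnerable": probe came back as live markup (injection possible)
// "encoded":    probe came back as harmless escaped text
// "altered":    token present but tags removed or changed (filtered)
// "not-reflected": the input does not appear in the response at all
function classifyReflection(responseBody, token) {
  const probe = buildProbe(token);
  if (responseBody.includes(probe)) return "vulnerable";
  if (responseBody.includes(encodeHtml(probe))) return "encoded";
  if (responseBody.includes(token)) return "altered";
  return "not-reflected";
}

// Constructed sample responses standing in for a questionnaire page.
const TOKEN = "probe-7f3a";
const SAMPLE_RESPONSES = {
  vulnerable: "<p>Thank you, <h1>HTML Injection testing probe-7f3a</h1>!</p>",
  encoded: "<p>Thank you, &lt;h1&gt;HTML Injection testing probe-7f3a&lt;/h1&gt;!</p>",
  stripped: "<p>Thank you, HTML Injection testing probe-7f3a!</p>",
  silent: "<p>Thank you for completing the questionnaire.</p>",
};

for (const [label, body] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(label, "->", classifyReflection(body, TOKEN));
}
```

Only the "vulnerable" result confirms the injection; an "altered" result means a filter exists and the tester should analyze the response by hand before drawing conclusions.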
How to Prevent HTML Injection?
There is no doubt that the main reason for this attack is the developer’s inattention and lack of knowledge. This type of injection attack occurs when input and output are not properly validated. Therefore the main rule for preventing an HTML attack is appropriate data validation.
Every input should be checked for script code or HTML code. Usually the check is whether the input contains any special script or HTML tags, such as <script></script> or <html></html>.
There are many functions for checking whether input contains such special brackets. The choice of checking function depends on the programming language that you are using.
It should be remembered that good security testing is also part of prevention. Because HTML Injection attacks are quite rare, there is less literature to learn from and fewer scanners to choose from for automated testing. However, this part of security testing really should not be skipped, as you never know when it may happen.
Also, both the developer and the tester should have a good knowledge of how this attack is performed. A good understanding of the attack process may help to prevent it.
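As an added example (not code from the original tutorial), here is the questionnaire acknowledgment message from the "How is HTML Injection Performed?" section built two ways, plus the kind of bracket check this section recommends. The function names (`renderAckUnsafe`, `renderAckSafe`, `nameLooksClean`) and the message text are assumptions made for this example.

```javascript
// Added example (not from the original tutorial). Names and message
// text are assumptions chosen for illustration.

// Encode the characters that are significant in an HTML text context so
// that user-supplied data can never open or close a tag. This is the
// output-side counterpart of the input validation the tutorial describes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the submitted name is concatenated straight into markup,
// which is exactly what assigning it to innerHTML unencoded amounts to.
function renderAckUnsafe(name) {
  return "<p>Thank you, " + name + "! Your answers were saved.</p>";
}

// Hardened: the same message with the name encoded for the HTML context.
function renderAckSafe(name) {
  return "<p>Thank you, " + escapeHtml(name) + "! Your answers were saved.</p>";
}

// Input check in the spirit of the prevention advice: reject names that
// contain HTML angle brackets. Output encoding (above) is still applied,
// because validation alone is easy to get wrong.
function nameLooksClean(name) {
  return !/[<>]/.test(name);
}

// Constructed sample: the tutorial's manual test payload used as a "name".
const probe = "<h1>HTML Injection testing</h1>";

console.log(renderAckUnsafe(probe)); // heading becomes part of the page
console.log(renderAckSafe(probe));   // tags are shown as literal text
console.log(nameLooksClean(probe));  // false: input would be rejected
```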