To get a better understanding of HTML Injection, firstly we should know what HTML is?
HTML is a markup language, where all the website’s elements are written in the tags. Web pages are sent to the browser in the form of HTML documents.
What is HTML Injection?
This injection attack is injecting HTML code through the vulnerable parts of the website. The Malicious user sends HTML code through any vulnerable field with the purpose to change the website’s design or any information that is displayed to the user. As a result, the user may see the data that was sent by the malicious user. Therefore, in general, HTML Injection is just the injection of markup language code to the document of the page.
Types of HTML Injection
- Stored HTML Injection
- Reflected HTML Injection
#1) Stored HTML Injection: stored injection attack occurs when malicious HTML code is saved in the web server and is being executed every time the user calls an appropriate functionality.
#2) Reflected HTML Injection: In the reflected injection attack case, malicious HTML code is not being permanently stored on the webserver. Reflected Injection occurs when the website immediately responds to the malicious input.
This can be again divided into more types:
- Reflected GET
- Reflected POST
- Reflected URL
For Example, I check the source code for the inquiry form on the Devshala site and find what method is being used for it, then the appropriate HTML Injection method can be selected accordingly.
How is HTML Injection Performed?
In this type of attack malicious user targets vulnerable parts of the website. Vulnerable parts of the website may be data input fields and the website’s link. The malicious HTML code can get into the source code by innerHTML. Let’s remember, that innerHTML is the property of DOM documents and with innerHTML, we can write dynamic HTML code. It is used mostly for data input fields like comment fields, questionnaire forms, registration forms, etc. Therefore those elements are most vulnerable to HTML attack.
Suppose, we have a questionnaire form, where we are filling in appropriate answers and our names. And when the questionnaire is completed, an acknowledgment message is being displayed. In the acknowledgment message, the indicated user‘s name is also being displayed.
The message may look as shown below:
How to Test against HTML Injection?
When testing manually if an HTML Injection is possible, then simple HTML code could be entered — For Example, to check if the text would be displayed. There is no point to test with a very complicated HTML code, the simple code may be enough to check if it is being displayed.
For Example, it may be simple tags with text: <h1>HTML Injection testing</h1>
If HTML code being saved somewhere is displayed, then the tester can be sure, that this injection attack is possible. We can also find some online scanning tools, where you only have to provide the website’s link, and scanning against HTML attacks will be performed.
How to Prevent HTML Injection?
This type of injection attack occurs when the input and output are not properly validated. Therefore the main rule to prevent HTML attacks is appropriate data validation.
Every input should be checked if it contains any script code or any HTML code. Usually it is being checked, if the code contains any special script or HTML brackets — <script></script>, <html></html>
Comparison with other Attacks
As we have analyzed, with this type of Injection the whole design of your website may be destroyed or even the user’s login data may be stolen. Therefore it is highly recommended to include HTML Injection in security testing.
Originally published at https://www.devstringx.com on May 18, 2019