Beginner Guide to HTML Injection

From W3schools

HTML is the standard HyperText Markup Language which uses for designing Web pages

  • HTML describes the structure of Web pages using markup.
  • HTML elements are the building blocks of HTML pages.
  • HTML elements are represented by tags.
  • HTML tags label pieces of content such as “heading”, “paragraph”, “table”, and so on.
  • Browsers do not show the HTML tags but utilize them to submit the content of the page.

HTML Tags

HTML tags are element names surrounded by angle brackets. Their two types of tag starting also known as opening tag and end tag also known as a closing tag.

HTML Elements

An HTML element usually consists of a start tag and end tag, with the content inserted in between:

HTML Attributes

Attributes provide additional information about HTML elements. Attributes generally come in form of name/value pairs like: name=”value”

Create a web page using HTML

Generally “Notepad” is useful for writing HTML code and save the text file with a .html/.htm extension for example “test.html” then open the saved file using any web browser.

To create a simple web page type following code inside notepad and save test.html

When you will open test.html in a web browser you will see given below image.

  • The <!DOCTYPE html> declaration defines this document to be HTML5
  • The <html> element is the root element of an HTML page
  • The <head> element contains meta information about the document
  • The <title> element specifies a title for the document
  • The <body> element contains the visible page content; have the bgcolor attribute as “pink”
  • The <br>element defines break line/next line
  • The <h1> element defines a large heading
  • The <p> element defines a paragraph

HTML Versions

Since the early days of the web, there have been many versions of HTML:

Version Year
HTML 1991
HTML 2.0 1995
HTML 3.2 1997
HTML 4.01 1999
XHTML 2000
HTML5 2014

To learn more about HTML visit to w3schools.com

HTML injection

HTML injection is the vulnerability inside any website that occurs when the user input is not correctly sanitized or the output is not encoded and the attacker is able to inject valid HTML code into a vulnerable web page. There are so many techniques which could use element and attributes to submit HTML content.

If these methods are provided with untrusted input, then there is a high risk of XSS, specifically an HTML injection one. If strings are not correctly sanitized the problem could lead to XSS based HTML injection.

This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

Their two types of html injection as following:

  • Stored HTML
  • Reflected HTML

Stored HTML

A stored HTML also was known as Persistence because through this vulnerability the injected malicious script get permanently stored inside the web-server and the application server give out it back to the user when he visits the respective website. Hence when the client will click on payload which appears as an official part of the website, the injected HTML code will get executed by the browser. The most common example is comment option on blogs, which allow the users to POST their comment for the administrator or another user.

Example:

An example of a web application vulnerable to stored HTML injection which allows users to submit their entry in the blog as shown in the screenshot.

Firstly user “raj” had made a normal entry as an attacker which is successfully added in the web server database.

Enter following html code inside the given text area for making HTML attack.  

Above HTML code will generate a payload to create a user login page on a targeted web page and forward that credential to attacker’s IP.

You can see given below login page looks valid to the user and get stored inside the web server.

Now when the victim will open the malicious login page he will receive above web page which looks official to him and he will submit his credential in that page. As he will do so the request will be forward on attacker IP address.

The attacker will receive users credential as a response on netcat. From the screenshot, you can read username=bee & password=bug

Now attacker will use these credential for login.

Reflected HTML

The reflected HTML. HTML is also known as Non-Persistence is occurred when the web application responds immediately on user’s input without validating the inputs this lead an attacker to inject browser executable code inside the single HTML response. It’s named as “non-persistent” since the malicious script does not get stored inside the web server, therefore attacker will send the malicious link through phishing to trap the user.

 The most common applying of this kind of vulnerability is in Search engines in the website: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.

 Example:

Following web page allow a user to submit his first and last name but these text fields are vulnerable to HTML injection.

Now type following html code in the text field given for the first name which creates a link for hackingarticles.in when you click on “RAJ”

Similarly type following code in the given text field for the last name:

Click on Go tab to execute this as first and last name.

From given screenshot, you can see it has submitted RAJ CHANDEL and the word “RAJ” contains a link for hackingarticles.in when you will click on the link it will forward to hackingarticles.in

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *