
How to realize HTML injection

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces the basics of "how HTML injection is carried out". In practice many people run into this kind of problem, so the editor will walk you through how to recognise and deal with it. I hope you read it carefully and get something out of it!

What is HTML?

HTML stands for Hypertext Markup Language. It is a markup language made up of a series of tags; through these tags the format of documents on the network can be unified, and scattered Internet resources can be linked into a logical whole. An HTML document is descriptive text composed of HTML commands, which can describe text, graphics, animation, sound, tables, links, and so on. HTML is used to design web pages that contain "hypertext" (text within text that acts as a hyperlink) and a combination of elements that wrap data items for display in the browser.

So what are these elements?

"An element is any piece of content on an HTML page; that is, it consists of a start tag, an end tag, and the text content in between."

1. HTML tag

HTML tags mark fragments of content such as "heading", "paragraph", "form", and so on. A tag is enclosed in angle brackets, and a slash before the tag name indicates an end tag; most tags are used in pairs to mark the beginning and end of their effect. Browsers do not display these HTML tags; they interpret them to render the content of the web page.

2. HTML attribute

Hypertext Markup Language defines element content of several data types, such as script data and stylesheet data, and attribute values of many types, including ID, name, URI, number, length unit, language, media descriptor, colour, character encoding, date and time, and so on. All of these data types are specialised character data.

In the example image, "href" is the "attribute name" and "http://hackingarticles" is the "attribute value".

Now that we understand the basic HTML terminology, let's take a look at the "HTML element flowchart" and then further try to implement them all to create a simple Web page.

3. Basic HTML page:

Every web page on the Internet is an HTML file. These files are simply plain text files with the extension ".html" that are saved and then opened and rendered by a web browser.

So let's try to create a simple web page in notepad and save it as hack.html:

Let's open the "hack.html" file in the browser and see what happens.

We have successfully designed our first web page. But how do these tags work for us? Let's take a look at them:

Tag: description

<html> ... </html>: indicates that the file is written in Hypertext Markup Language. <html> is the beginning of the file and </html> marks its end; they are the opening and closing tags of an HTML file.

<body> ... </body>: the actual content displayed in the web page is placed between the two body tags. Body tags are also known as entity tags.

<br>: this tag is empty; it simply inserts a line break.

<h1> to <h6>: used to set heading text on the page; the text is displayed in bold.

<p>: the beginning of a paragraph.

</p>: the end mark of a paragraph.

<a>: defines an anchor. This helps us establish "hyperlinks". Anchors have two uses: to create a link to another document (through the href attribute) and to create a bookmark inside the document (through the name attribute).

I think you now know "what HTML is and what it is used for" and "how we build a page with it". So let's try to identify the main vulnerability and see how an attacker can inject arbitrary HTML code into a vulnerable web page to modify its hosted content.

Brief introduction of HTML injection

HTML injection is one of the simplest and most common vulnerabilities. It occurs when a web page neither sanitises user-supplied input nor encodes its output, so that an attacker can craft a payload and inject HTML code into the application through a vulnerable field, thereby modifying the content of the web page or even obtaining sensitive data.

Let's take a look at this scenario and see how this HTML injection attack is performed:

Suppose a web application has an HTML injection vulnerability and does not validate its input. An attacker takes advantage of this to inject a malicious "HTML login form" disguised as a "free movie ticket" offer, to induce victims to submit their credentials.

When the victim browses that web page, he finds the "free movie tickets" option; when he clicks on it he sees what looks like the application's login screen, but it is just an "HTML form" crafted by the attacker. So once he enters his credentials, the attacker captures them and the victim's data is disclosed.

Effect of HTML injection

When the input fields of a web page are not sanitised correctly, this HTML injection vulnerability can sometimes lead to cross-site scripting (XSS) or server-side request forgery (SSRF) attacks. As a result, the vulnerability has a severity level of "medium" and a CVSS score of 5.3, and is classified as follows:

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page.

CWE-79: Improper Neutralization of Input During Web Page Generation (cross-site scripting).

HTML injection vs. XSS

While performing this attack, there is a chance that we encounter an XSS attack instead of an HTML injection, because HTML injection is very similar to cross-site scripting. But if we look closely at the relationship between the two, we find that in an XSS attack the attacker can inject and execute JavaScript code, whereas in HTML injection the attacker is limited to using certain HTML tags to deface the web page.

Now, let's take a closer look at the different HTML injection attacks and see how each one defaces the web page and captures the victim's credentials.

Stored HTML

With this vulnerability, the injected malicious markup is permanently stored on the web application server; whenever a user visits the injected web page, the server sends it back to the user. When the client views the payload, which appears to be an official part of the website, the injected HTML code is rendered by the browser.

The most common example of stored HTML is the "comment" option on a blog, which lets any user leave feedback in the form of a comment for the administrator or other users.

Now, let's try to exploit this stored HTML vulnerability and obtain some credentials.

Exploiting Stored HTML

I opened the target IP in my browser and logged into bWAPP as bee:bug. Then I set the "Choose Your Bug" option to "HTML Injection - Stored (Blog)" and clicked the Hack button.

We are now redirected to the web page that has the HTML injection vulnerability; it allows users to submit entries to the blog, as shown in the screenshot.

First, we submit a normal user entry, "Hacking Articles", as "bee" to confirm that the input is stored in the web server's database and shown in the entry field.

Now, let's try to inject our malicious payload, which creates a fake user login form on the target page and forwards the captured request to our IP.

Enter the following HTML code in the given text area to set up the HTML attack.

As you can see from the picture below, when I click the "Submit" button, a new login form is displayed on the page. The login form is now stored on the application's web server, and whenever a victim visits the page, the form is rendered and, from his point of view, looks official.

Now let's start a netcat listener on port 4444 to capture the victim's request.

This requires patience: we wait until the victim opens this page in his browser and enters his credentials.

From the image above, you can see that the user "Raj" opened the web page and tried to log in as raj:123.

So let's go back to the listener and check whether the credentials were captured.

As you can see from the following figure, we have successfully obtained the credentials.

Reflected HTML

Reflected HTML (also known as "non-persistent") occurs when the web application responds to the user's input immediately, without validating it, which lets an attacker inject browser-rendered code into a single HTML response. Because the malicious markup is not stored on the web server, the attacker needs to deliver a malicious link, for example through phishing, to trap users.

This vulnerability is easy to find in a site's search function: the attacker types some arbitrary HTML code into the search box, and if the site is vulnerable, the resulting page returns those HTML elements in its response.

Basically, there are three types of reflection HTML:

Reflected HTML GET

Reflected HTML POST

Reflected HTML Current URL

Before we exploit reflected HTML, recall that with the GET method we request data from a specific resource, while the POST method is used to send data to the server to create or update a resource.

Reflected HTML GET

Here, we create a web page so that the user can submit "feedback" with his "name".

So when the user "Raj Chandel" submits his feedback as "Good", a message says: "Thank you, Raj Chandel, for your valuable time."

This immediate response, and the "name/value" pair in the URL, show that the page may be vulnerable to HTML injection and that the data is requested through the GET method.

So now let's try to inject some HTML code into this form to confirm it. Type the following script in the name field:

And set the feedback to good.

You can see from the picture below that the user's name "Raj Chandel" has been rendered as a heading in the response message.

To see why, let's take a look at the following code snippet.

To reflect the message on the screen, the developer did not set any input validation: he simply "echoes" the thank-you message together with the $_GET variable that holds the submitted name.
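As an added illustration (this is not the page's own PHP, which appears only as a screenshot), here is the reflected "thank you" handler rebuilt in Python. The vulnerable version echoes the name parameter exactly as the text describes; the fixed version escapes it at the output point. The query strings and the message template are constructed for this example, and start_tags() is a small checker showing what an HTML parser would treat as markup in each response.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Added example, not the page's PHP: the reflected "thank you" page that
# echoes the submitted name. The query strings and the message template
# below are constructed for this example.

MESSAGE = "<p>Thank you, {name}, for your valuable time.</p>"


def _name_from(query_string: str) -> str:
    """Extract the 'name' parameter the way the server would (single URL decode)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_thanks_vulnerable(query_string: str) -> str:
    """Mirrors the page's echo of $_GET['name']: no output encoding at all."""
    return MESSAGE.format(name=_name_from(query_string))


def render_thanks_safe(query_string: str) -> str:
    """Same page, with the name HTML-escaped at the point of output.

    html.escape converts < > & " ' into entities, so any markup the user
    typed is displayed as text instead of being parsed by the browser.
    """
    return MESSAGE.format(name=html.escape(_name_from(query_string), quote=True))


class _StartTagCollector(HTMLParser):
    """Collects start tags, i.e. what a browser would parse as markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list[str]:
    """Return the start tags an HTML parser sees in a rendered fragment.

    For the template alone this is ['p']; anything beyond that came from
    user input and indicates injection.
    """
    parser = _StartTagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    # Constructed request: the name parameter carries a heading tag.
    injected = "name=%3Ch1%3ERaj%3C%2Fh1%3E&feedback=good"
    for render in (render_thanks_vulnerable, render_thanks_safe):
        out = render(injected)
        print(render.__name__, "->", out, "| tags:", start_tags(out))
```

The escaping has to happen where the value is written into the HTML, not where it is read: the same name may later be placed in an attribute or in a script block, and each of those contexts needs its own encoding.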

"Sometimes developers add validation to the input field so that our HTML code is echoed back to the screen as text, without being rendered."

As you can see from the following figure, when I tried to submit the HTML code in the name field, it was reflected as plain text:

So has the vulnerability been fixed?

Let's check with our assistant Burp Suite: capture the request and send it directly to the "Repeater" tab.

In the "Repeater" tab, when I click the "Go" button to check the generated response, I find that my HTML characters have been converted into HTML entities, like this:

So I took the complete HTML code

<a href="http://hackingarticles.in"><h3>Raj</h3></a>

and pasted all of it into the Decoder tab. In the panel on the right, I clicked "Encode as" and selected URL.

After getting the encoded output, we encode it once more with "Encode as" URL to obtain the double-URL-encoded form.

Now let's copy the complete double-encoded string and paste it into the "name=" field of the request in the Repeater tab.

Click the Go button to check the response it generates.

As you can see from the following figure, we have successfully manipulated the response.

Now make the same change in the Proxy tab and click the Forward button. As you can see from the following figure, we also defaced this page despite its validation.

Let's examine the code snippet to see where the developer validates the input:

As you can see from the picture below, the developer here has written a "hack" function for the data variable, and even he will

From the picture below, you can see that the developer applied the hack function to the name field.
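The bypass shown above works because of ordering: the server has already URL-decoded the parameter once by the time the "hack" function sees it, and the page then decodes it a second time after validation. The following added example (not bWAPP's code) reconstructs that ordering in Python with a stand-in filter, shows the fixed ordering, and adds a check that a defender can apply to request logs to spot values that arrived double-encoded. All inputs are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Added example, not bWAPP's code. The page's "hack" function is shown only
# as a screenshot; strip_angle_brackets below is a stand-in that converts
# < and > to entities, which is the behaviour the text describes.


def strip_angle_brackets(value: str) -> str:
    """Stand-in for the page's 'hack' validation: entity-encode < and >."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def reflect_validate_then_decode(param: str) -> str:
    """Vulnerable ordering.

    `param` is the value as the web server hands it to the script, i.e.
    already URL-decoded once (what PHP's $_GET holds). The handler validates
    it and only afterwards calls urldecode() again, so a second layer of
    encoding slips past the validation and is unwrapped on output.
    """
    checked = strip_angle_brackets(param)
    return unquote(checked)  # the second decode happens AFTER validation


def reflect_decode_then_escape(param: str) -> str:
    """Fixed ordering: finish every decode step first, then escape at output."""
    canonical = unquote(param)
    return html.escape(canonical, quote=True)


def looks_double_encoded(param: str) -> bool:
    """Detection check for request logs or a WAF rule.

    After the server's single decode, a value that still contains %XX
    sequences was encoded at least twice. Ordinary form input rarely
    contains literal percent-escapes, so this is a useful, if imperfect,
    signal worth alerting on.
    """
    return re.search(r"%[0-9A-Fa-f]{2}", param) is not None


if __name__ == "__main__":
    # Single-encoded on the wire (%3Ch1%3E...) arrives as <h1>Raj</h1>
    # in $_GET, and the validation neutralises it.
    single = "<h1>Raj</h1>"
    # Double-encoded on the wire (%253Ch1%253E...): the server's one decode
    # leaves %3Ch1%3E..., which contains no < or > for the filter to catch.
    double = "%3Ch1%3ERaj%3C%2Fh1%3E"
    for value in (single, double):
        print(repr(value),
              "| vulnerable:", reflect_validate_then_decode(value),
              "| fixed:", reflect_decode_then_escape(value),
              "| double-encoded?", looks_double_encoded(value))
```

Two points follow from this. If the application has no reason to decode the value a second time, the extra urldecode() should simply be removed; and whichever decoding the application does need must be completed before any validation or escaping, so that the filter sees the same bytes the browser eventually will.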

Reflected HTML POST

Similar to the GET page, the "Name" and "Feedback" fields here are also vulnerable, but because the POST method is used, the form data is not displayed in the URL.

Let's try to deface this page again, but this time we will add an image instead of static text.

From the following figure, you can see that the "Ignite Technologies logo" has been placed at the top of the screen; an attacker could just as well insert other media such as video, audio, or a GIF here.

Reflected HTML Current URL

If a web page has no input fields, can the web application still be vulnerable to HTML injection?

Yes. You don't need an input field such as a comment box or a search box: some applications display the current URL on their web pages, and they can be attacked by HTML injection because in that case the URL itself acts as the input field.

From the image above, you can see that the current URL is displayed as "http://192.168.0.16/hack/html_URL.php" on the web page. So let's seize the opportunity and see what we can get.

Fire up Burp Suite and capture the ongoing HTTP request.

Now let's modify this request as follows:

Click the Forward button and check the result in the browser.

From the picture below, you can see that we have successfully defaced the website simply by injecting the HTML code we want into the web application's URL.

Let's take a look at its code and see how the developer puts the current URL on the screen.

Here, the developer uses the PHP superglobal $_SERVER to capture the current page URL: he takes the hostname from "HTTP_HOST" and the requested resource path from "REQUEST_URI" and concatenates them into the $url variable.

In the HTML section, he simply echoes the $url variable, without any validation, to display the message with the URL.
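Both pieces the developer concatenates come from the client's request, so the fix has two parts: rebuild the URL from values the application controls or re-encodes, and still escape it at the output point. The following added example (not the page's PHP) shows the vulnerable concatenation and the hardened version in Python; ALLOWED_HOSTS, the template and the request inputs are constructed for the example, with the IP taken from the page.

```python
import html
from urllib.parse import quote, urlsplit, urlunsplit

# Added example, not the page's PHP. The page's handler builds
# "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] and echoes it;
# both values originate from the client's request. ALLOWED_HOSTS, DEFAULT_HOST
# and TEMPLATE are constructed for this example.

ALLOWED_HOSTS = {"192.168.0.16"}
DEFAULT_HOST = "192.168.0.16"
TEMPLATE = "<p>The current URL is: {url}</p>"


def current_url_vulnerable(http_host: str, request_uri: str) -> str:
    """Concatenate and echo, exactly as the text describes: no validation."""
    return TEMPLATE.format(url="http://" + http_host + request_uri)


def canonical_url(http_host: str, request_uri: str) -> str:
    """Rebuild the URL from parts the application controls or re-encodes."""
    # 1. Never trust the Host header for anything displayed or linked: use it
    #    only if it is one of the application's configured hostnames.
    host = http_host if http_host in ALLOWED_HOSTS else DEFAULT_HOST
    # 2. Re-percent-encode the path and query so characters such as < > "
    #    cannot survive into the page, whatever the client sent.
    parts = urlsplit(request_uri)
    path = quote(parts.path, safe="/")
    query = quote(parts.query, safe="=&")
    return urlunsplit(("http", host, path, query, ""))


def current_url_safe(http_host: str, request_uri: str) -> str:
    """Canonicalise, then still HTML-escape at the output point (defence in depth)."""
    url = canonical_url(http_host, request_uri)
    return TEMPLATE.format(url=html.escape(url, quote=True))


if __name__ == "__main__":
    uri = "/hack/html_URL.php/<h1>Raj</h1>"
    print(current_url_vulnerable("192.168.0.16", uri))
    print(current_url_safe("192.168.0.16", uri))
    # A spoofed Host header is replaced by the configured host.
    print(current_url_safe("evil.example", "/hack/html_URL.php"))
```

Re-encoding the path also removes the separate problem of a browser that sends unencoded characters in the request line; the page shows the same markup the server actually received, just rendered as text.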

Mitigation measures

The developer should write the HTML-generating code so that it filters metacharacters out of user input.

Developers should implement functions that validate user input so that it cannot contain tags that would deface the page.

This is the end of "how to implement HTML injection". Thank you for reading. If you want to learn more about the industry, you can follow the website; the editor will publish more high-quality practical articles for you!


© 2024 shulou.com SLNews company. All rights reserved.
