
Explanation
HTML injection is a type of injection attack very similar to XSS attacks. The injection method is identical, with the difference being that in an HTML injection attack, the injected content consists solely of HTML code.
While this vulnerability is less dangerous than XSS, it can still have significant consequences and be used for malicious purposes. For example, it can disclose user session cookies, which can be used for impersonating the victim, or allow an attacker to change the content of the page as viewed by the victims.
Like XSS attacks, HTML injection can be reflected or stored. In a reflected attack, the malicious HTML code is not permanently stored on the web server; the website immediately echoes the malicious input back in its response. In a stored attack, the malicious HTML code is saved on the web server and rendered every time a user performs the action that displays it.
This vulnerability occurs when user input is not properly validated and the output is not encoded. HTML injection allows an attacker to send a malicious HTML page to the victim. Since the victim’s browser cannot distinguish between legitimate and malicious parts, it executes all received content as legitimate.
A wide range of methods exist to deliver HTML content, but if these methods involve untrusted, unvalidated input, they pose risks of various attacks, including XSS and HTML injection. For instance, the innerHTML property sets or returns the HTML markup contained in an element. Misuse of this property, meaning the failure to validate untrusted input and encode the output, allows an attacker to inject malicious HTML code.
Below is an example of a vulnerable code snippet that receives unvalidated input to create dynamic HTML pages:
var userPosition = location.href.indexOf("user=");
var user = location.href.substring(userPosition + 5);
document.getElementById("Welcome").innerHTML = "Hello, " + user;
In this example, an input like the one below will add a tag to the page that executes arbitrary JavaScript code:
http://vulnerable.site/page.html?user=<img%20src='aaa'%20onerror=alert(1)>
The above input includes an img tag that adds an image to the page, but because the input is neither validated nor HTML-encoded, the tag's onerror handler executes JavaScript code written by the attacker within the HTML page.
Solution and Prevention
- Use parameterization and avoid directly placing user input into HTML pages and tags.
- Use a server-side whitelist to validate inputs.
- Employ escaping mechanisms for special HTML characters in user input.
- Utilize web application firewalls whenever possible.
- Configure firewalls to control outbound traffic.
- Use a generic error page to display errors.
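The following is an added example, not code from the original article, showing how the welcome-banner snippet above can be hardened with the first three measures listed: the query string is parsed with URL/URLSearchParams instead of indexOf/substring, the username is checked against an allowlist pattern, and the value is HTML-encoded before it is placed into markup. The allowlist pattern, the "guest" fallback and the function names are assumptions for this example; the functions return strings so the result can be inspected without a DOM.

```javascript
// Added example (not from the original article): hardened version of the
// article's "Hello, <user>" snippet. Returns strings so it runs in Node or a
// browser; setWelcome() shows the DOM side.

// The five characters that let untrusted text break out of an HTML text node
// or a quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: apply immediately before the value is placed into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation (allowlist): letters, digits, '_', '.' or '-', 1 to 32
// characters. The pattern is an assumption for this example.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function isValidUsername(value) {
  return USERNAME_RE.test(value);
}

// Parse the query string with URL/URLSearchParams instead of indexOf/substring,
// so percent-decoding is correct and a missing parameter does not yield garbage.
// "guest" is an assumed fallback when the parameter is absent.
function getUserParam(href) {
  const user = new URL(href).searchParams.get("user");
  return user === null ? "guest" : user;
}

// The article's pattern: raw concatenation of the parameter into the string
// that is assigned to innerHTML, so injected markup survives intact.
function renderWelcomeUnsafe(href) {
  return "Hello, " + getUserParam(href);
}

// Hardened: encode the value so the browser treats it as text, not markup.
// Combine with isValidUsername() to reject anything outside the allowlist.
function renderWelcomeSafe(href) {
  return "Hello, " + escapeHtml(getUserParam(href));
}

// DOM side: textContent stores the value as a text node and never parses it as
// HTML, so it is preferred over innerHTML whenever the value is plain text.
function setWelcome(element, href) {
  element.textContent = "Hello, " + getUserParam(href);
}
```

With the payload from the article, renderWelcomeUnsafe() returns the raw img tag while renderWelcomeSafe() returns its encoded form, and isValidUsername() rejects it outright.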