HTML Content Injection
HTML Content Injection
Overview of the Vulnerability
HTML content injection is a common attack where plaintext or HTML content is injected into a web page that can be rendered in a client. Due to this injection vulnerability in the application, users are often socially engineered to perform an action due to the inherent trust they have in the business and its brand. An attacker to social engineer users to navigate to another website and have them enter information, such as their user credentials.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust.
Steps to Reproduce
Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
Perform {{action}} and capture the request in the HTTP interception proxy
Insert {{payload}} in {{parameter}} and forward or replay the following request to the endpoint:
{{request}}Proof of Concept (PoC)
The following screenshot(s) demonstrate(s) this vulnerability:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how to access the vulnerable injection point, and how to exploit the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature.
Attempt to escalate the HTML content injection. If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
There is no single technique to protect from HTML content injection. However, the following best practices should be adhered to:
Validate all input data, including that which is reflected by a request parameter
Refrain from passing HTML data via request parameters. Properly encode the HTML before passing it through a request parameter if there is no other way.
Refrain from displaying messages via request parameter. It is best practice to use temporary sessions instead.
For more information, please see:
Last updated