Text Injection

Text Injection

Overview of the Vulnerability

Content spoofing is a common attack where plaintext or HTML content is injected into a web page that can be rendered in a client. Due to this injection vulnerability in the application, users are often socially engineered to perform an action due to the inherent trust they have in the business and its brand.

Text injection in this application allows an attacker to insert any message into a web page that can trick users to navigate to another website, call a certain number, or start an email chain to a malicious address.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to navigate to: {{URL}}

3. Perform {{action}} and capture the request in the HTTP interception proxy

4. Insert/Append the following payload to {{parameter}}:

{{Payload}}

1. Forward or replay the following request to the endpoint:

{{request}}

Proof of Concept (PoC)

The screenshot(s) below demonstrates the text injection:

{{screenshot}}

Recommendation(s)

There is no single technique to protect from content spoofing. However, the following best practices should be adhered to:

Validate all input data, including that which is reflected by a request parameter Refrain from passing HTML data via request parameters. Properly encode the HTML before passing it through a request parameter if there is no other way. Refrain from displaying messages via request parameter. It is best practice to use temporary sessions instead.

For more information, please see:

• https://capec.mitre.org/data/definitions/148.html

• https://owasp.org/www-community/attacks/Content_Spoofing

• https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding