Monday, 23 April 2018

HTML INJECTION ATTACK

HTML INJECTION ATTACK


INTRODUCTION:

HTML injection is an attack which occurs in web applications that allows users to insert an HTML tag attributes via using any specific parameters like,  <h>, </h1>, <td>, <tr>, <a href> tags are used as one of the sources to perform this HTML based injection attack.
These strategies provided with untrusted input, at that point there is a high risk of XSS, specifically an HTML injection one. If strings not sanitised efficiently, the issue could prompt XSS based HTML injection. This HTML injection could lead the attacker to modify the web content easily.

POSSIBLE ATTACK SCENARIO:

In this way, how we can perform an HTML injection attack using the following steps,
  •  In this beginning process, an attacker can find the injection flaw and try to make an HTML injection attack.
  • Attacker crafts the malicious links, including his infected HTML injection code and sends it to a client through an email
  • When the client visits the web page because of the page located within a trusted domain
  • The attacker can inject an HTML code is rendered and presented to the client requesting valid credentials like username and password
  • The client enters a username and password, which are both sent to the attacker server.
HTML injection attack also have two different types, there are
  • stored HTML injection attack
  • Reflected HTML injection attack

STORED HTML INJECTION ATTACK

In this stored HTML is also known as persistence (always stored in the backend database), the attacker can give the credentials inserting in the web server it can be stored in permanently, and the application server gives out it to the user when the user visits the targeted website. Here I have to give a sample HTML code for the stored HTML injection.
When the client clicks the payload, it gets redirected to the official part of the website; the injected HTML code will get executed by the browser.

REFLECTED HTML INJECTION

The reflected HTML is known as Non-persistence (It does not store in the backend database, it will get immediately indicated). Whenever the backend server processes any HTML input without proper sanitisation and validation of the given HTML input,  it will lead to HTML injection in the web application.

Here I have to give the input like <h>you are hacked</h>, and it will reflect as ‘you are hacked “ class=” colourbox” title=” help me with page”>

MITIGATION FOR HTML INJECTION:

Here we used parameterised queries to block unwanted scripts for the HTML injection using special characters like <, >, “, ‘, %, &, / to appropriately sanitised in the given input fields. The favoured choice is to utilise a protected API which stays away from the utilisation of the translator entirely or provides a parameterised interface. Be careful of APIs, for example, put away methods, are parameterised.
If a parameterised API isn’t accessible, you should carefully escape unique characters utilising the appropriate escape grammar for that translator.

CONCLUSION:

HTML injection is similar to cross-site scripting vulnerability (XSS), which affects the client side. So, HTML injection can exploit in the same way as that of cross-site scripting which includes adding HTML data to the web application, temporary defacement of website etc… hence it is necessary to prevent web applications from HTML injection.

AUTHOR

Aravindan S
Security Engineer
BriskinfoSec Technology and Consulting  Pvt Ltd.,
https://www.linkedin.com/in/aravindhan-s-90b98787/

No comments:

Post a Comment