An In-depth look at HTML Injection:
To understand HTML Injection, we should first know what HTML is.
HTML is a markup language in which all of a website’s elements are written as tags. It is used mostly for creating websites. Web pages are sent to the browser as HTML documents, which the browser then renders into the page the end user sees.
This tutorial gives a complete overview of HTML Injection, its types and preventive measures, along with practical examples explained in simple terms.
What is HTML Injection?
The essence of this type of injection attack is injecting HTML code through the vulnerable parts of a website. The malicious user sends HTML code through any vulnerable field in order to change the website’s design or the information that is displayed to the user.
As a result, the user may see the data that was sent by the malicious user. In general, therefore, HTML Injection is simply the injection of markup language code into the document of the page.
The data sent during this type of injection attack may vary widely. It can be a few HTML tags that just display the sent information, or it can be a whole fake form or page. When this attack occurs, the browser usually interprets the malicious user’s data as legitimate and displays it.
Changing a website’s appearance is not the only risk that this type of attack brings. It is quite similar to an XSS attack, in which the malicious user steals other people’s identities. Therefore, stealing another person’s identity may also happen during this injection attack.
Types of HTML Injection
This attack does not seem very difficult to understand or to perform, as HTML is considered a fairly simple language. However, there are different ways to perform this type of attack, and we can distinguish different types of this injection.
Firstly, the different types may be sorted by the risks that they bring.
As mentioned, this injection attack can be performed with two different purposes:
- To change the displayed website’s appearance.
- To steal another person’s identity.
Also, this injection attack can be performed through different parts of the website, i.e. data input fields and the website’s link.
However, the main types are:
- Stored HTML Injection
- Reflected HTML Injection
#1) Stored HTML Injection:
The main difference between the two injection types is that a stored injection attack occurs when malicious HTML code is saved on the web server and is executed every time the user calls the corresponding functionality.
In the reflected injection attack case, however, the malicious HTML code is not permanently stored on the web server. Reflected injection occurs when the website immediately responds to the malicious input.
#2) Reflected HTML Injection:
This can be further divided into more types:
- Reflected GET
- Reflected POST
- Reflected URL
A reflected injection attack can be performed differently according to the HTTP method used, i.e. GET or POST. As a reminder, with the POST method data is sent and with the GET method data is requested.
To find out which method is used for a given website element, we can check the source of the page.
For example, a tester can check the source code of the login form and find out which method it uses. The appropriate HTML Injection method can then be selected accordingly.
Reflected GET injection occurs when our input is displayed (reflected) on the website. Suppose we have a simple page with a search form that is vulnerable to this attack. If we type any HTML code, it will appear on the website and at the same time be injected into the HTML document.
For example, we enter simple text with HTML tags:
Reflected POST HTML Injection is a little more difficult. It occurs when malicious HTML code is sent instead of the correct POST method parameters.
For example, we have a login form that is vulnerable to an HTML attack. Data typed into the login form is sent with the POST method. If we type HTML code instead of the correct parameters, it will be sent with the POST method and displayed on the website.
To perform a reflected POST HTML attack, it is recommended to use a special browser plugin that modifies the sent data. One of these is the Mozilla Firefox plugin “Tamper Data”. The plugin intercepts the sent data and allows the user to change it. The changed data is then sent and displayed on the website.
For example, if we use such a plugin, we would send the same HTML code <h1>Testing test</h1>, and it would be displayed the same way as in the previous example.
Reflected URL injection happens when HTML code is sent through the website’s URL, displayed on the website and at the same time injected into the website’s HTML document.
How is HTML Injection Performed?
In order to perform this type of injection, the malicious user first has to find the vulnerable parts of the website. As mentioned, the vulnerable parts of a website may be data input fields and the website’s link.
Malicious HTML code can get into the page source through innerHTML. Recall that innerHTML is a property of the DOM document, and with innerHTML we can write dynamic HTML code. It is mostly used for data input fields such as comment fields, questionnaire forms, registration forms, etc. Therefore those elements are the most vulnerable to an HTML attack.
Suppose we have a questionnaire form in which we fill in the appropriate answers and our name. When the questionnaire is completed, an acknowledgment message is displayed, and the user’s name is shown in it.
The message may look as shown below:
As we understand, Tester_name is the name entered by the user. Therefore, the code for this acknowledgment message may look like this:
document.getElementById("Thank you for filling our questionnaire").innerHTML = "Thank you for filling our questionnaire, " + user;
The demonstrated code is vulnerable to such an attack. If we type any HTML code into the questionnaire form, its message would be displayed on the acknowledgment page.
The same happens with comment fields. Suppose we have a comment form that is vulnerable to an HTML attack.
In the form, the user types their name and the comment text. All saved comments are listed on the page and loaded when the page loads. Therefore, if malicious code was typed and saved, it will also be loaded and displayed on the website.
For example, if we save the code shown below in the comments field, a popup window with the message “Hello, world!” would be displayed on page load.
<html> <body> <script> alert( 'Hello, world!' ); </script> </body> </html>
Another way for this type of injection to be performed is through the website’s link. Suppose we have a PHP website’s link.
As we see, “site” is a parameter and “1” is its value. If, for the parameter “site”, we indicate any HTML code with text to display instead of the value “1”, this text would be displayed on the “Page Not Found” page. This happens only if the page is vulnerable to an HTML attack.
Suppose we type text with tags, <h1>Testing</h1>, instead of the parameter’s value.
Then we would get the text displayed on the website as shown below:
Also, as mentioned, not only a piece of HTML code may be injected; a whole malicious page may be sent to the end user, too.
For example, suppose the user opens a login page and types in their credentials. If a malicious page is loaded instead of the original page and the user sends their credentials through it, a third party may obtain the user’s credentials.
How to Test Against HTML Injection?
When starting to test for a possible injection attack, a tester should first list all the potentially vulnerable parts of the website.
As a reminder, these may be:
- All data input fields
- Website’s link
Then manual tests can be performed.
When testing manually whether HTML Injection is possible, simple HTML code can be entered, for example, to check whether the text is displayed. There is no point in testing with very complicated HTML code; simple code may be enough to check whether it is displayed.
For example, it may be simple tags with text:
<h1>HTML Injection testing</h1>
or search form code, if you would like to test with something more complicated:
<form method="post" action="index.html">
  <p><input type="text" name="search" value="" placeholder="Search text"></p>
  <p class="search_text">
    <label>
      <input type="checkbox" name="search_text" id="search_text">
      Type text to search
    </label>
  </p>
  <p class="submit"><input type="submit" name="commit" value="Search"></p>
</form>
If HTML code that is saved somewhere is displayed, the tester can be sure that this injection attack is possible. Then more complicated code may be tried, for example, to display a fake login form.
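The manual check described above, as an added example in JavaScript (Node) that is not part of the original tutorial: the three response bodies are constructed here to stand in for what a search page could return after the marker <h1>HTML Injection testing</h1> is submitted, and the function classifyReflection (my own name) reports whether the marker came back as raw markup, as encoded text, or with its tags stripped.

```javascript
// Added example (not from the original article). A harmless marker is submitted
// to the page under test and the response is inspected: raw markup means the
// injection is possible, encoded text means the page escapes its output, and a
// stripped marker means the tags were filtered. Runs offline on constructed data.

const PROBE = "<h1>HTML Injection testing</h1>";

// The form a properly escaping page would send back for the same probe.
function encodedForm(probe) {
  return probe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The form a tag-stripping filter would leave behind (text only).
function strippedForm(probe) {
  return probe.replace(/<[^>]*>/g, "");
}

// Classify one response body against the probe that was submitted.
// Order matters: the raw check must run before the text-only check, because a
// raw reflection also contains the probe's plain text.
function classifyReflection(probe, body) {
  if (body.includes(probe)) return "reflected-raw";              // tags reach the parser
  if (body.includes(encodedForm(probe))) return "reflected-encoded";   // shown as text
  if (body.includes(strippedForm(probe))) return "reflected-stripped"; // tags removed
  return "not-reflected";                                         // input not echoed
}

// Constructed sample responses for a search page that echoes the query.
const responses = {
  vulnerable: "<p>Results for: <h1>HTML Injection testing</h1></p>",
  escaped: "<p>Results for: &lt;h1&gt;HTML Injection testing&lt;/h1&gt;</p>",
  stripped: "<p>Results for: HTML Injection testing</p>",
};

// Run the classification over every constructed response and collect verdicts.
function runChecks() {
  const verdicts = {};
  for (const [name, body] of Object.entries(responses)) {
    verdicts[name] = classifyReflection(PROBE, body);
  }
  return verdicts;
}

for (const [name, verdict] of Object.entries(runChecks())) {
  console.log(name.padEnd(10), "->", verdict);
}
```

Only the "reflected-raw" verdict confirms the injection; the other two show the page handled the marker, which is the result a tester wants to see.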
Another solution is an HTML Injection scanner. Scanning automatically for this attack may save a lot of your time. I would note that there are not many tools for HTML Injection testing in comparison with other attacks.
However, one possible solution is the WAS application. WAS can be called a fairly strong vulnerability scanner, as it tests with different inputs and does not just stop at the first failure.
It is helpful for testing: much like the browser plugin “Tamper Data” mentioned above, it intercepts the sent data, allows the tester to change it and sends it on to the browser.
We can also find some online scanning tools, where you only have to provide the website’s link and scanning for the HTML attack will be performed. When testing is completed, a summary is displayed.
I would comment that when selecting a scanning tool, we have to pay attention to how it analyzes the results and whether it is accurate enough.
However, it should be kept in mind that manual testing should not be forgotten. This way we can be sure exactly which inputs are tried and exactly which results we are getting. It is also easier to analyze the results this way.
From my experience in a software testing career, I would comment that for both testing approaches we should have good knowledge of this type of injection. Otherwise, it would be difficult to select an appropriate automation tool and analyze its results. Also, it is always recommended not to forget to test manually, as it simply makes us more sure about the quality.
How to Prevent HTML Injection?
There is no doubt that the main reason for this attack is the developer’s inattention and lack of knowledge. This type of injection attack occurs when the input and output are not properly validated. Therefore the main rule for preventing an HTML attack is appropriate data validation.
Every input should be checked for script code or HTML code. Usually the check is whether the input contains any special script or HTML brackets, such as <script></script> or <html></html>.
There are many functions for checking whether input contains such special brackets. The choice of checking function depends on the programming language that you are using.
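The questionnaire acknowledgment from the “How is HTML Injection Performed?” section, as an added example (not code from the original tutorial) that places the vulnerable concatenation beside the hardened version the validation rule above calls for. The names escapeHtml, renderAcknowledgmentUnsafe, renderAcknowledgmentSafe and looksLikeMarkup are my own; the example runs in Node without a DOM by returning the markup the browser would receive.

```javascript
// Added example (not from the original article): the tutorial's acknowledgment
// message built the vulnerable way and the hardened way, plus the input-side
// bracket check the "How to Prevent" section describes.

// Escape the five characters that can change HTML structure or close an
// attribute value. This is the kind of "checking function" every language
// offers in some form; in a real project use the standard library's version.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: mirrors the tutorial's `...innerHTML = "Thank you ..., " + user;`
// Whatever the user typed is handed to the HTML parser as markup.
function renderAcknowledgmentUnsafe(user) {
  return "Thank you for filling our questionnaire, " + user;
}

// Hardened: same message, but the user-controlled part is escaped first, so the
// browser shows any tags as literal text instead of interpreting them.
// (In the browser, assigning with textContent instead of innerHTML has the
// same effect without needing an escape step.)
function renderAcknowledgmentSafe(user) {
  return "Thank you for filling our questionnaire, " + escapeHtml(user);
}

// Input-side check: flag a submission that contains anything shaped like a tag.
// Useful as a defense-in-depth signal and for logging, but output escaping is
// what actually stops the injection.
function looksLikeMarkup(input) {
  return /<\/?[a-z][^>]*>/i.test(input);
}

// Constructed sample inputs: a normal name and the tutorial's test payload.
const samples = ["Tester_name", "<h1>Testing test</h1>"];
for (const user of samples) {
  console.log("unsafe :", renderAcknowledgmentUnsafe(user));
  console.log("safe   :", renderAcknowledgmentSafe(user));
  console.log("flagged:", looksLikeMarkup(user));
}
```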
It should be remembered that good security testing is also part of prevention. I would point out that, as HTML Injection attacks are very rare, there is less literature to learn from and fewer scanners to choose from for automatic testing. However, this part of security testing really should not be skipped, as you never know when it may happen.
Also, both the developer and the tester should have good knowledge of how this attack is performed. A good understanding of the attack process may help to prevent it.
Comparison with other Attacks
As mentioned earlier, the main purpose of this type of injection is changing the displayed website’s appearance with malicious intent, displaying the attacker’s information or data to the end user. Those risks may be considered less important.
However, a changed website appearance may cost your company its reputation. If a malicious user were to deface your website, it may change visitors’ opinions about your company.
It should be remembered that another risk this attack brings is stealing other users’ identities.
As mentioned, with HTML Injection the malicious user may inject a whole page that is displayed to the end user. If the end user then enters their login data into the fake login page, it will be sent to the malicious user. This is, of course, the more dangerous part of this attack.
It should be mentioned that for stealing other users’ data, this type of attack is less frequently chosen, as there are many other possible attacks.
However, it is very similar to the XSS attack, which steals users’ cookies and other identities. There are also XSS attacks that are HTML based. Therefore testing for XSS and HTML attacks may be very similar and can be performed together.
As HTML Injection is not as popular as other attacks, it may be considered less risky than them. Hence testing for this type of injection is sometimes skipped.
It is also noticeable that there is definitely less literature and information about HTML Injection. Therefore testers may decide not to perform this type of testing. In that case, however, the risks of an HTML attack may not be evaluated sufficiently.
As we have analyzed in this tutorial, with this type of injection the whole design of your website may be destroyed or even users’ login data may be stolen. Therefore it is highly recommended to include HTML Injection in security testing and to invest in good knowledge of it.
Have you come across any typical HTML Injection? Feel free to share your experiences in the comments section below.