Hello and welcome back guys. Hope everyone is doing good.
Today we are learning about HTML Injection, which can sometimes lead to XSS if the application allows you to. So let us learn how and where HTML injections can be performed.
What is HTML
HTML stands for HyperText Markup Language, which is used to create web pages. It basically describes how everything is set in the application, like where a paragraph should be, where a title should, and all that. You go to any web application, it uses HTML some or the other way. So the possibility of you finding this vulnerability is high.
What exactly is HTML Injection
Now you all have learned what HTML is let us get to know what injection is all about. An injection is simply putting something into something. Let me get it clear, in medical terms injection is giving you a drug or medicine through a needle, so in the same way, if we inject something arbitrary into a web application and if it reflects it is called injection.
So from the definition I meant, HTML Injection is simply putting arbitrary HTML code into an input field of a web application. If it gets executed, then we have found a vulnerability.
How to find one
So now we know what exactly is HTML injection, let us learn how to find one. The where part i.e., at what endpoints we are going to look into are
Username
First name
Last name
Search boxes
Any parameter which accepts input from users
Now we have a web application and we know it uses HTML and we have found the endpoints where we can look for possible attacks. So, let us move forward and find one.
Find an input parameter either POST or GET based.
Try to give some random input and see if your input reflects back to you on the web page. If so then there may be HTML but we are not sure.
So let us go ahead and execute any HTML code. If you get the executed output of the code in the web application then there is HTMLi.
We can also check for this vulnerability using Burp Suite or OWASP ZAP using the same steps
Capture the request of the web application and spider the host.
Send an URL to the repeater which contains input parameters as we discussed above.
If your input reflects back to you on the web page then there may be HTMLi.
Execute any HTML code, if you get the executed output of the code then there is HTMLi.
What are the possible outcomes
HTML Injection in Email
This works only if the web application sends you an email with the name, which you will provide during signup. (An example email body would be like “Hi HTML” . Notice that HTML is executed code)
Signup for a website.
Enter HTML code in the endpoints for name (<h1>HTML</h1> a basic html code)
Check, if your code is getting executed in the confirmation email sent for you from the web application.
Normal case of HTMLi
Signup for a website.
Enter HTML code in the endpoints for name or any other input parameters (<h1>HTML</h1> a basic html code)
Check if your code is getting executed in the dashboard.
You can also check for this type by changing your endpoints in profile settings and seeing if they are reflecting back.
How to chain it to XSS
XSS stands for Cross-Site Scripting. It is basically javascript code being executed in place of HTML code. So if HTML code is getting executed, check if you can insert javascript code and get back the result. XSS has more impact than HTML, so your attack would have high severity. But XSS is not easily available or found as the web application sanitizes the javascript code or tags. So if your code is getting sanitized, you can try encoding your payload and then inserting the encoded payload.
I will give you a brief about how this works and how to find one in my future articles, but for now, let us not rush ourselves by learning all at once. So take your time and practice and see if you can find any HTMLi.
That’s all from my side today guys. Hope you have enjoyed reading this as much as I enjoyed writing this and catch you up again in the next post with another vulnerability. Check out my Instagram to get more updates and tricks.
Till then take care and Happy Hacking!!!👋👋
